Manage Local Administrator Passwords (LAPS)

Managing local administrator passwords across a network can be a pain. Many sysadmins end up jumping onto each computer to reset the password by hand, which is very time-consuming. There are third-party tools that make this easier, but Microsoft has its own tool called LAPS (Local Administrator Password Solution).

How does LAPS work?

As stated on the LAPS download page:

The core of the LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update:

  • Checks whether the password of the local Administrator account has expired.
  • Generates a new password when the old password is either expired or is required to be changed prior to expiration.
  • Validates the new password against the password policy.
  • Reports the password to Active Directory, storing it with a confidential attribute with the computer account in Active Directory.
  • Reports the next expiration time for the password to Active Directory, storing it with an attribute with the computer account in Active Directory.
  • Changes the password of the Administrator account.
  • The password then can be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.
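The following PowerShell walks that workflow from the Active Directory side: delegating the rights the CSE needs, auditing who can read the stored passwords, reading a password and its expiry, and forcing a rotation. It is an added example and not code from the original post or from Microsoft; it uses the AdmPwd.PS module that ships with the LAPS installer plus the RSAT ActiveDirectory module, and it assumes the schema extension has already been applied. The OU, group names and computer name are placeholders.

```powershell
# Added example (not from the original post): AD-side LAPS workflow with the
# AdmPwd.PS module from the LAPS installer. Assumes Update-AdmPwdADSchema has
# already been run and that the OU, groups and computer below are placeholders
# for your own environment.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory   # RSAT, needed for Get-ADComputer

$ou           = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$readerGroup  = 'CORP\LAPS-Readers'                     # assumed group
$resetGroup   = 'CORP\LAPS-Resetters'                   # assumed group
$computerName = 'WS001'                                 # assumed computer

# 1. Let computers in the OU write their own ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime attributes (what the CSE "reports" to AD).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Delegate read and reset rights to dedicated groups rather than to
#    broad admin groups; keep the two rights separate.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readerGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetGroup

# 3. Audit. ms-Mcs-AdmPwd is a confidential attribute, so any principal that
#    holds "All Extended Rights" on the computer objects can read the cleartext
#    password. Review this list before rollout and remove anything unexpected.
Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers |
    Select-Object ObjectDN, ExtendedRightHolders

# 4. Read the current password and its expiry as an authorised reader.
$pw = Get-AdmPwdPassword -ComputerName $computerName
'{0}: password expires {1}' -f $pw.ComputerName, $pw.ExpirationTimestamp

#    The raw attribute is a Windows FILETIME (100 ns ticks since 1601-01-01);
#    the CSE compares it to the current time on each GPO refresh to decide
#    whether the password has expired.
$raw = (Get-ADComputer $computerName -Properties 'ms-Mcs-AdmPwdExpirationTime').'ms-Mcs-AdmPwdExpirationTime'
[DateTime]::FromFileTime($raw)

# 5. Force a rotation: this moves the expiration time to now, so the CSE
#    changes the password on the next policy refresh (gpupdate /force on the
#    host if you cannot wait).
Reset-AdmPwdPassword -ComputerName $computerName
```

Step 3 is the one people skip: Domain Admins and anyone granted Full Control on the OU already hold All Extended Rights, so the reader list is usually longer than the group you delegated in step 2.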

Features of LAPS include:

  • Security that provides the ability to:
    • Randomly generate passwords that are automatically changed on managed machines.
    • Effectively mitigate PtH attacks.
    • Enforced password protection during transport via encryption using the Kerberos version 5 protocol.
    • Use access control lists (ACLs) to protect passwords in Active Directory and easily implement a detailed security model.
  • Manageability that provides the ability to:
    • Configure password parameters, including age, complexity, and length.
    • Force password reset on a per-machine basis.
    • Use a security model that is integrated with ACLs in Active Directory.
    • Use any Active Directory management tool of choice; custom tools, such as Windows PowerShell, are provided.
    • Protect against computer account deletion.
    • Easily implement the solution with a minimal footprint.
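To check from the managed machine's side that the CSE is installed and which of the password parameters above (age, complexity, length) the GPO actually delivered, the script below reads the LAPS policy registry values. This is an added example, not code from the original post or from Microsoft; the value names are those used by the LAPS (AdmPwd) policy template, and the DLL path assumes the default location chosen by the LAPS installer.

```powershell
# Added example (not from the original post): verify on a managed host that
# the LAPS CSE is present and what policy it has received. Registry value
# names come from the LAPS AdmPwd policy template; the DLL path assumes the
# installer's default location.
$cseDll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
$pol    = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'

$result = [ordered]@{
    CseInstalled  = Test-Path $cseDll   # no DLL = the GPO settings are ignored
    PolicyPresent = Test-Path $pol      # no key = the GPO never applied here
}

if ($result.PolicyPresent) {
    $p = Get-ItemProperty -Path $pol
    $result.Enabled        = [bool]$p.AdmPwdEnabled
    $result.PasswordLength = $p.PasswordLength       # LAPS default 14 when unset
    $result.Complexity     = $p.PasswordComplexity   # 4 = upper, lower, digits, specials
    $result.AgeDays        = $p.PasswordAgeDays      # LAPS default 30 when unset
    $result.AccountName    = $p.AdminAccountName     # empty = built-in Administrator (RID 500)
}

[pscustomobject]$result

# Things a reviewer would flag: CseInstalled or PolicyPresent false, Enabled
# false, length below 14, complexity below 4, or an age above 30 days.
# Changing these values only affects the next rotation; expire the password
# (Reset-AdmPwdPassword from a management host) if you want it applied now.
```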

System Requirements

  • Supported Operating Systems: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
  • Active Directory: (requires AD schema extension)
    Windows 2003 SP1 or later.
  • Managed machines:
    Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later.
  • Management tools:
    .NET Framework 4.0
    PowerShell 2.0 or later

You can download the Local Administrator Password Solution directly from Microsoft: Download LAPS.