Local Administrator Password Management (LAPS)

A few weeks ago, Microsoft published a new tool – named “LAPS” – which is available for free. It lets you manage the local admin passwords of all your clients without special scripting. Since it is no longer possible to change the password through Group Policy Preferences, this is a nice way to do it.

Through GPO you schedule when the password for the local administrator is changed (how long it stays valid) and how complex it has to be. Every client gets a different password, which is written back to Active Directory. What is needed and how you configure it is written here.


Download the LAPS application here.

Schema Upgrade

  • Install the LAPS application on the DC (the PowerShell module and the GPO Editor templates are needed).
  • Start PowerShell as admin, import the module “AdmPwd.PS” and upgrade the schema with a schema admin account:
    Import-Module AdmPwd.PS
    Update-AdmPwdADSchema

–> Two new AD attributes will be created: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime

Set permission to write password to Active Directory

The clients (SELF) need the permission to write the password and the expiration date to Active Directory (attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime). The following PowerShell command does this:

Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

Set permission to read the password from Active Directory

Additionally you have to define who can read the ms-Mcs-AdmPwd attribute in Active Directory.

Create an Active Directory group and grant the permission with the following PowerShell command:

Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
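The three server-side steps above (schema update, SELF write permission, delegated read permission) as one script, followed by a check of who can actually read the passwords. This is an added example, not code from the original post or from the LAPS product; the OU distinguished name and the group name are placeholders for your own environment.

```powershell
# Added example (not from the original post): server-side LAPS setup in one script.
# Assumptions: the LAPS PowerShell module is installed on this machine, the session runs as
# a Schema Admin (for the schema update) and Domain Admin (for the delegations), and the
# OU and group names below are placeholders for your own environment.
Import-Module AdmPwd.PS

$ClientOU    = 'OU=Workstations,DC=example,DC=com'   # placeholder OU that holds the managed clients
$ReaderGroup = 'LAPS-PasswordReaders'                # placeholder group allowed to read passwords

# 1. Extend the schema: creates ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime (run once per forest)
Update-AdmPwdADSchema

# 2. Let each computer (SELF) write its own password and expiration time
Set-AdmPwdComputerSelfPermission -OrgUnit $ClientOU

# 3. Delegate read access on the password attribute to the reader group
Set-AdmPwdReadPasswordPermission -OrgUnit $ClientOU -AllowedPrincipals $ReaderGroup

# 4. Verify: list every principal holding extended rights on the computer objects in the OU.
#    ms-Mcs-AdmPwd is a confidential attribute, so anyone with "All extended rights" on these
#    objects can read the clear-text passwords. Anything besides Domain Admins, SYSTEM and
#    $ReaderGroup should be reviewed and, if not needed, removed before the clients start writing.
Find-AdmPwdExtendedRights -Identity $ClientOU |
    Select-Object -ExpandProperty ExtendedRightHolders |
    Sort-Object -Unique
```

Step 4 matters because Set-AdmPwdReadPasswordPermission only adds a permission; it does not remove extended rights that other groups (for example a help desk group with broad delegation on the OU) already hold, and those groups would be able to read the passwords as well.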

Software on Clients (GPO Extension)

You have to install the LAPS tool on every client so that the needed GPO extension is available. The default installation through the MSI installs and registers only a DLL.

  • Deploy LAPS on the clients or deploy and register the AdmPwd.dll
    msiexec /i laps.x64.msi /qn
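The silent installation above, wrapped in a script that checks the msiexec result and verifies that the client-side extension is actually present, so outdated or failed installs show up before the GPO is applied. This is an added example, not part of the original post or of the LAPS installer; the share path is a placeholder.

```powershell
# Added example (not from the original post): install the LAPS GPO extension silently and
# verify that the client-side extension (CSE) is present. Assumptions: laps.x64.msi lies on a
# share (placeholder path below) and the script runs elevated on the client, e.g. as a
# startup script or through your software deployment tool.
$Msi = '\\fileserver\software\LAPS\laps.x64.msi'   # placeholder share path

# The default install registers only AdmPwd.dll (the GPO client-side extension), no UI or module.
# Exit code 3010 means "success, reboot required", which is acceptable for a startup script.
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$Msi`" /qn /norestart" -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "LAPS installation failed with msiexec exit code $($proc.ExitCode)"
}

# The CSE is installed below the LAPS program folder. If you ship only the DLL instead of the
# MSI, register it from an elevated prompt with:  regsvr32.exe /s AdmPwd.dll
$Cse = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
if (-not (Test-Path $Cse)) {
    throw "AdmPwd.dll not found at $Cse - the GPO extension will not run on this client"
}

# Report the installed version so outdated clients can be found in your inventory
(Get-Item $Cse).VersionInfo.FileVersion
```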

Group Policy (GPO)

The installation of the full LAPS tool on a management client will copy AdmPwd.admx to c:\Windows\PolicyDefinitions and AdmPwd.adml to c:\Windows\PolicyDefinitions\en-US. Copy the ADMX file to your Domain Controller or to your central store for ADMX files (c:\windows\sysvol\sysvol\%domain%\policies\policydefinitions) and the ADML file to the subfolder en-US.

  • Configure the GPO for the clients under “Computer Configuration\Policies\Administrative Templates\LAPS”. The following settings are available:

    Password Settings
      Password complexity, password length and password age (days)

    Name of administrator account to manage
      Not configured, or the administrator account name. Only needed if the built-in admin account is not used *

    Do not allow password expiration time longer than required by policy
      Enabled / Disabled

    Enable local admin password management
      Main setting to enable or disable the password management

* If you renamed the local administrator account it still works, because LAPS looks for the SID.

  • Apply the GPO to your client Organization Unit (OU).
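The GPO from the table above, created and linked from a management client with the GroupPolicy module instead of clicking through the editor. This is an added example, not from the original post or from Microsoft; the OU name is a placeholder, and the registry key and value names are the ones I know the AdmPwd.admx template writes, so compare them against the copy of the template you placed in the central store before relying on the script.

```powershell
# Added example (not from the original post): create the LAPS GPO with the settings listed
# above and link it to the client OU. Assumptions: the RSAT GroupPolicy module is installed,
# the ADMX/ADML files are in the central store, the OU is a placeholder, and the registry
# key/value names match the AdmPwd.admx template (verify against your copy).
Import-Module GroupPolicy

$GpoName  = 'LAPS - Local Admin Password'
$ClientOU = 'OU=Workstations,DC=example,DC=com'            # placeholder OU
$Key      = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Managed local administrator password (LAPS)'
}

# Enable local admin password management (the main switch)
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AdmPwdEnabled' -Type DWord -Value 1

# Password settings: complexity 4 = large letters, small letters, numbers and specials
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PasswordComplexity' -Type DWord -Value 4
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PasswordLength'     -Type DWord -Value 20
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30

# Do not allow an expiration time longer than the policy requires
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PwdExpirationProtectionEnabled' -Type DWord -Value 1

# AdminAccountName is left unset on purpose: the built-in administrator is then managed,
# found by its SID, so a renamed account is still covered.

# Link the GPO to the client OU (the error is ignored if the link already exists)
New-GPLink -Name $GpoName -Target $ClientOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# Review the resulting policy values before the clients pick them up
Get-GPRegistryValue -Name $GpoName -Key $Key | Select-Object ValueName, Value
```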

UI to read the password from AD

For the admins with the permission to read the passwords in AD, you can deploy a user interface or show them how to read it in the Active Directory Users and Computers console (Computer Object – Attribute Editor – ms-Mcs-AdmPwd).


For installing the LAPS User Interface, choose the “Fat client UI”.


In the tool you also have the possibility to set a new password. Click “Set” and it will be changed immediately.
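Reading and resetting a password from PowerShell instead of the UI, plus an audit that goes a step beyond the post: it lists the computers in the OU that have no password stored in AD yet, or whose stored password is past its expiration, which is the quickest way to spot clients where the GPO extension is not running. This is an added example, not code from the original post or from the LAPS module; the OU and computer name are placeholders.

```powershell
# Added example (not from the original post): read/reset LAPS passwords and audit an OU.
# Assumptions: the AdmPwd.PS and ActiveDirectory modules are installed, the account running
# this is a member of the group delegated with Set-AdmPwdReadPasswordPermission, and the OU
# and computer name below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ClientOU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$Computer = 'PC001'                                # placeholder computer name

# Read the current password entry of one computer (the same data the Fat client UI shows)
$entry = Get-AdmPwdPassword -ComputerName $Computer
"{0}: password expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp
# $entry.Password holds the clear-text password; output it only when it is actually needed

# Force a new password: this sets the expiration time to now, and the client generates and
# writes back a new password on its next Group Policy refresh ("Set" in the UI does the same)
Reset-AdmPwdPassword -ComputerName $Computer -WhenEffective (Get-Date)

# Audit: which computers in the OU have no password in AD, or a password past its expiration?
# ms-Mcs-AdmPwdExpirationTime is stored as a FILETIME (100-ns ticks since 1601), so convert it.
$now = Get-Date
Get-ADComputer -SearchBase $ClientOU -Filter * -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        $exp = if ($raw) { [DateTime]::FromFileTime([long]$raw) } else { $null }
        [PSCustomObject]@{
            Name        = $_.Name
            HasPassword = [bool]$_.'ms-Mcs-AdmPwd'
            Expires     = $exp
            Status      = if (-not $_.'ms-Mcs-AdmPwd') { 'NOT MANAGED' }
                          elseif ($exp -lt $now)        { 'EXPIRED' }
                          else                          { 'OK' }
        }
    } |
    Where-Object Status -ne 'OK' |
    Sort-Object Name
```

A computer that shows up as NOT MANAGED usually has not installed the extension or is not in the scope of the GPO; one that shows up as EXPIRED has stopped writing back, which is worth investigating before the stored password becomes stale or someone changes it manually on the machine.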


Good Luck!



    • Chris Greuter

      yes I know some customers using it, where I configured it 🙂 – and it’s working really great. The tool is not new, it’s only new for free / open (before it was only available for Microsoft Consulting Services)… so I think it’s used in several companies.

  1. Ajit Pariyar

    I changed local admin account manually on the computer successfully, but it doesn’t sync with the domain controller LAPS password. Any idea why it is not syncing? Shouldn’t it also show the changed password on LAPS UI. The password I changed logs me in successfully, not the one on the domain controller.

    • Name

      Replying to an old comment but for the benefit of others – the tool can only sync passwords to AD when it sets them. It does not check for manually changed passwords and even if it did, it would not be able to decrypt a manually set password.
