How to Deploy Microsoft LAPS – Complete Guide

Microsoft LAPS can be used to manage local administrator passwords on your domain-joined devices. LAPS (Local Administrator Password Solution), creates a unique and random password for each device client in your network and stored the password in the Active Directory.

The advantage of Microsoft LAPS is that only users with the correct permissions can access the passwords and the local administrator account. And more importantly, attackers won’t be able to access and infect other computers when one account is compromised.

In this article, we are going to deploy and configure Microsoft LAPS. Keep in mind that this is the legacy version of Microsoft LAPS. The new version, Windows LAPS, will be available in public preview around Q2 2023.


Windows LAPS has now been released to public preview. I recommend to rollout Windows LAPS instead of the old Microsoft LAPS solution. You can find the complete guide here.

What is Microsoft LAPS?

Administrators often use the same password for each device when deploying Windows on a new machine. This local administrator account can be used as an alternative way to log in when troubleshooting problems on the machine. But having the same password on each device is a huge security risk, this is where LAPS (Local Administrator Password Solution) from Microsoft comes in.

When attackers gain access to one local admin account, they can use the same credentials to access all other devices in the network. So using a unique password for each device is recommended. But we need a way to manage those passwords. With LAPS, the password for each device is randomly generated and stored in the Active Directory. Only users with the appropriate permission can read the password from the Active Directory and use the local administrator account.

To look up the LAPS password we can use either PowerShell, the LAPS Client UI, or find it in the Active Directory.


There are a couple of requirements when it comes to installing and using Microsoft LAPS:

  • It only works on Domain Joined devices
  • Protects only one local admin account (recommend disabling any other accounts)
  • We need to extend the Active Directory scheme
  • Configuration is done with a Group Policy
  • LAPS Client needs to be installed on all client devices

Installing LAPS

Installing LAPS is done in 3 parts. We are first going to configure the Active Directory and policies on the Domain Controller. Next, we will install the management tools on our own machine and the last step is to roll out the LAPS client to all the client devices.

Step 1 – Configuring the Domain Controller

We are first going to perform all the necessary steps on the domain controller. This means that we will extend the Active Directory schema, create a security group with users that are allowed to read the LAPS passwords, set up the correct permissions, and configure the Group Policy.

The first step is to download the Local Administrator Password Solution. Select and download the LAPS.x64.msi file and open the setup once it’s downloaded. On the domain controller, we only need to install the following components:

  • PowerShell module
  • GPO Editor templates
install laps
Install LAPS

Extend the Active Directory Schema

We will need to extend the Active Directory Schema to add the new attribute fields for the LAPS password. Now to extend the AD Schema, you will need to be a member of the Security Group Schema Admins which you can find in the Active Directory. If you are not a member of the schema admins, then you will get an error user has insufficient access rights.

  1. Open PowerShell on the Domain Controller
  2. Type the following commands to extend the AD Schema:
Microsoft LAPS
Extend AD Scheme for Microsoft LAPS

Set permissions in the Active Directory

With the PowerShell window still open (otherwise, Import the again), we are going to set the permissions that are required for LAPS. We will need to give the SELF built-in account on the computer’s write access so it can update the password in the Active Directory. And we will need to give the administrators read (and maybe write) permissions to read the stored LAPS password.

For the computer, we are going to target them using the OU. The setting will apply to all nested OUs as well. You can repeat the steps below for any OU with computers that you have. In PowerShell type the following command to set the permissions on the Computers OU:


To target the OU you can use the OU name (if it’s unique) or the distinguished name.
Set-AdmPwdComputerSelfPermission -OrgUnit Computers

If the OU name isn’t unique, then all matching OUs are displayed and an error will be thrown that more than one object is found. Using the DistinguishedName to target the correct OU:

Set Permissions with PowerShell
OU Name not unique
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl"

The next step is to create a new security group that contains the users that are allowed to read the LAPS password. I like to create two groups, one with read/write permissions (these users can force a password reset of the LAPS password) and one group with only read access. You can create the groups in the Active Directory or use PowerShell:

# AD Security Group for LAPS read/write access
New-ADGroup -name 'LAPS Admins' -GroupCategory Security -GroupScope Global

# AD Security Group for LAPS readonly  access
New-ADGroup -name 'LAPS ReadOnly' -GroupCategory Security -GroupScope Global

We can now give the new security groups the appropriate permissions. First, we will give both groups read permission to the LAPS password (the ms-Mcs-AdmPwd attribute):

Set-AdmPwdReadPasswordPermission -OrgUnit Computers -AllowedPrincipals 'LAPS Admins','LAPS ReadOnly'

Administrators should also be able to reset the password, so we will give the LAPS Admins group also reset permission:

Set-AdmPwdResetPasswordPermission -OrgUnit Computers -AllowedPrincipals 'LAPS Admins'
Extend AD Scheme voor LAPS
Set permissions

Setting up the LAPS GPO

With the permission all sorted we gain configure the LAPS GPO (Group Policy Object). First, we will need to copy the LAPS Admx file to the Active Directory Central Store.

  1. On the domain controller, navigate to C:\Windows\PolicyDefinitions
  2. Copy the AdmPwd.admx to \\contoso.local\SysVol\contoso.local\Policies\PolicyDefinitions

Do the same for the Adml file which you can find in the language folder:

  1. On the domain controller, navigate to C:\Windows\PolicyDefinitions\en-US
  2. Copy the AdmPwd.adml to \\contoso.local\SysVol\contoso.local\Policies\PolicyDefinitions\en-US

We can now create a new GPO for LAPS:

  1. Open the Group Policy Management Console
  2. Create a new Group Policy in your Computers OU
  3. Right-Click the new Policy and select Edit
  4. Navigate to : Computer Configuration > Polices > Administrative Templates > LAPS
Local Administrator Password Solution GPO
  1. Open the Password Settings
  2. Enable the setting
  3. Configure the password complexity (the default settings are in most cases fine)
  4. Click Ok when done
Configure Password Settings
LAPS Password Settings
  1. Next, open the setting Name of the administrator account to manage
  2. Enable the setting
  3. Under Administrator account name enter LAPSAdmin


LAPS can only protect one local admin account. Using a distinct local admin account name allows us to easily verify if the computer is protected with LAPS. Plus the built-in Administrator account is often disabled by default.
Configure LAPS GPO
Configure LAPS GPOI
  1. Open the setting Enable local admin password management
  2. Click Enable and close the window

Optional GPO Settings

The following settings are optional. If already have a local admin account, name lazyadmin, for example. Then you probably want to disable this account when deploying LAPS. We can do this in the same policy that we just created:

  1. Edit the CPO_LAPS policy
  2. Navigate to: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
  3. Right-Click in the white area and choose New > Local User
  4. Set Action to Update
  5. Enter the name of the current local admin account
  6. Uncheck User must change password at next logon
  7. Check Account is disabled
  8. Click OK
disable local admin account
Disabled local admin account

We have now successfully configured the Active Directory and Group Policy for Microsoft LAPS. Make sure that you apply the newly created policy to all OUs that contain computers where you want to use LAPS on.

Step 2 – Install the LAPS Client on the Computers

We will need to install the LAPS Client component on all Windows computers. Now the best way to install software on multiple clients is to use a deployment tool like PDQ Deploy or Action1.

In PDQ Deploy you can create a new package and use the LAPS.x64.msi file that we downloaded earlier. Make sure that you add the parameter CUSTOMADMINNAME=LAPSAdmin in your package. It’s also a good idea to add a PowerShell or Command step with the gpupdate command.


The CUSTOMADMINNAME parameter will create a local admin account on the computer with the username LAPSAdmin.

If you don’t have a deployment tool that you can use, then could also use a group policy to deploy the client. The only problem is that you can’t easily add the required parameter CUSTOMADMINNAME to the MSI file. You would need to modify the MSI file using a tool called ORCA, but that is out of the scope of this article.

Deployment through GPO is also possible when you can re-use the existing local admin account:

First, copy the LAPS.x64.msi file to your Netlogon folder (\\contoso.local\netlogon)

  1. Open the Group Policy Management console
  2. Create a new GPO in your Computers OU (same location as the LAPS GPO) and name it CPO_LAPS_Install
  3. Edit the new policy
  4. Navigate to: Computer Configuration > Policies > Software Settings > Software Installation
  5. Right-Click on the white space and select New > Package…
  6. Navigate to your Netlogon folder and select the LAPS.x64.msi file
  7. Select Assigned
Deploy LAPS Client with GPO
Deploy Local Administrator Password Solution using GPO

Another option is to install the MSI manually or use a PowerShell script:

if (-not(Get-Package -name "local administrator password solution" -ErrorAction Ignore)) {
    Start-Process msiexec.exe -Wait -ArgumentList "/i '\\contoso.local\netlogon\LAPS.x64.msi /qn /norestart /l*v 'c:\temp\laps-install.log' CUSTOMADMINNAME=LAPSAdmin"

You can easily verify if the LAPS client is successfully installed by checking if the LAPS Admin account is created on the client:

  • Press Windows Key + R
  • Type lusrmgr.msc to view the local users accounts
  • LAPSAdmin should be listed

Step 3 – Installed the LAPS Management UI

To look up the LAPS Password of a client we will need to use either the LAPS Client UI or the PowerShell module. You can install the management parts on as many machines as you like. Only to view or reset the password, the user will need to be a member of one of the security groups that we created earlier (LAPS Admin or LAPS ReadOnly).

Download the Local Administrator Password Solution again from Microsoft. Select and download the LAPS.x64.msi file and open the setup once it’s downloaded. We are going to install the Fat client UI and the PowerShell module:

Install local administrator password solution
Install LAPS Management tools

Retrieving Microsoft LAPS Password

After the installation is completed you will find the Microsoft LAPS client in the start menu. If you open LAPS UI you can enter the computer name and click on Search to lookup the LAPS password:

Microsoft LAPS UI Client
LAPS UI Client

If you have reset permissions then you can also reset the password by clicking on Set. This will reset the password immediately. Another option is the set the expiration date of the LAPS Password.

Get LAPS Password with PowerShell

We can also use PowerShell to find and reset the LAPS Password. Make sure that you have installed the PowerShell module from the Local Administrator Password Solution setup. We can use the cmdlet Get-AdmPwdPassword to get the password from the specific computer:

Get-AdmPwdPassword -ComputerName LA-WIN11-LAB03

# Or to return only the password:
Get-AdmPwdPassword -ComputerName LA-WIN11-LAB03 | Select Password

# Result

As you can see in the screenshot below, the cmdlet doesn’t only return the password, but also the computer name, distinguished name, and expiration timestamp. With a simple select we can make sure that only the password is returned.

LAPS PowerShell
Get LAPS Password in PowerShell

We can also copy the password automatically to our clipboard by piping the Set-Clipboard cmdlet behind it. For that we will need to expand the password property first, so that only the value is copied, instead of the complete object:

Get-AdmPwdPassword -ComputerName LA-WIN11-LAB03 | Select -ExpandProperty Password | Set-Clipboard

Using the Active Directory

We can also look up the Microsoft LAPS password in the Active Directory. The password is stored in the ms-MCS-AdmPwd attribute. So to retrieve it we will need to open the Attribute editor of the computer object:

  1. Open the Active Directory Users and Computers
  2. Navigate to the computers OU
  3. Double-click on the computer object
  4. Open the Attribute Editor tab
  5. Scroll down to the ms-MCS-Adm-Pwd attribute to view the password
view microsoft laps password in Active Directory
AD Attribute Editor

Wrapping Up

Microsoft LAPS is a great solution to manage your local administration password. Keep in mind that a new version of LAPS, named Windows LAPS, will be released in the second half of 2023. This version can also store the password in Azure Active Directory, among with other benefits.

I hope this article helped you with configuring the local administrator password solution. If you have any questions, just drop a comment below.

5 thoughts on “How to Deploy Microsoft LAPS – Complete Guide”

    • Open a new MMC (management console) (Start > Run > type MMC )
      Click on File > Add/Remove add-in
      Add the Active Directory Schema
      Expand classes
      Select Computer > Properties
      There you can check it in the attribute tab.

  1. Hi Rudy,
    thanks for the blog. LAPS should no be integrated in the the last windows update of April, so step 2 should’t be needed anymore, right?

  2. Hi Rudy,

    Thank you for the detailed info.
    It has really helped me.
    I used the build-in local administrator account instead of the “CUSTOMADMINNAME=LAPSAdmin” on the GPO and it has worked fine.

Leave a Comment