How to Setup & Configure LAPS on Active Directory Domain.
This article contains step-by-step instructions on how to install and configure Microsoft LAPS on your Active Directory Domain environment.
Microsoft's Local Administrator Password Solution (LAPS) is a security feature that provides a way to manage the local administrator passwords of domain-joined computers in a secure, automated manner. It specifically addresses a security gap in corporate environments where the local administrator password is the same on multiple computers, making it easier for attackers to gain access to all computers on the network if they compromise one computer.
How does LAPS work?
On each domain-joined computer (Client-side), a new GPO Extension is installed that is responsible for generating a unique local administrator password, and updating Active Directory with the new password.
In Active Directory, the directory schema is extended to store the local administrator password of each domain-joined computer, which simplifies password management for IT admins.
How to Install & Configure Microsoft's Local Administrator Password Solution (LAPS).
Step 1. Create a new OU with all computers you want to use LAPS. (Optional Step).*
* Note: For LAPS to work, you must have an Organizational Unit (OU) containing all the workstations (clients) whose local administrator password you want to manage with LAPS. If you don't already have such an OU, create a new one and move into it all the workstations that will use LAPS. To do that:
1. Open Active Directory Users and Computers.
2. Right-click on your Domain and choose New > Organizational Unit.
3. Give the new OU a name (e.g. "Workstations") and click OK.
4. Now open the Computers container, select all the computers (workstations) that you want to use LAPS and click Move.
5. Finally, select from the list the new OU you created before and click OK.
6. At the end, all the workstations you want to manage with LAPS should be in the new OU.
Step 2. Install Microsoft LAPS on Management Computer.
The first step to set up the Local Administrator Password Solution (LAPS) is to install LAPS on the management computer.*
* Note: The management computer can be either the domain controller or any other computer joined to the domain. (In this article we install LAPS on a Server 2016 Domain Controller.)
1. Download LAPS software (LAPS.x64.msi) from the below link:
2. Double-click LAPS.x64.msi to start the installation and choose Next at the first screen. Then accept the License Agreement and click Next again.
3. At the next screen, click the arrow to the left of Management Tools and select Entire feature will be installed on local hard drive. Then click Next and then Install to install LAPS on the management computer.
Step 3. Install Microsoft LAPS on Clients (Workstations).
Next, install the LAPS AdmPwd GPO extension component on all workstations joined to the domain. To do that:
1. Download LAPS software (LAPS.x64.msi) from the below link:
2. Double-click LAPS.x64.msi to start the installation and choose Next at the first screen. Then accept the License Agreement and click Next again.
3. At the next screen, ensure that only the AdmPwd GPO extension component is selected, then click Next and then Install.
Step 4. Modify Active Directory Schema.
Now, on your Domain Controller, extend the directory schema by adding the following two new attributes to computer objects in Active Directory:
- ms-Mcs-AdmPwd : This attribute will show the computer's local administrator password in clear text once LAPS setup is completed.
- ms-Mcs-AdmPwdExpirationTime : This attribute will show the password expiration date/time.
1. To add the above attributes, open PowerShell on your Domain Controller and run the following two commands:
- Import-module AdmPwd.PS
- Update-AdmPwdADSchema
2. Without closing the PowerShell window, proceed to the next step.*
* Note: If you close the PowerShell window and open a new one, you may need to run "Import-module AdmPwd.PS" again.
Step 5. Set Workstations Permissions for LAPS.
The next step in the LAPS setup is to give the workstations (clients) the permissions they need to write their own managed local administrator password and its expiration timestamp to Active Directory. To do this, issue the following command in PowerShell to grant the permissions on the OU you want to use LAPS (e.g. the "Workstations" OU in this example).*
- Set-AdmPwdComputerSelfPermission -OrgUnit "Workstations"
* Note: In the above example, replace "Workstations" with the name of the OU that you want to use LAPS.
Step 6. Create a Group Policy for LAPS.
The last step in the LAPS setup is to create a new Group Policy for the LAPS settings.
1. Open Server Manager and, from the Tools menu, open Group Policy Management.
2. In Group Policy Management console, expand Domains and under your domain, right-click on the OU that contains the computers for LAPS and select Create a GPO in this domain, and Link it here…
3. Give a recognizable name for the new policy (e.g. "LAPS") and click OK.
4. Now right-click the new GPO and select Edit.
5. Go to Computer Configuration > Policies > Administrative Templates > LAPS
6a. Open the Enable local admin password management policy.
6b. Choose Enabled and click OK.
7a. Now open the Password Settings policy.
7b. Select Enabled and, below, set the password complexity, length and age (expiration time). When done, click OK.
8. At this point you are done with the basic configuration of LAPS, provided you want to manage the standard built-in local admin account "Administrator" with LAPS.*
* Note: If you have set up a custom local admin account on the workstations (e.g. named "LocalAdmin") and want to use that account instead of "Administrator" with LAPS, enable the Name of administrator account to manage policy and type the name of your custom local admin account.
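As an added example (not part of the original article), the following script performs Steps 4 to 6 from an elevated PowerShell on the management computer, and goes beyond the article by also restricting who can read the stored passwords and enabling auditing of reads. It assumes the AdmPwd.PS, ActiveDirectory and GroupPolicy modules are installed; the OU, GPO and group names are placeholders, and the registry path and value names are assumed to be those written by the LAPS policy template.

```powershell
# Added example (not from the original article): scripts Steps 4-6 from an
# elevated PowerShell on the management computer. Assumes the AdmPwd.PS,
# ActiveDirectory and GroupPolicy modules are installed. The OU, GPO and
# group names below are placeholders for your own environment.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OuName    = 'Workstations'             # OU from Step 1
$GpoName   = 'LAPS'                     # GPO name from Step 6
$ReadGroup = 'LAPS-Password-Readers'    # hypothetical group allowed to read passwords
$OuDn      = (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'").DistinguishedName

# Step 4: extend the schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Update-AdmPwdADSchema

# Step 5: let each computer write its own password and expiration time to AD.
Set-AdmPwdComputerSelfPermission -OrgUnit $OuName

# Grant read (and reset) rights only to a dedicated group, never to broad
# groups: whoever can read ms-Mcs-AdmPwd holds a local admin password.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OuName -AllowedPrincipals $ReadGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $OuName -AllowedPrincipals $ReadGroup

# Log every read of the password attribute (Security log, event 4662).
Set-AdmPwdAuditing -OrgUnit $OuName -AuditedPrincipals 'Everyone'

# Audit who currently holds the extended right to read passwords on this OU.
Find-AdmPwdExtendedRights -Identity $OuName | Format-Table -AutoSize

# Step 6: create the GPO and write the same values the ADMX policy writes.
# Assumption: registry path and value names of the LAPS policy template.
$Key = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PasswordComplexity' -Type DWord -Value 4   # upper, lower, digits, specials
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PasswordLength'     -Type DWord -Value 20
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30
# Optional (Step 8 note): manage a custom account instead of built-in Administrator.
# Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AdminAccountName' -Type String -Value 'LocalAdmin'

# Link the GPO to the OU so the client-side extension picks up the settings.
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes
```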
How to View the Local Administrator's passwords using LAPS.
After setting up LAPS using the steps above, you should be able to see the local Administrator password of any workstation where LAPS is installed in one of the following ways:
Method 1. View Local Administrator Password using LAPS UI.
1. Open the LAPS UI application on the management computer and search for the name of the machine whose local Administrator password and expiration date you want to view.
Method 2. View Local Administrator's Password using Computer's Attributes.
1. In Active Directory Users and Computers, go to the OU where you have enabled LAPS.
2. Right-click on the computer object whose password you want to see and select Properties.
3. Select the Attribute Editor tab, and scroll down to find the "ms-Mcs-AdmPwd" & "ms-Mcs-AdmPwdExpirationTime" values.
* Info: The ms-Mcs-AdmPwd attribute shows the password in plain text. The ms-Mcs-AdmPwdExpirationTime attribute shows the expiration date as the number of 100-nanosecond intervals that have elapsed from 0 hour on January 1, 1601 until the date/time being stored. The time is always stored in Greenwich Mean Time (GMT) in Active Directory. If you want to convert it manually, use this command:
- w32tm /ntte <number you want to convert>
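As an added example (not part of the original article), the function below reports the LAPS password state of every computer in an OU by reading only the ms-Mcs-AdmPwdExpirationTime attribute and applying the same 1601-based conversion as w32tm /ntte, so it flags machines that never rotated or whose rotation is overdue without exposing any password. It assumes the ActiveDirectory module is installed and that "Workstations" is your LAPS OU.

```powershell
# Added example (not from the original article): report LAPS password state
# for every computer in an OU without reading any password. Assumes the
# ActiveDirectory module (RSAT) and that 'Workstations' is your LAPS OU.
Import-Module ActiveDirectory

function Get-LapsExpiryReport {
    param([string]$OrgUnit = 'Workstations')

    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OrgUnit'"
    # Only the expiration attribute is requested; ms-Mcs-AdmPwd stays unread.
    Get-ADComputer -SearchBase $ou.DistinguishedName -Filter * `
        -Properties 'ms-Mcs-AdmPwdExpirationTime' | ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw) {
            # No attribute: the client-side extension has never written to AD
            # (LAPS not installed, GPO not applied, or Step 5 permission missing).
            $expires = $null
            $state   = 'NeverSet'
        } else {
            # Same conversion as "w32tm /ntte": 100 ns ticks since 1601-01-01 UTC.
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            $state   = if ($expires -lt (Get-Date).ToUniversalTime()) { 'Expired' } else { 'Current' }
        }
        [pscustomobject]@{ Computer = $_.Name; ExpiresUtc = $expires; State = $state }
    }
}

# 'Expired' entries are worth a look: the client should rotate the password on
# its next Group Policy refresh once the expiration time has passed.
Get-LapsExpiryReport -OrgUnit 'Workstations' | Sort-Object State | Format-Table -AutoSize
```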
Method 3. View Administrator Password using PowerShell.
The final way to view the local Administrator's password is by running the command below in PowerShell.*
- Get-AdmPwdPassword ComputerName
* Note: In the above command, replace ComputerName with the name of the PC whose local Administrator password you want to view (e.g. to view the admin password on "HP-PC", issue this command):
- Get-AdmPwdPassword HP-PC
That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.