[ Batch Script for Managing Local Administrator Accounts ]
Overview
The LAPS-SetLocalAccounts.bat script automates the management of local administrator accounts on Windows workstations integrated with Microsoft LAPS (Local Administrator Password Solution). It provides an efficient, idempotent way to create and manage local admin accounts with automatic LAPS integration.
NOTE: The script intelligently checks if the admin user already exists and is a member of the local administrators group. If both conditions are met, the script exits quietly without making any changes, making it ideal for recurring execution via scheduled tasks or GPO.
Key Features
Generates 20-character random passwords with a strong character set
Smart conditional execution - only runs if user doesn't exist or isn't in administrators group
Automatically adds accounts to the local Administrators group
Removes specified legacy local accounts
Automatic LAPS policy processing after account creation
Simple configuration via variables - one change updates entire script
Quiet exit when no action needed - perfect for scheduled tasks
Configuration Variables
The script uses simple variables defined at the top of the file. Modify these values to customize for each client:
Variable | Line | Required | Description
AdminUser | Line 10 | Yes | Name of the local administrator account to create or verify (default: "masteradmin")
UsersToRemove | Line 11 | No | Comma-separated list of existing local accounts to remove (e.g., "amy, user, claems, defaultuser0")
Example Configuration
set "AdminUser=clientadmin"
set "UsersToRemove=oldadmin, testuser, legacyuser"
Simply edit these two lines at the top of the script to customize for different clients. All script logic automatically uses these values.
Usage Examples
Basic Usage - Run Script
LAPS-SetLocalAccounts.bat
Run the batch file from an elevated prompt. It checks whether the configured admin user exists and is a member of the local Administrators group; if so, it exits quietly. Otherwise it creates the user with a random 20-character password, adds it to Administrators, removes the legacy users, and triggers LAPS processing.
Run via Command Line
cmd.exe /c "C:\Scripts\LAPS-SetLocalAccounts.bat"
Execute from another script or scheduled task, for example as a GPO startup script or from a configuration management system.
The script requires administrative rights to create users and manage local groups, so run it from an elevated context. A GPO startup script or a scheduled task running as SYSTEM already has those rights; an interactive user must launch it with "Run as Administrator".
How It Works
Step 1: Pre-Check - Does User Exist?
Script first checks if the configured admin user (from AdminUser variable) exists on the local system.
Step 2: Pre-Check - Is User in Administrators Group?
If user exists, script checks if they are already a member of the local Administrators group. If YES to both checks, script exits quietly with no changes.
Step 3: Generate Random Password
If user doesn't exist or isn't in administrators group, generates a 20-character random password using uppercase, lowercase, numbers, and special characters.
Step 4: Create User or Add to Group
Creates new user account if it doesn't exist, or adds existing user to local Administrators group if they weren't already a member.
Step 5: Remove Legacy Accounts
Processes the UsersToRemove list, removing each specified account from the Administrators group and then deleting the account permanently. The deleted account's profile directory under C:\Users is not removed and must be cleaned up separately if required.
Step 6: Create Marker File
Creates C:\temp\laps.txt as a completion marker for monitoring or logging purposes.
Step 7: LAPS Processing
Automatically triggers Invoke-LapsPolicyProcessing via PowerShell so that Windows LAPS rotates the password and stores it in Active Directory. Windows LAPS rotates the account named in its policy (the AdministratorAccountName setting, defaulting to the built-in Administrator), so that policy must name the same account as AdminUser; otherwise the script-generated password is never replaced.
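The seven steps above, as an added example written in PowerShell rather than batch. This is not the LAPS-SetLocalAccounts.bat script itself; it reproduces the same logic so the pre-check, the password generation and the LAPS hand-off can be read in one place. It assumes the Windows LAPS module providing Invoke-LapsPolicyProcessing is present, that LAPS policy is applied with its managed account name matching $AdminUser, and the account names and marker path are illustrative. Unlike the batch file, it draws the initial password from a cryptographic RNG and addresses the Administrators group by its well-known SID.

```powershell
# Added example, not the LAPS-SetLocalAccounts.bat script: the same seven steps
# written in PowerShell (Windows PowerShell 5.1 or later, elevated).
# Assumptions: the Windows LAPS module providing Invoke-LapsPolicyProcessing is
# present, LAPS policy is applied, and the policy's managed account name matches
# $AdminUser. Account names and the marker path are illustrative.
#Requires -RunAsAdministrator
param(
    [string]   $AdminUser     = 'masteradmin',
    [string[]] $UsersToRemove = @('oldadmin', 'testuser'),
    [string]   $MarkerFile    = 'C:\temp\laps.txt'
)

# Address Administrators by its well-known SID so a renamed group still resolves.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

function New-RandomPassword {
    # 20 characters from a CSPRNG, mixed case + digits + symbols, with rejection
    # sampling so every alphabet character is equally likely (no modulo bias).
    param([int] $Length = 20)
    $alphabet = [char[]] 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte     = New-Object byte[] 1
    $limit    = 256 - (256 % $alphabet.Length)
    $out      = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void] $out.Append($alphabet[$byte[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return $out.ToString()
}

# Steps 1-2: pre-check. Membership is compared by SID; Get-LocalGroupMember can
# throw on orphaned (deleted-domain) SIDs, which is why its errors are suppressed.
$user     = Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue
$isMember = $false
if ($user) {
    $members  = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue
    $isMember = [bool] ($members | Where-Object { $_.SID.Value -eq $user.SID.Value })
}
if ($user -and $isMember) {
    return   # Nothing to do; this quiet exit is what makes recurring runs safe.
}

# Steps 3-4: create the account with a throwaway random password, or only fix membership.
if (-not $user) {
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    $user   = New-LocalUser -Name $AdminUser -Password $secure -PasswordNeverExpires `
                  -AccountNeverExpires -Description 'LAPS-managed local administrator'
}
if (-not $isMember) {
    Add-LocalGroupMember -Group $adminGroup -Member $user
}

# Step 5: remove legacy accounts. Built-ins (RID 500/501/503/504) are refused rather
# than failed on; names that no longer exist are skipped, keeping the run idempotent.
foreach ($name in ($UsersToRemove | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    $legacy = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $legacy) { continue }
    if ($legacy.SID.Value -match '-(500|501|503|504)$') {
        Write-Warning "Refusing to delete built-in account '$name'"
        continue
    }
    Remove-LocalGroupMember -Group $adminGroup -Member $legacy -ErrorAction SilentlyContinue
    Remove-LocalUser -InputObject $legacy    # permanent; C:\Users\<name> is left behind
}

# Step 6: marker file for monitoring.
New-Item -ItemType Directory -Path (Split-Path -Parent $MarkerFile) -Force | Out-Null
Set-Content -Path $MarkerFile -Value ("{0} {1}" -f (Get-Date -Format 'o'), $AdminUser)

# Step 7: hand the account to LAPS. If this fails, the account keeps the
# unrecorded random password from Step 3 until the next successful rotation.
Invoke-LapsPolicyProcessing
```

The batch script reads UsersToRemove as one comma-separated string; here it is a string array, which is why each entry is trimmed before use. The Step 3 password is never written anywhere, so a failed Step 7 leaves an account nobody can log into until LAPS processing succeeds, which the verification script will surface as a computer without an expiration time.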
Recurring Execution
This script is designed to be safe for recurring execution via scheduled tasks, GPO startup scripts, or configuration management tools:
Smart Exit - Exits immediately if admin user exists and is in administrators group
Idempotent - Won't recreate existing accounts or duplicate group memberships
No unintended changes - Only performs actions when necessary
Minimal overhead - Pre-check happens in seconds before any modifications
TIP: After initial deployment, you can clear the UsersToRemove variable (set it to empty quotes) to avoid repeatedly attempting to delete already-removed accounts. The script will continue to verify the admin user on each run.
Security Considerations
Initial password is 20 characters with a strong character set (uppercase, lowercase, numbers, special characters). It is generated and handled inside cmd.exe, so where process command-line auditing is enabled (Event ID 4688 with command-line logging, or Sysmon Event ID 1) it can be captured in local logs; treat it as a bootstrap secret only.
Initial password is replaced by the LAPS-managed password as soon as Invoke-LapsPolicyProcessing succeeds. Until then, or if LAPS processing fails, the account keeps the script-generated password, which is not recorded anywhere.
LAPS passwords are stored in Active Directory in an attribute protected by ACLs. Windows LAPS can additionally encrypt the stored password (its password-encryption policy, which requires a 2016 domain functional level); without that setting the attribute holds the password in cleartext, readable by any principal granted the attribute right.
Script only creates accounts when necessary - no unnecessary password changes
User removal is permanent and cannot be undone; the deleted account's SID cannot be restored and its profile directory is left behind under C:\Users
Script requires administrative privileges to execute
WARNING: Always test in a non-production environment before deploying to production workstations. Verify the UsersToRemove list carefully to avoid accidentally deleting needed accounts.
Requirements
Windows 10/11 or Windows Server 2019+ (the Invoke-LapsPolicyProcessing cmdlet used in Step 7 belongs to Windows LAPS, which is not available on Windows Server 2016)
Command Prompt (cmd.exe) - standard on all Windows systems
Administrator privileges to run the script
Windows LAPS available and configured: it is built into Windows 10/11 and Windows Server 2019+ from the April 2023 cumulative update onward, the AD schema must be extended for it, and the LAPS policy must apply to the workstation
PowerShell with the LAPS module, which provides the Invoke-LapsPolicyProcessing cmdlet used for LAPS policy processing
Active Directory domain membership for LAPS functionality
Prerequisite Checker
Before deploying LAPS, verify that individual workstations meet all requirements:
LAPS-Pre-Req-check.ps1
A diagnostic PowerShell script that runs on individual workstations to verify LAPS readiness and troubleshoot configuration issues.
Detects Windows 10/11 version and build number compatibility
NOTE: This script is run ON the workstation you want to check, not from the DC. It requires local administrator privileges.
Usage
Run on Workstation
.\LAPS-Pre-Req-check.ps1
Run with administrator privileges. The script will check 10 prerequisites and pause after every 3-4 checks so you can review results on a small screen. Press any key to continue at each pause.
Output
The script provides:
Color-coded PASS/FAIL status for each check
Specific suggestions for fixing failures
System information (OS, build, version)
Summary with total passed/failed count
Pauses for review on small screens
When to Use
Before deploying LAPS to new workstations
Troubleshooting failed LAPS deployments
Verifying Windows updates are sufficient
Confirming GPO application
Checking LAPS capability installation
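A compact readiness check in the spirit of the prerequisite checker, as an added example that is not the LAPS-Pre-Req-check.ps1 script: it is run elevated ON the workstation and returns PASS/FAIL objects with a remediation hint per check, covering elevation, domain membership, presence of the Windows LAPS cmdlets and event log, and whether policy has reached the machine. The registry path HKLM:\SOFTWARE\Microsoft\Policies\LAPS and the meaning of its BackupDirectory value (0 = disabled, 1 = Entra ID, 2 = Windows Server Active Directory) are assumptions about where Windows LAPS keeps GPO-delivered settings; adjust them if your build stores policy elsewhere.

```powershell
# Added example, not LAPS-Pre-Req-check.ps1: a minimal Windows LAPS readiness
# check, run elevated on the workstation being checked. Assumptions: GPO policy
# lands under HKLM:\SOFTWARE\Microsoft\Policies\LAPS and BackupDirectory 2 means
# Windows Server Active Directory.
function Test-LapsReadiness {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $cs        = Get-CimInstance Win32_ComputerSystem
    $os        = Get-CimInstance Win32_OperatingSystem
    $ubr       = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $identity  = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()

    # Each entry: check name, condition, hint shown only on FAIL.
    $checks = @(
        @('Elevated session',
          $identity.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator),
          'Re-run from an elevated PowerShell session'),
        @('Domain joined', $cs.PartOfDomain, 'Join the computer to the domain'),
        @('Secure channel to a DC',
          [bool] (Test-ComputerSecureChannel -ErrorAction SilentlyContinue),
          'Check DC reachability or reset the machine account'),
        @('Windows LAPS cmdlets present',
          [bool] (Get-Command Invoke-LapsPolicyProcessing -ErrorAction SilentlyContinue),
          "Install the April 2023 or later cumulative update (current build $($os.Version).$ubr)"),
        @('Windows LAPS event log present',
          [bool] (Get-WinEvent -ListLog 'Microsoft-Windows-LAPS/Operational' -ErrorAction SilentlyContinue),
          'This build has no Windows LAPS component'),
        @('LAPS policy applied', [bool] $policy,
          'Link the LAPS GPO to this OU and run gpupdate /force'),
        @('Backup target is Windows Server AD', ($policy.BackupDirectory -eq 2),
          'Set BackupDirectory to Windows Server Active Directory'),
        @('Managed account named', [bool] $policy.AdministratorAccountName,
          'Set AdministratorAccountName to the account the batch script creates')
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check  = $c[0]
            Result = if ($c[1]) { 'PASS' } else { 'FAIL' }
            Hint   = if ($c[1]) { '' } else { $c[2] }
        }
    }
}

$results = @(Test-LapsReadiness)
$results | Format-Table -AutoSize
$failed = @($results | Where-Object Result -eq 'FAIL').Count
$color  = if ($failed) { 'Yellow' } else { 'Green' }
Write-Host ("{0} of {1} checks passed" -f ($results.Count - $failed), $results.Count) -ForegroundColor $color
```

The cmdlet and event-log checks are the reliable indicators that the LAPS component exists on the build; the OS version is reported only as context for the hint. An unset AdministratorAccountName is a valid configuration (Windows LAPS then manages the built-in Administrator), but it is flagged here because the batch script creates a differently named account that the policy must name to be rotated.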
Deployment Verification
After deploying LAPS across your environment, use the verification script to audit deployment success:
LAPS-VerifyPCs.ps1
A centralized PowerShell script that scans Active Directory and generates a comprehensive report of LAPS deployment status.
Scans entire domain or specific OUs
Shows which computers have LAPS passwords configured
Displays password expiration dates
Reports operating system and last logon information
Exports timestamped CSV reports
Shows deployment percentage complete
NOTE: This script is run from the Domain Controller or any domain-joined machine with read access to the LAPS attributes on computer objects, not from individual endpoints. It queries Active Directory to check LAPS status across all computers.
Usage
Default - Scan Entire Domain
.\LAPS-VerifyPCs.ps1
Scans all enabled computers in the domain and generates a report showing LAPS deployment status.
Scan Specific OUs
Edit line 20 in the script to target specific organizational units instead of the whole domain.
Output: timestamped CSV file with full details (computer name, password expiration, OS, last logon, OU)
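The kind of query the verification script performs, as an added example that is not LAPS-VerifyPCs.ps1: it reads the Windows LAPS expiration-time attribute from every enabled computer under a search base, flags computers with no LAPS password and computers whose password is past its expiration (a client that has stopped checking in), prints the coverage percentage and writes a timestamped CSV. It assumes the RSAT ActiveDirectory module is installed, that the schema has been extended for Windows LAPS (attribute msLAPS-PasswordExpirationTime; for legacy LAPS pass ms-Mcs-AdmPwdExpirationTime instead), and the OU path in the usage comment is illustrative.

```powershell
# Added example, not LAPS-VerifyPCs.ps1: audit Windows LAPS coverage from any
# domain-joined host with the ActiveDirectory module and read access to the
# expiration-time attribute. Assumes the Windows LAPS schema extension; pass
# -ExpirationAttribute 'ms-Mcs-AdmPwdExpirationTime' for legacy LAPS.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,   # whole domain by default
        [string] $ExpirationAttribute = 'msLAPS-PasswordExpirationTime'
    )
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                     -Properties OperatingSystem, LastLogonDate, $ExpirationAttribute
    $nowUtc = (Get-Date).ToUniversalTime()
    foreach ($c in $computers) {
        $raw     = $c.$ExpirationAttribute                         # FILETIME as Int64, or null
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([long] $raw) } else { $null }
        [pscustomobject]@{
            ComputerName    = $c.Name
            LapsConfigured  = [bool] $raw
            PasswordExpires = $expires
            Expired         = [bool] ($expires -and $expires -lt $nowUtc)   # not rotated on time
            OperatingSystem = $c.OperatingSystem
            LastLogonDate   = $c.LastLogonDate
            OU              = ($c.DistinguishedName -replace '^CN=[^,]+,', '')
        }
    }
}

# Whole domain; for one OU use e.g. Get-LapsCoverage -SearchBase 'OU=Workstations,DC=corp,DC=example'
$report = @(Get-LapsCoverage)
$total  = $report.Count
$done   = @($report | Where-Object LapsConfigured).Count
$stale  = @($report | Where-Object Expired).Count
$pct    = if ($total) { [math]::Round(100 * $done / $total, 1) } else { 0 }
Write-Host ("LAPS coverage: {0}/{1} computers ({2}%), {3} past expiration" -f $done, $total, $pct, $stale)

$path = 'LAPS-Coverage-{0}.csv' -f (Get-Date -Format 'yyyyMMdd-HHmmss')
$report | Sort-Object LapsConfigured, Expired, ComputerName |
    Export-Csv -Path $path -NoTypeInformation
Write-Host "Report written to $path"
```

Only the expiration-time attribute is read, so the account running the audit needs no right to read the password itself. A computer that shows LapsConfigured but Expired has a stored password the client has not rotated, which usually means the machine is offline, no longer applying the policy, or the batch script created an account the policy does not name.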
Troubleshooting
Script exits immediately without creating user
Solution: This is expected behavior if the admin user already exists and is in the administrators group. Check that the user exists with net user <AdminUser> and verify group membership with net localgroup Administrators.
User creation fails
Solution: Verify script is running with Administrator privileges (right-click > Run as Administrator). Check that the username doesn't conflict with system accounts. Windows usernames must be 20 characters or fewer.
Cannot add to Administrators group
Solution: Check that the user account was created successfully and that the Administrators group exists on the system. Some systems may have renamed the group; its well-known SID S-1-5-32-544 does not change, so tooling that accepts a SID can always address it.
Invoke-LapsPolicyProcessing fails
Solution: Ensure Windows LAPS is present on the build, the computer is joined to the domain, and the LAPS GPO is applied to the workstation. Run gpupdate /force first to ensure the latest policies are applied, then check the Microsoft-Windows-LAPS/Operational event log for the specific failure reason.
UsersToRemove not working
Solution: Verify usernames are spelled correctly and separated by commas with spaces after commas. Check that users aren't system-protected accounts (Administrator, Guest, etc.).
C:\temp\laps.txt not created
Solution: Ensure the C:\temp directory exists. Create it manually if needed: mkdir C:\temp
Download & Documentation
Download scripts and view comprehensive documentation: