Windows LAPS Configuration Guide

Complete Setup and Deployment Guide

Version 2.0 | Last Modified: January 22nd, 2026 | Author: Doug Hesseltine | Copyright Technologist.services 2025

Overview

Windows LAPS (Local Administrator Password Solution) is a native Windows feature, delivered in the April 11, 2023 cumulative updates for Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022 and included in later builds, that automatically manages and rotates the password of one local administrator account per device and backs that password up to Active Directory or Microsoft Entra ID (formerly Azure AD). This guide covers the Active Directory backup path; every managed machine gets its own unique password, so a credential stolen from one host cannot be replayed against the rest of the fleet.

Prerequisites

Required Updates

Windows LAPS ships in the April 11, 2023 (and later) cumulative updates for Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022. Install the current cumulative update on the domain controllers and on every client that will be managed before continuing; there is no separate download. The update installs the LAPS PowerShell module and the LAPS.admx Group Policy template under %windir%\PolicyDefinitions; if the domain uses a Central Store for templates, copy LAPS.admx and its .adml into the store or the LAPS settings will not appear in gpmc.msc. Password encryption (optional, see Troubleshooting) additionally requires a domain functional level of Windows Server 2016 or higher.

Verify LAPS Installation

# Check if LAPS module exists
Import-Module LAPS

# List available LAPS commands
Get-Command -Module LAPS

Initial Setup Steps

1. Update Active Directory Schema

Run this once per forest, as a member of Schema Admins, from any updated machine with the LAPS module. It adds the msLAPS-* attributes (password, expiration time and the encrypted variants) to the computer class:

Update-LapsADSchema

2. Configure Computer Self-Permissions

Grant computers the ability to update their own LAPS password in AD. The permission is written on the OU with inheritance, so every computer object in it (and in child OUs) can write only its own msLAPS-* attributes:

Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=domain,DC=com"
Set-LapsADComputerSelfPermission -Identity "OU=Servers,DC=domain,DC=com"

Replace with your actual OU distinguished names.

3. Create Security Group for Password Readers

# Create group in AD (if not exists)
New-ADGroup -Name "LAPS_Password_Readers" -GroupScope DomainLocal -GroupCategory Security

# Get the group SID (needed for GPO configuration)
Get-ADGroup "LAPS_Password_Readers"

4. Grant Password Read Permissions

Set-LapsADReadPasswordPermission -Identity "OU=Workstations,DC=domain,DC=com" -AllowedPrincipals "LAPS_Password_Readers"
Set-LapsADReadPasswordPermission -Identity "OU=Servers,DC=domain,DC=com" -AllowedPrincipals "LAPS_Password_Readers"
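Steps 1 to 4 above as one idempotent script, followed by the check a practitioner wants after delegating rights: who can actually read the password attributes on each OU? This is an added example, not code from the original guide. It assumes the LAPS and ActiveDirectory modules, a caller who is in Schema Admins (for the schema step) and Domain Admins, and the placeholder OU and group names used throughout this guide.

```powershell
#Requires -Modules LAPS, ActiveDirectory
# Added example, not part of the original guide: idempotent AD-side setup for steps 1-4,
# followed by an audit of every principal that can read the LAPS password attributes.
# Assumptions (placeholders): the OU names, the group name, and that the caller is a member
# of Schema Admins (step 1) and Domain Admins (steps 2-4).

$ManagedOUs  = @('OU=Workstations,DC=domain,DC=com', 'OU=Servers,DC=domain,DC=com')
$ReaderGroup = 'LAPS_Password_Readers'

# Step 1: extend the schema only if the Windows LAPS attributes are not there yet.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$lapsAttr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msLAPS-Password)'
if (-not $lapsAttr) {
    Write-Host 'Windows LAPS schema attributes missing; running Update-LapsADSchema (Schema Admins required)'
    Update-LapsADSchema
} else {
    Write-Host 'Windows LAPS schema already present; skipping schema update'
}

# Step 3: reader group, created only when it does not exist.
$group = Get-ADGroup -Filter "Name -eq '$ReaderGroup'"
if (-not $group) {
    $group = New-ADGroup -Name $ReaderGroup -GroupScope DomainLocal -GroupCategory Security -PassThru
}
Write-Host "Reader group SID (needed if you later enable 'Configure authorized password decryptors'): $($group.SID.Value)"

# Steps 2 and 4: per OU, computers may write their own password; the reader group may read it.
foreach ($ou in $ManagedOUs) {
    Set-LapsADComputerSelfPermission -Identity $ou | Out-Null
    Set-LapsADReadPasswordPermission -Identity $ou -AllowedPrincipals $ReaderGroup | Out-Null
}

# Audit: who holds the extended rights that expose the password attributes on each OU?
# Anything beyond SYSTEM, Domain Admins and the reader group is a finding: an earlier
# "All extended rights" delegation to a help-desk group silently includes LAPS password reads.
$netbios  = (Get-ADDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', "$netbios\Domain Admins", "$netbios\$ReaderGroup")
foreach ($ou in $ManagedOUs) {
    $rights = Find-LapsADExtendedRights -Identity $ou
    foreach ($holder in $rights.ExtendedRightHolders) {
        if ($holder -in $expected) {
            Write-Host ("[ok]     {0}: {1}" -f $ou, $holder)
        } else {
            Write-Warning ("[review] {0}: {1} can read LAPS passwords" -f $ou, $holder)
        }
    }
}
```

Run the audit part again whenever OU delegations change; Find-LapsADExtendedRights reports the holders of the extended rights on the OU itself, so a principal that was granted rights directly on individual computer objects has to be checked on those objects.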

Group Policy Configuration

Create LAPS GPO

  1. Open Group Policy Management Console (gpmc.msc)
  2. Create new GPO: "LAPS Configuration"
  3. Navigate to: Computer Configuration > Policies > Administrative Templates > System > LAPS

Required Policy Settings

IMPORTANT: The setting that actually turns Windows LAPS on is "Configure password backup directory". While it is Not Configured, the backup directory defaults to Disabled and no account is managed or backed up. The other settings have built-in defaults (the built-in administrator account, 14-character passwords, 30-day age), but set each of them explicitly so the GPO documents the intended values instead of relying on defaults. Configure the settings below.

Setting                                      Configuration
Configure password backup directory          Enabled; Backup directory = Active Directory (Not Configured means Disabled, which turns LAPS off)
Name of administrator account to manage      Enabled; the account name (e.g. "Administrator"). Left Not Configured, LAPS manages the built-in administrator (RID 500) whatever it has been renamed to
Password Settings: Password complexity       Large letters + small letters + numbers + special characters
Password Settings: Password length           20 characters (recommended; the default is 14)
Password Settings: Password age (days)       30 days (recommended; also the default)
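The same GPO built from PowerShell, as an added example that is not part of the original guide. Windows LAPS reads its Group Policy settings from HKLM\Software\Microsoft\Policies\LAPS, so writing those registry values into the GPO with Set-GPRegistryValue is equivalent to setting the Administrative Template items in the table. It assumes the GroupPolicy and ActiveDirectory RSAT modules, Domain Admins rights, the placeholder OU names and the LAPS_Password_Readers group from the setup steps; the encryption part is off by default and shown only for completeness.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example, not part of the original guide: create the "LAPS Configuration" GPO and
# populate it with the values from the table above, then link it to the managed OUs.
# Assumptions: placeholder OU names; group "LAPS_Password_Readers" exists (setup step 3).

$GpoName = 'LAPS Configuration'
$LapsKey = 'HKLM\Software\Microsoft\Policies\LAPS'   # key the Windows LAPS client reads policy from
$LinkOUs = @('OU=Workstations,DC=domain,DC=com', 'OU=Servers,DC=domain,DC=com')

$Settings = [ordered]@{
    # The one value LAPS cannot run without: 0 = Disabled (the default), 1 = Entra ID, 2 = Active Directory.
    BackupDirectory          = @{ Type = 'DWord';  Value = 2 }
    AdministratorAccountName = @{ Type = 'String'; Value = 'Administrator' }
    PasswordComplexity       = @{ Type = 'DWord';  Value = 4 }   # large + small + numbers + specials
    PasswordLength           = @{ Type = 'DWord';  Value = 20 }  # default would be 14
    PasswordAgeDays          = @{ Type = 'DWord';  Value = 30 }
}

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

foreach ($name in $Settings.Keys) {
    $s = $Settings[$name]
    Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName $name -Type $s.Type -Value $s.Value | Out-Null
}

# Optional: store the password encrypted in AD (needs domain functional level 2016 or higher).
# With encryption on, only the principal named here can decrypt; unset, that is Domain Admins.
$EnableEncryption = $false
if ($EnableEncryption) {
    $decryptorSid = (Get-ADGroup 'LAPS_Password_Readers').SID.Value
    Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName ADPasswordEncryptionEnabled   -Type DWord  -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName ADPasswordEncryptionPrincipal -Type String -Value $decryptorSid | Out-Null
}

# Link to each managed OU unless the link already exists.
foreach ($ou in $LinkOUs) {
    $existing = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object DisplayName -eq $GpoName
    if (-not $existing) {
        New-GPLink -Name $GpoName -Target $ou -LinkEnabled Yes | Out-Null
    }
}

# Read back exactly what the clients will receive.
Get-GPRegistryValue -Name $GpoName -Key $LapsKey | Select-Object ValueName, Type, Value
```

The read-back at the end is the check to keep: a LAPS GPO whose BackupDirectory value is missing or 0 applies cleanly and does nothing, which is the most common "LAPS is deployed but no passwords appear" configuration.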

Optional Settings

Link GPO

Link the GPO to the OUs that contain the computer objects LAPS should manage, that is, the same OUs granted self-permission in step 2 (for example OU=Workstations and OU=Servers). Computers outside a linked OU receive no policy and are not managed, even if the AD permissions were set on their OU.

Deploy Local Admin Account Creation Script

Setup

  1. Copy LAPS-SetLocalAccounts.bat to: \\domain.com\NETLOGON\LAPS\
  2. Edit the script to set the desired admin username (it must match "Name of administrator account to manage" in the GPO exactly)
  3. Add as GPO Computer Startup Script

Startup scripts run as SYSTEM on every computer the GPO reaches, so whoever can edit this file can run code as SYSTEM on all of them. NETLOGON is writable only by administrators by default; keep it that way and do not relax the share or NTFS permissions on the LAPS folder.

GPO Startup Script Configuration

  1. Edit LAPS GPO
  2. Navigate to: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)
  3. Click Startup > Add
  4. Script Name: \\domain.com\NETLOGON\LAPS\LAPS-SetLocalAccounts.bat
  5. Click OK
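An equivalent of the account-creation startup script in PowerShell, as an added example (the guide's own LAPS-SetLocalAccounts.bat is not reproduced here). It creates the managed account if it is missing, makes sure it is enabled and in the local Administrators group, and is idempotent so it can run at every boot. The account name "LapsAdmin" is a placeholder that must match "Name of administrator account to manage"; the initial password is random and never stored, because LAPS replaces it on its first policy cycle.

```powershell
# Added example, not the guide's LAPS-SetLocalAccounts.bat. Run as a Computer Startup
# script (executes as SYSTEM). Placeholder: $AccountName must equal the GPO's
# "Name of administrator account to manage".

$AccountName = 'LapsAdmin'
$Description = 'Local administrator account managed by Windows LAPS'

function New-ThrowawayPassword {
    # 32 CSPRNG bytes as Base64: satisfies any local complexity policy and is never persisted.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Create the account if it does not exist; otherwise make sure it is enabled.
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-LocalUser -Name $AccountName -Password (New-ThrowawayPassword) `
        -Description $Description -PasswordNeverExpires -AccountNeverExpires
} elseif (-not $user.Enabled) {
    Enable-LocalUser -Name $AccountName
}

# Membership of Administrators, addressed by its well-known SID (S-1-5-32-544) so a
# renamed or localised group name does not break the script.
$adminsSid = 'S-1-5-32-544'
$isMember = Get-LocalGroupMember -SID $adminsSid -ErrorAction SilentlyContinue |
    Where-Object { $_.SID -eq $user.SID }
if (-not $isMember) {
    Add-LocalGroupMember -SID $adminsSid -Member $user
}

# Kick off a LAPS policy cycle now so the new account is taken over without waiting.
Invoke-LapsPolicyProcessing -ErrorAction SilentlyContinue
```

Because this is a .ps1 rather than a .bat, add it under the PowerShell Scripts tab of the Startup item in the GPO. Note what the script does not do: it neither disables the built-in RID-500 account nor touches any other local account, so decide separately whether the built-in Administrator stays enabled once LAPS manages a dedicated account.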

Verification

Check LAPS Policy Applied

# Force policy update on client
gpupdate /force

# Run a LAPS policy processing cycle now. This rotates the password only if none has been
# backed up yet or the current one has expired; otherwise it just re-validates the policy.
Invoke-LapsPolicyProcessing

View Password in Active Directory

Method 1: AD Users and Computers (GUI)

  1. Open dsa.msc
  2. Find computer object
  3. Right-click > Properties
  4. Click LAPS tab
  5. View password and expiration

Method 2: PowerShell

# View password for specific computer (-AsPlainText prints the password; without it the
# Password property is a SecureString)
Get-LapsADPassword -Identity "COMPUTERNAME" -AsPlainText

# View with update and expiration date
Get-LapsADPassword -Identity "COMPUTERNAME" -AsPlainText | Select-Object ComputerName, Password, PasswordUpdateTime, ExpirationTime

View DSRM Password (Domain Controllers)

DSRM password backup is separate from local account management: it requires the "Enable password backup for DSRM accounts" policy on the domain controllers, and it only works together with "Enable password encryption". -IncludeHistory returns previous passwords as well as the current one:

Get-LapsADPassword -Identity "DC-NAME" -AsPlainText -IncludeHistory
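A fleet-wide coverage check, as an added example that is not part of the original guide: it walks every enabled computer in the managed OUs and reports whether a LAPS password is backed up and when it expires, without ever displaying a password (Get-LapsADPassword is called without -AsPlainText, so the Password property stays a SecureString and is not selected). Machines reported as NoPassword or Expired are the ones to take into the Troubleshooting section. It assumes the LAPS and ActiveDirectory modules, membership in LAPS_Password_Readers or Domain Admins, and the placeholder OU names; $MaxAgeDays must match the GPO's password age.

```powershell
#Requires -Modules LAPS, ActiveDirectory
# Added example, not part of the original guide: LAPS coverage report for the managed OUs.
# Assumptions: placeholder OU names; $MaxAgeDays equals "Password age (days)" in the GPO.

$ManagedOUs = @('OU=Workstations,DC=domain,DC=com', 'OU=Servers,DC=domain,DC=com')
$MaxAgeDays = 30
$Remediate  = $false   # set to $true to expire stale/expired entries so clients rotate at once

$report = foreach ($ou in $ManagedOUs) {
    Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true' -Properties LastLogonDate | ForEach-Object {
        $entry = [ordered]@{
            Computer      = $_.Name
            OU            = $ou
            LastLogonDate = $_.LastLogonDate
            Status        = 'NoPassword'
            Updated       = $null
            Expires       = $null
            Source        = $null
        }
        try {
            # No -AsPlainText: Password stays a SecureString and is deliberately not copied into the report.
            $p = Get-LapsADPassword -Identity $_.Name -ErrorAction Stop
            if ($p) {
                $entry.Updated = $p.PasswordUpdateTime
                $entry.Expires = $p.ExpirationTime
                $entry.Source  = $p.Source          # e.g. CleartextPassword vs EncryptedPassword
                $entry.Status  =
                    if ($p.ExpirationTime -lt (Get-Date)) { 'Expired' }          # client has not rotated in time
                    elseif ($p.PasswordUpdateTime -lt (Get-Date).AddDays(-$MaxAgeDays)) { 'Stale' }  # expiry pushed out past policy
                    else { 'OK' }
            }
        } catch {
            $entry.Status = "Error: $($_.Exception.Message)"   # typically access denied
        }
        [pscustomobject]$entry
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize

# Optional remediation: expiring the password in AD makes the client rotate it on its next
# policy processing cycle instead of waiting for the remainder of the 30-day age.
if ($Remediate) {
    $report | Where-Object { $_.Status -in @('Expired', 'Stale') } | ForEach-Object {
        Set-LapsADPasswordExpirationTime -Identity $_.Computer
    }
}
```

A large NoPassword count concentrated in one OU usually means the GPO is not linked there or the self-permission step was skipped for that OU; a scatter of Expired entries with recent LastLogonDate values points at clients that reach AD but fail the write, which the LAPS operational log on the client will explain.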

Troubleshooting

Password Not Showing in AD

Solution: On the workstation, run:

gpupdate /force
Invoke-LapsPolicyProcessing

Invoke-LapsPolicyProcessing writes a password only when the policy has reached the computer and either no password has been backed up yet or the current one has expired. If nothing appears in AD afterwards, confirm that the GPO is linked to the computer's OU, that "Configure password backup directory" is set to Active Directory, that the account named in "Name of administrator account to manage" actually exists on the machine, and that the computer's OU received Set-LapsADComputerSelfPermission.

Check Event Viewer: Applications and Services Logs > Microsoft > Windows > LAPS > Operational
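The client-side checks above collected into one script to run elevated on the affected computer, as an added example that is not part of the original guide: it forces a policy cycle, prints the LAPS policy the client actually received, confirms the managed account exists locally, and shows the latest LAPS operational events. It uses only in-box cmdlets and the registry key the Windows LAPS client reads its Group Policy settings from.

```powershell
# Added example, not part of the original guide. Run elevated on the client that has no
# password in AD. Read-only apart from the policy refresh it triggers.

# 1. Refresh Group Policy and run a LAPS policy processing cycle right now.
gpupdate /target:computer /force | Out-Null
Invoke-LapsPolicyProcessing -Verbose

# 2. Effective policy. If the key is missing, or BackupDirectory is absent or 0, the GPO is
#    not linked to this computer's OU (or is filtered out) and LAPS is effectively disabled.
$policy = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning 'No LAPS policy key found: the GPO has not reached this computer.'
} elseif (-not $policy.BackupDirectory) {
    Write-Warning 'LAPS policy present but BackupDirectory is missing or Disabled (0): nothing will be backed up.'
} else {
    $policy | Select-Object BackupDirectory, AdministratorAccountName, PasswordLength,
                            PasswordAgeDays, ADPasswordEncryptionEnabled | Format-List
}

# 3. Does the account named in the policy exist locally? A typo in "Name of administrator
#    account to manage" is the most common cause of a silent failure. PasswordLastSet should
#    move forward after a successful rotation.
if ($policy.AdministratorAccountName) {
    $acct = Get-LocalUser -Name $policy.AdministratorAccountName -ErrorAction SilentlyContinue
    if ($acct) { $acct | Select-Object Name, Enabled, PasswordLastSet | Format-List }
    else       { Write-Warning "Managed account '$($policy.AdministratorAccountName)' does not exist on this computer." }
}

# 4. Latest LAPS operational events (newest first); errors here name the failing step,
#    for example a rejected write to AD when the self-permission is missing.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

For a support case, Get-LapsDiagnostics (also part of the LAPS module) packages the same event log and policy state into a zip file.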

Access Denied When Reading Password

Solution: Verify the user is a member of "LAPS_Password_Readers" and that the permission is set on the OU that actually contains the computer object (membership added to a group only takes effect in the user's next logon token, so have them log off and on, or run klist purge, before retesting):

Set-LapsADReadPasswordPermission -Identity "OU=Computers,DC=domain,DC=com" -AllowedPrincipals "LAPS_Password_Readers"

If password encryption is enabled in the GPO, read permission on the attribute is not enough: the caller must also be, or be a member of, the principal named in "Configure authorized password decryptors" (see below).

Decrypt Permission Error

This error only occurs when "Enable password encryption" is turned on. With encryption on and no decryptor configured, only Domain Admins can decrypt; Get-LapsADPassword reports the configured principal in its AuthorizedDecryptor field. Solution: Configure the GPO with the SID of the group that should be able to decrypt:

  1. Get the group SID: Get-ADGroup "LAPS_Password_Readers"
  2. Put that SID in the GPO setting: Configure authorized password decryptors
  3. Passwords already stored in AD were encrypted for the previous decryptor; they are re-encrypted for the new one only when the client next rotates the password

Reference Links

Quick Reference Commands

# Verify LAPS installed
Import-Module LAPS

# Update AD schema
Update-LapsADSchema

# Grant computer self-permission
Set-LapsADComputerSelfPermission -Identity "OU=Computers,DC=domain,DC=com"

# Grant read permissions to group
Set-LapsADReadPasswordPermission -Identity "OU=Computers,DC=domain,DC=com" -AllowedPrincipals "GroupName"

# Get password
Get-LapsADPassword "COMPUTERNAME" -AsPlainText

# Run a LAPS policy cycle (rotates only when the password is missing or expired)
Invoke-LapsPolicyProcessing

# Get group SID for GPO
Get-ADGroup "LAPS_Password_Readers"