Securing Local Administrator Accounts with Windows LAPS: A Get Started Guide for Windows Server Environments

Managing local administrator accounts securely is a critical aspect of maintaining a robust and secure IT environment. With the introduction of the Windows Local Administrator Password Solution (LAPS) in newer versions of Windows, Microsoft has provided a modernized tool to centralize and automate the management of local administrator passwords for Windows Clients and Server Operating Systems.

In this article, we will explore how to implement and use Windows LAPS as an addition to our HomeLab to secure your local administrator accounts, leveraging the latest features and best practices.

What is Windows LAPS?

Windows LAPS is an evolution of the traditional Local Administrator Password Solution, now integrated directly into Windows Server and client operating systems. This solution allows you to manage local administrator accounts by storing their passwords in Active Directory (AD), ensuring they are secure, unique, and regularly rotated.

Requirements

Windows versions that support Windows LAPS:

  • Windows 11 22H2 and later
  • Windows 10 with the April 2023 update
  • Windows Server 2025
  • Windows Server 2022 with the April 2023 update
  • Windows Server 2019 with the April 2023 update

Domain functional level requirements:

Your Active Directory domain needs to be at the 2016 Domain Functional Level (DFL) before you can enable Windows LAPS password encryption. There is a limitation with any Windows Server Domain Controller: those don’t support Windows LAPS and therefore can’t use the DSRM account management feature.

More details are available here.

Setting Up Windows LAPS

Extend the Active Directory Schema

Ensure you have the necessary permissions to perform this action. Open an elevated PowerShell console and run the following command to update the schema:

Update-LapsADSchema
Active Directory Schema Extension LAPS

Configure Group Policy

To enable LAPS, you need to create and apply a Group Policy Object (GPO).

  • Open the Group Policy Management console and create a new GPO or edit an existing one.
  • Navigate to Computer Configuration > Policies > Administrative Templates > System > LAPS. More details here.
  • Enable the Password Settings policy and configure the settings as needed, such as password length, complexity, and rotation period.

For security guidance, please discuss the settings with your IT Security team and enable at least a minimum requirement for your own peace of mind. In my lab I keep things simple and only manage the local administrator password for demonstration and testing purposes.

Enable LAPS minimum security
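The same minimal GPO can be built from PowerShell instead of the Group Policy editor. This is an added example, not part of the original article or the author’s lab: the GPO name and the 20-character / 30-day values are my own choices, and the registry path and value names are the ones the LAPS ADMX template maps the policy settings to, so confirm them against the template version in your central store.

```powershell
# Added example: create (or reuse) a LAPS GPO, set the minimum settings from the
# article and link it to the Servers OU. Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

$GpoName  = 'LAPS - Servers'                                         # assumed name
$TargetOu = 'OU=Servers,OU=Germany,OU=Europe,DC=ad,DC=hartiga,DC=de' # OU from the article
$LapsKey  = 'HKLM\Software\Microsoft\Policies\LAPS'                  # policy key used by the LAPS ADMX

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Each entry is one setting under Computer Configuration > ... > System > LAPS.
# Value names are assumed from the ADMX; check them if your template version differs.
$settings = @{
    BackupDirectory             = 2   # 2 = store the password in Active Directory
    PasswordLength              = 20  # assumed minimum for this lab
    PasswordComplexity          = 4   # upper, lower, digits and special characters
    PasswordAgeDays             = 30  # rotation period
    ADPasswordEncryptionEnabled = 1   # needs the 2016 DFL described under Requirements
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $LapsKey -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}

# Link the GPO to the OU, but only once (re-running the script must not add a second link).
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what ended up in the GPO so it can be compared with the editor view.
Get-GPRegistryValue -Name $GpoName -Key $LapsKey |
    Select-Object ValueName, Value, Type | Format-Table -AutoSize
```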

Apply the GPO:

  • Link the GPO to the appropriate Organizational Units (OUs) that contain the servers or clients you want to manage with LAPS.
LAPS GPO Links in AD

Grant Permissions

After linking the GPOs, you need to grant the computers in these OUs permission to write their own LAPS password attributes, using the following command:

Set-LapsADComputerSelfPermission -Identity "OU=Servers,OU=Germany,OU=Europe,DC=ad,DC=hartiga,DC=de"
Enable Self Password Set Permission

Important:

  • If inheritance is enabled, running the command on a parent OU (e.g., OU=Servers,OU=Germany,OU=Europe,DC=ad,DC=hartiga,DC=de) will propagate the permissions to all nested OUs automatically.
  • If inheritance is disabled on any child OU, you will need to run the command separately for those specific OUs.

If you prefer to set the inheritable permissions on the root of the domain, this is possible by specifying the entire domain root using DN syntax. For example, specify ‘DC=hartiga,DC=de’ for the -Identity parameter.

Best Practice:

To ensure proper permission application:

  1. Verify that inheritance is enabled for all child OUs using tools like Active Directory Users and Computers (ADUC) or PowerShell.
  2. If inheritance is disabled on some OUs, manually run the Set-LapsADComputerSelfPermission command for each affected OU.
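The two best-practice steps above can be scripted so that no child OU with blocked inheritance is missed. This is an added example and not code from the original article; it assumes the ActiveDirectory (RSAT) and LAPS modules are installed on the admin workstation and reuses the Servers OU from the article.

```powershell
# Added example: apply the LAPS self-permission to the parent OU, detect child OUs that
# block inheritance, apply it there too, and finally list who can read the passwords.
Import-Module ActiveDirectory
Import-Module LAPS

$RootOu = 'OU=Servers,OU=Germany,OU=Europe,DC=ad,DC=hartiga,DC=de'  # OU from the article

# Parent OU first: with inheritance enabled the permission flows down from here.
Set-LapsADComputerSelfPermission -Identity $RootOu | Out-Null

# A child OU with a protected ACL does not receive inherited ACEs, so it needs its own run.
$childOus = Get-ADOrganizationalUnit -SearchBase $RootOu -SearchScope Subtree -Filter * |
    Where-Object { $_.DistinguishedName -ne $RootOu }

foreach ($ou in $childOus) {
    $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
    if ($acl.AreAccessRulesProtected) {
        Write-Host "Inheritance blocked on $($ou.DistinguishedName); applying self-permission"
        Set-LapsADComputerSelfPermission -Identity $ou.DistinguishedName | Out-Null
    }
    else {
        Write-Host "Inheritance enabled on $($ou.DistinguishedName); nothing to do"
    }
}

# Review step: list the principals holding the extended right to read LAPS passwords
# under this OU. Anything other than the intended admin groups should be investigated.
Find-LapsADExtendedRights -Identity $RootOu | Format-Table -AutoSize
```

Read access for the designated admin groups is granted separately with Set-LapsADReadPasswordPermission, which is not covered by the self-permission command above.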

Verifying LAPS Configuration

Wait until a Group Policy update has occurred on the servers enabled for Windows LAPS, or run

gpupdate /force

You can now verify and check for the LAPS password.

Get-LapsADPassword -Identity "file-2025" -AsPlainText
Windows LAPS Password for Server “file-2025”
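Querying one server by name confirms the setup; checking the whole OU shows which machines have not applied the policy yet or hold an expired password. This is an added example, not part of the original article: it assumes the ActiveDirectory and LAPS modules, reuses the Servers OU from the article, and deliberately never retrieves the clear-text password.

```powershell
# Added example: audit the LAPS state of every computer in the Servers OU without
# exposing any password (no -AsPlainText), then show how to force an early rotation.
Import-Module ActiveDirectory
Import-Module LAPS

$RootOu = 'OU=Servers,OU=Germany,OU=Europe,DC=ad,DC=hartiga,DC=de'  # OU from the article
$now    = Get-Date

$report = foreach ($c in Get-ADComputer -SearchBase $RootOu -Filter *) {
    # Returns metadata (account, source, expiry); the Password property stays a SecureString.
    $p = Get-LapsADPassword -Identity $c.DistinguishedName -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.ExpirationTimestamp) {
        # No LAPS attributes yet: the GPO has not been processed or the self-permission is missing.
        [pscustomobject]@{ Computer = $c.Name; Account = '-'; Source = '-'; Expires = $null; State = 'NO LAPS PASSWORD' }
        continue
    }
    $state = if ($p.ExpirationTimestamp -lt $now) { 'EXPIRED' } else { 'ok' }
    [pscustomobject]@{
        Computer = $c.Name
        Account  = $p.Account
        Source   = $p.Source              # EncryptedPassword when AD password encryption is on
        Expires  = $p.ExpirationTimestamp
        State    = $state
    }
}
$report | Sort-Object State, Computer | Format-Table -AutoSize

# After a retrieved password has been used (e.g. for file-2025 above), move its expiry to
# now so the client rotates it at the next policy cycle instead of waiting for the age limit.
Set-LapsADPasswordExpirationTime -Identity 'file-2025' -WhenEffective $now
```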

Conclusion

Windows LAPS is a powerful tool for securing local administrator accounts by centralizing password management and automating password rotation. By following the steps outlined above and ensuring proper configuration and permissions, you can significantly enhance the security of your IT environment.

In today’s security-conscious world, tools like Windows LAPS are essential for maintaining compliance and protecting against unauthorized access. By integrating LAPS into your security strategy, you can ensure that your local administrator accounts are well-protected and managed efficiently, reducing the risk of security breaches and improving overall network security.

IMPORTANT: This is a very basic article on Windows LAPS. If you want to enable it, please make sure that you involve all groups in your organization, e.g. IT Security, Server Teams and Helpdesk Teams, create a Role-Based Access Control design, and carefully implement the settings across the OUs containing clients and servers. If done incorrectly or with a lack of communication, you might cause business impacts or security incidents. Use test systems.

Andreas Hartig - MVP - Cloud and Datacenter Management, Microsoft Azure