Chapter 12 – Windows LAPS (Local Administrator Password Solution)

 Windows Server Group Policy (GPO) Master Handbook

Chapter 12 – Windows LAPS (Local Administrator Password Solution)

Learning Objectives

Understand Windows LAPS architecture, deployment through Group Policy, password backup, retrieval, rotation, and troubleshooting.

1. What is Windows LAPS?

Windows LAPS automatically manages the password of the local administrator account on domain-joined or Microsoft Entra joined devices. Each device receives a unique, randomly generated password that is rotated automatically according to policy.

2. Benefits

• Eliminates shared local administrator passwords
• Protects against lateral movement attacks
• Automatic password rotation
• Centralized password backup
• Auditing and access control

3. Group Policy Path

Computer Configuration → Administrative Templates → System → LAPS

4. Prerequisites

Windows LAPS supported version, updated schema (for AD backup), appropriate administrative permissions, Group Policy Management Console, and healthy Active Directory replication.

5. Configure Windows LAPS

Enable password backup, configure password age, password length, complexity, managed account name, and post-authentication actions.

6. Password Backup Options

Back up passwords to Active Directory or Microsoft Entra ID. Limit password read permissions to authorized administrators only.

7. Recommended Enterprise Settings

Password Length: 15–20 characters
Complexity: Large letters, small letters, numbers, special characters
Password Age: 30 days
Backup: Active Directory or Microsoft Entra ID
Post-authentication reset: Enabled

8. PowerShell Commands

Get-LapsADPassword
Get-LapsAADPassword
Update-LapsADSchema
Reset-LapsPassword
Get-Command -Module LAPS

9. Troubleshooting

Verify the LAPS policy is applied using gpresult /h, confirm the schema is updated, check Event Viewer, ensure the managed account exists, verify backup location, and test password retrieval with an authorized account.

10. Security Best Practices

Delegate password read permissions to a limited security group, enable auditing, rotate passwords automatically, avoid shared administrator accounts, and regularly review LAPS configuration.

11. Common Event IDs

Review the Windows LAPS operational log in Event Viewer for password processing, backup, rotation, and policy application events.

12. Interview Questions

What is Windows LAPS? Why is it better than a common local Administrator password? Where are passwords stored? How do you retrieve a password? How do you rotate passwords immediately?

13. Practical Lab

Deploy a Windows LAPS GPO, update the AD schema (if required), configure password backup to Active Directory, force a policy refresh, retrieve the managed password, and verify automatic rotation.

Windows LAPS Policy Reference

Policy

Recommended

Purpose

Enable password backup

Enabled

Store password securely

Password backup directory

Active Directory / Microsoft Entra ID

Central storage

Password age

30 days

Automatic rotation

Password length

15–20

Strong passwords

Password complexity

All character types

Security

Post-authentication actions

Enabled

Rotate after use

Managed account

Administrator or custom

Managed local admin

Microsoft Learn References

Windows LAPS Overview

Deploy Windows LAPS

Windows LAPS PowerShell Module

Windows LAPS Group Policy Settings

Comments

Popular posts from this blog

IIS Installation and Application configuration windows swerver

IIS Self Signed

Here’s a step-by-step guide on configuring WDS on Windows Server