
Microsoft LAPS

Ace Jerraldven C. Enoc 420 Reputation points
2026-04-11T14:38:06.7966667+00:00

Does Active Directory have a built-in LAPS setup? And how does it work? Thanks.


Answer accepted by question author
  Q&A Assist
    2026-04-11T14:38:23.0333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows doesn’t enable LAPS “by default,” but modern Windows and Active Directory include Windows Local Administrator Password Solution (Windows LAPS) as a built‑in feature that can be turned on and centrally managed.

    Summary of how it works

    1. Purpose
      • Windows LAPS automatically manages the password of a local administrator account on domain‑joined or Microsoft Entra‑joined devices.
      • It regularly rotates the password and securely backs it up to either:
        • Windows Server Active Directory, or
        • Microsoft Entra ID.
      • It helps protect against pass‑the‑hash and lateral‑movement attacks by ensuring each device has a unique, strong local admin password.
    2. Where it lives / prerequisites
      • The LAPS client functionality is built into supported Windows versions (Windows 10/11 and Windows Server with the April 11, 2023 update or later).
      • For storing passwords in Windows Server Active Directory:
        • The AD schema must be prepared/extended for Windows LAPS attributes.
        • Domain functional level (DFL) determines capabilities:
          • DFL earlier than 2016: only clear‑text storage in AD (protected by ACLs), no password encryption, no DSRM account management.
          • DFL 2016 with mixed DCs: supports encrypted storage for domain‑joined clients; DSRM management only for Server 2019+ DCs.
          • DFL 2016 with only Server 2019+ DCs: full support (clear‑text or encrypted storage, plus DSRM account management).
    3. Basic architecture
      • Managed device: runs the LAPS components (laps.dll, lapscsp.dll, lapspsh.dll) and applies policy via Group Policy or the LAPS CSP (MDM/Intune).
      • Directory:
        • Windows Server Active Directory: stores the LAPS password and metadata as attributes on the computer object.
        • Microsoft Entra ID: alternative storage for cloud‑joined/hybrid devices.
      • Admin tools: AD Users and Computers snap‑in (LAPS property page) and PowerShell cmdlets (for retrieval, history, and automation).
    4. How it works end‑to‑end with Active Directory
      a. Prepare Active Directory
      • Copy the Windows LAPS Group Policy template to the Group Policy Central Store (if used).
      • Extend the AD schema for Windows LAPS attributes (if not already done).
      • Configure AD permissions so only authorized admins/groups can:
        • Read/decrypt stored passwords.
        • Force password expiration/rotation.
      b. Configure device policy
      • Choose how to deploy policy:
        • Group Policy (most common for AD‑joined devices), or
        • Intune using the Windows LAPS CSP for hybrid‑joined devices.
      • At minimum, set:
        • BackupDirectory = 2 to back up passwords to Windows Server Active Directory.
      • Account selection:
        • If AdministratorAccountName is not configured, LAPS manages the built‑in local Administrator account (identified by its well‑known RID, not by name).
        • To manage a custom local admin account, set AdministratorAccountName to that account name and ensure the account exists (for example, via RestrictedGroups CSP). LAPS does not create the account.
      • Optional settings include password length, complexity, rotation interval, encryption principal, and post‑authentication actions.
      c. Password lifecycle on the client
      • The LAPS client on each device periodically evaluates policy (Group Policy or CSP) during background policy refresh.
      • When the password is due to expire (or is manually expired by an admin), LAPS:
        • Generates a new random password according to policy.
        • Sets the local administrator account password on the device.
        • Writes the password and metadata (expiration time, history if enabled) to the computer object in AD.
        • If encryption is enabled and supported by the domain, encrypts the password so only authorized principals (for example, Domain Admins or a specified group via ADPasswordEncryptionPrincipal) can decrypt it.
      d. Retrieval and management by admins
      • AD Users and Computers (LAPS property page) for a computer object allows authorized admins to:
        • View current password expiration time.
        • Modify or immediately expire the password expiration time.
        • View/copy the current account name and password (if they have read/decrypt permissions).
        • Note: this UI only shows the most recent password; older passwords (if history is enabled) require the Get-LapsADPassword PowerShell cmdlet.
    5. Intune and Azure Arc integration (optional)
      • Intune can manage LAPS settings via endpoint security policies (Account protection) using the LAPS CSP, including:
        • Password requirements.
        • Rotation schedule.
        • Backup to AD or Microsoft Entra.
      • LAPS for Azure Arc (preview) extends centralized configuration/compliance for servers and clients connected via Azure Arc.

    In short, Active Directory does not “auto‑configure” LAPS, but once AD is prepared and policy is configured, Windows LAPS becomes a built‑in, directory‑integrated solution that automatically rotates and stores local admin passwords on each domain‑joined device.


Answer accepted by question author
  Jason Nguyen Tran 16,045 Reputation points Independent Advisor
    2026-04-11T15:36:59.2033333+00:00

    Hi Ace Jerraldven C. Enoc,

    To answer directly: yes, Active Directory now has a built‑in Local Administrator Password Solution (LAPS) capability, but it depends on the version of Windows Server and the updates applied. In earlier days, LAPS was a separate Microsoft download, but starting with newer builds of Windows (including Windows Server 2019 and later, with updates), LAPS functionality is integrated directly into Active Directory.

    Here’s how it works: LAPS automatically manages the local administrator password on each domain‑joined computer. It generates a unique, random password per machine, stores it securely in Active Directory, and allows authorized administrators to retrieve it when needed. This means you don’t have to worry about shared or static local admin passwords across your environment. The passwords are rotated regularly, reducing the risk of lateral movement attacks.

    Configuration involves extending the AD schema with the necessary attributes, setting up Group Policy to enable LAPS management, and defining which users or groups can read the stored passwords. Once enabled, the process is automatic—each machine updates its local admin password and writes it back to AD.

    I hope the response provided some helpful insight. If it addressed your issue, please consider marking it as Accept Answer so others facing the same problem can easily find the solution. If you need any further assistance, feel free to leave a comment.

    Jason.

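The end‑to‑end procedure both answers describe (schema extension, permissions, Group Policy, client rotation, retrieval), written out as one PowerShell walkthrough. This is an added example, not code from either answer or from Microsoft's documentation. All names in it are assumptions: the domain contoso.com, the OU "Workstations", the reader group CONTOSO\LAPS-Readers, the GPO name, and the computer WS01. Steps 1 to 3 run on a domain controller or an RSAT management host as a Schema Admin (for step 1) and Domain Admin; step 4 runs on the managed client; step 5 runs as a member of the reader group. The cmdlets are the ones shipped in the Windows LAPS PowerShell module (module name LAPS) and the GroupPolicy module.

```powershell
# Added example, not from the answers above. Assumed names: contoso.com, OU=Workstations,
# CONTOSO\LAPS-Readers, GPO "Windows LAPS - Workstations", computer WS01.
Import-Module LAPS
Import-Module GroupPolicy

$ou      = 'OU=Workstations,DC=contoso,DC=com'
$readers = 'CONTOSO\LAPS-Readers'            # group allowed to read/decrypt and to force rotation
$gpoName = 'Windows LAPS - Workstations'

# 1. Prepare AD: extend the schema once per forest (adds the msLAPS-* attributes).
Update-LapsADSchema -Verbose

# 2. Permissions. Computers in the OU need SELF write access to their own LAPS attributes.
#    Only the reader group gets the read/decrypt right and the right to expire a password.
Set-LapsADComputerSelfPermission  -Identity $ou
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $readers

# Audit who holds the extended rights on the OU. Anything beyond SELF, the reader group
# and the built-in admin groups is a finding to clean up before passwords land here.
Find-LapsADExtendedRights -Identity $ou | Format-Table -AutoSize

# 3. Policy. The Windows LAPS ADMX settings are registry-backed under this key, so the GPO
#    can be built from PowerShell instead of the GPMC editor. Values follow the policy names.
$key = 'HKLM\Software\Microsoft\Policies\LAPS'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }

$settings = @{
    BackupDirectory                     = 2     # 2 = Windows Server Active Directory
    PasswordLength                      = 20    # default 14; allowed range 8..64
    PasswordComplexity                  = 4     # upper + lower + digits + special
    PasswordAgeDays                     = 30
    ADPasswordEncryptionEnabled         = 1     # needs 2016 DFL; stored clear-text (ACL-protected) otherwise
    PasswordExpirationProtectionEnabled = 1     # client refuses an expiry longer than PasswordAgeDays
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
}
# Who may decrypt (string value; defaults to Domain Admins when unset).
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ADPasswordEncryptionPrincipal' -Type String -Value $readers | Out-Null
# AdministratorAccountName is deliberately left unset: LAPS then manages the built-in
# Administrator account, found by its RID (500) even if the account has been renamed.
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null

# 4. On a managed client (e.g. WS01), after gpupdate /force: process policy immediately,
#    confirm which local account is the RID-500 account, and read the LAPS operational log.
Invoke-LapsPolicyProcessing -Verbose
$rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
"Managed (RID 500) account on this host: $($rid500.Name)"
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message

# 5. Retrieval by a member of LAPS-Readers: current password and expiry, the history
#    (only visible from PowerShell, not the ADUC property page), then an immediate expiry
#    that makes the client rotate on its next policy cycle.
Get-LapsADPassword -Identity 'WS01' -AsPlainText
Get-LapsADPassword -Identity 'WS01' -AsPlainText -IncludeHistory
Set-LapsADPasswordExpirationTime -Identity 'WS01'     # no -WhenEffective means "expire now"
```

Two checks worth keeping in a runbook: the `Find-LapsADExtendedRights` output is the real access list for the stored passwords, regardless of what the GPO says, and `Get-LapsADPassword` should return an encrypted entry (not clear text) once `ADPasswordEncryptionEnabled` is in effect; if the client still writes clear text, the domain functional level is below 2016 and the encryption setting is being ignored, as the first answer's DFL table describes.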
