This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 4%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Hi All, Please advise if it is recommended to link the LAPS group policy at the domain level? what is the implication of doing it? Local administrator password solution Please provide the supporting Microsoft Learn on this question. Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
If there are any updates, welcome to share here!
Please feel free to let us know if you have any questions further.
Best Regards,
Hi,
I tried to find some Microsoft Learn on this question, but without luck.
Based on my research, LAPS group policy is based on computer configuration, you can deploy the policies on the OUs which containing PCs you want to manage through the LAPS, no need to deploy all the LAPS related GPO on the domain level.
Operation details can be found in the operations guide
https://download.microsoft.com/download/C/7/A/C7AAD914-A8A6-4904-88A1-29E657445D03/LAPS_OperationsGuide.docx
Best Regards,
Thank you for the answer
I agree LAPS group policy is based on the computer configuration. However I wanted to see what Microsoft says about this situation, there are environments where we have very dense OU structure and chances of missing the computer from LAPS coverage. In this case, can we link it to the domain? Since its a computer policy it will apply only to the computer objects.
Kindly advice
Hi,
Yes, if you want to apply the LAPS policies to all the computers, the GPO can be linked to the Domain level.
You may also want to filter the policies for some specific computer, in this situation , you can use the security filter.
Best Regards.
reading several related discussions, it seems caution may be needed in case you link the LAPS GPO where it would be inherited/applied to the Domain Controllers, as the 'Domain Administrator' account might be affected by automatic pwd changes...
It needs 3 conditions to get LAPS functional.
If LAPS GPO is linked on Domain Level it will not effect the systems, without condition 1 and 2. There is no impact or problem to link it there. Afraid of your DCs? No worry, simply do not install LAPS on them and do not grant SELF WRITE permission.