How to Deploy Microsoft LAPS


Securing privileged accounts is a central concern for security teams, and Active Directory (AD), Microsoft’s identity and access management service, is the backbone of most Windows organizations. AD centralizes user accounts, computers, and resources and enforces access control, while the built-in local Administrator account on each Windows system holds full control of that system. A shared or predictable local administrator password lets an attacker who compromises one machine reuse that credential on every other machine that shares it, so these passwords demand deliberate protection to prevent unauthorized access.

What is Microsoft LAPS?

Microsoft’s Local Administrator Password Solution (LAPS) addresses this weakness by giving the local administrator account on each domain-joined computer its own random, complex password, storing that password in Active Directory on the computer’s own object where access is governed by ACLs, and rotating it automatically on a schedule you define.

This guide’s aim is to equip you with the knowledge and practical skills needed to deploy and utilize Microsoft LAPS effectively. By the end of this journey, you will understand the importance of secure password management in Active Directory environments and have the expertise to implement LAPS as a robust solution.

Why use Microsoft LAPS?

LAPS provides a means to centrally manage local admin passwords, and doing so has three key advantages:

LAPS security

LAPS’ core value lies in transforming the way local administrator passwords are treated. This shift fortifies an organization’s security posture by removing shared local administrator passwords and minimizing the blast radius of a single compromise in the following ways:

  • Randomized, unique local admin passwords: LAPS ensures that the local administrator account on every computer in your organization has a unique, complex password. These passwords are rotated on a schedule, so a leaked password has a limited lifetime.
  • Enhanced security posture: Because no two machines share a local administrator password, a credential or hash stolen from one workstation no longer lets an attacker log on to the others. This breaks the pass-the-hash style lateral movement that shared local administrator passwords make trivial.

Regulatory compliance

Many regulatory frameworks require organizations to enforce unique, managed privileged credentials. LAPS supports those requirements in programs such as HIPAA, GDPR, and PCI DSS, but it is one control among several rather than compliance by itself.

Streamlined password management in Active Directory environments

Managing local administrator passwords across a large fleet of computers is a massive task that traditionally called for significant manual effort. LAPS automates the generation, rotation, and storage of these passwords within Active Directory, so the work is reduced to defining the policy and delegating who may read the result.

Pre-requisites and system requirements for LAPS

Before looking at the installation and configuration of LAPS, it is important to ensure your environment is suitable for a deployment. Areas to consider include:

  • Supported Windows versions: The original LAPS (the AdmPwd installer this guide covers) supports Windows 7 and Windows Server 2008 R2 onward, including Windows 10, Windows 11, and Windows Server 2016 through 2022. The newer Windows LAPS, built into Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 from the April 2023 cumulative update onward, needs no separate installer but uses a different PowerShell module and different schema attributes; the steps in this guide are for the original version.
  • Active Directory compatibility: LAPS stores each password on the computer’s own AD object, so the computers you want to manage must be joined to an Active Directory domain, and the forest schema must be extended once before any password can be written.
  • Required permissions and roles for LAPS deployment: Extending the schema requires membership of the Schema Admins group; delegating permissions on OUs requires the right to modify those OUs’ ACLs; and deploying the settings requires the right to create and link Group Policy objects.

How to download and install LAPS

The installation and configuration of LAPS is straightforward and wizard-driven. Follow the stages below to successfully deploy LAPS in your environment:

Download the LAPS software

Download the LAPS installer from Microsoft’s official website to ensure that you have the current version. Always verify the source of the download and check that the MSI carries a valid Microsoft digital signature before executing it; a trojanized installer here would run with administrative rights on your management host.

LAPS installation steps

The installation of the original LAPS has two halves: the Management Tools (PowerShell module, fat client UI, and Group Policy templates) go on an administrator’s workstation or management server, and the AdmPwd GPO Extension (the client-side extension, or CSE) goes on every computer whose local administrator password is to be managed. These are the required steps:

  1. Run the installer: Execute the LAPS MSI on the management computer with administrative privileges.
  2. Select installation components: On the features screen, select “Management Tools”. Leave “AdmPwd GPO Extension” selected only if you also want the local administrator password of this management computer managed; the CSE is what every managed client needs, and it is deployed to the clients separately (see the Group Policy section below). Domain controllers need no component installed, since the original LAPS manages no account on them.
  3. Schema extensions: Extend the Active Directory schema once per forest, from a session running as a member of Schema Admins: Import-Module AdmPwd.PS, then Update-AdmPwdADSchema. This adds the ms-Mcs-AdmPwd attribute (the password, marked confidential) and the ms-Mcs-AdmPwdExpirationTime attribute to the computer class.
  4. Assign permissions: Grant each computer write access to its own two attributes with Set-AdmPwdComputerSelfPermission, and grant read access to the password only to the groups that should retrieve it with Set-AdmPwdReadPasswordPermission. Then run Find-AdmPwdExtendedRights, because any principal holding “All extended rights” on the OU can read the password regardless of your delegation.
  5. Set password parameters: Password complexity, length, and age are not set by the installer; define them in the Group Policy object described below, and make sure they match your organization’s security policy.
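The server-side half of the procedure above, as an added example that is not part of the original article. It assumes the Management Tools are installed so the AdmPwd.PS module is available, that the session runs as a member of Schema Admins for the schema step, and that the OU and group names are placeholders to replace with your own.

```powershell
# Added example (not from the original article): one-time server-side setup
# for the original LAPS. Assumes AdmPwd.PS (Management Tools) is installed and
# the caller is in Schema Admins. OU and group names below are placeholders.
Import-Module AdmPwd.PS

$ouWorkstations = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$ouServers      = 'OU=Servers,DC=corp,DC=example'        # assumed OU
$readGroup      = 'CORP\LAPS-Password-Readers'           # assumed group
$resetGroup     = 'CORP\LAPS-Password-Resetters'         # assumed group

# 1. Extend the schema once per forest. Adds ms-Mcs-AdmPwd (confidential) and
#    ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

foreach ($ou in @($ouWorkstations, $ouServers)) {
    # 2. Each computer (SELF) gets write access to its own two attributes so
    #    the CSE can store a new password and expiration time.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou

    # 3. Only the read group may retrieve the password.
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $readGroup

    # 4. The reset group may force an early rotation by writing the
    #    expiration time; it does not get to read the password.
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetGroup

    # 5. Anyone holding "All extended rights" on the OU can read the
    #    confidential attribute regardless of step 3. List them and remove
    #    the right from anything that is not a tier-0 principal.
    Find-AdmPwdExtendedRights -Identity $ou |
        Select-Object -ExpandProperty ExtendedRightHolders |
        ForEach-Object { '{0} holds All extended rights on {1}' -f $_, $ou }
}
```

Run the schema step once and the loop once per OU that contains managed computers. Re-run Find-AdmPwdExtendedRights whenever an OU’s ACL changes, since a later delegation of “Full Control” to a helpdesk group silently grants password read.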

Verifying the installation

After the installation, confirm that LAPS is functioning correctly and that the schema extension has been applied. Check that the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes exist in the schema; then, once at least one client has the CSE installed and the policy applied, retrieve its password with Get-AdmPwdPassword (or the LAPS UI fat client) using an account that has been delegated read access. An empty password with a populated expiration time means the account you are using lacks read permission; an empty expiration time means the client has not yet written one.

Deploying LAPS in Active Directory

Configuring LAPS in your Active Directory environment means getting the client-side extension onto the managed computers and linking a Group Policy object that turns management on and sets the password policy. Installing the Management Tools places the AdmPwd.admx and .adml templates in your PolicyDefinitions store, which adds the following settings under Computer Configuration > Policies > Administrative Templates > LAPS:

  • Password Settings: complexity, length, and maximum age in days (the rotation interval).
  • Name of administrator account to manage: leave this unconfigured when the built-in Administrator account (RID 500) is the target, even if it has been renamed; set it only for a separately created local administrator account.
  • Do not allow password expiration time longer than required by policy: enable this so an expiration time set locally cannot exceed the policy’s maximum age.
  • Enable local admin password management: the master switch; nothing is rotated until it is Enabled.

The CSE itself (the LAPS MSI with only the AdmPwd GPO Extension feature selected) can be pushed with Group Policy software installation or with whatever deployment tool you already use; the settings above have no effect on a computer that lacks it.

Once client-side setup is complete, verify that LAPS is working as intended and that passwords are correctly stored in Active Directory.
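The verification described in the two sections above, as an added example that is not part of the original article: one function to run on a managed client and one to run on the management host. It assumes AdmPwd.PS and the ActiveDirectory module on the management host, the default CSE install directory on the client, and a placeholder OU name; the registry path and value names are the ones the LAPS policy settings write.

```powershell
# Added example (not from the original article): verify a LAPS deployment.
# Test-LapsClient runs on a managed client; Test-LapsOu runs on the management
# host with AdmPwd.PS and ActiveDirectory. The OU is a placeholder.

function Test-LapsClient {
    # Values written by the LAPS GPO settings once Group Policy has applied.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    # CSE location, assuming the default install directory.
    $cse = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    $p   = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CseInstalled    = Test-Path $cse
        PolicyApplied   = $null -ne $p
        AdmPwdEnabled   = $p.AdmPwdEnabled          # 1 = management switched on
        PasswordLength  = $p.PasswordLength
        PasswordAgeDays = $p.PasswordAgeDays
        # The CSE reports failures to the Application log under source "AdmPwd".
        RecentCseErrors = @(Get-WinEvent -FilterHashtable @{
                                LogName = 'Application'; ProviderName = 'AdmPwd'; Level = 2
                            } -MaxEvents 10 -ErrorAction SilentlyContinue).Count
    }
}

function Test-LapsOu {
    param([string]$OrgUnit = 'OU=Workstations,DC=corp,DC=example')   # assumed OU
    Import-Module AdmPwd.PS
    Import-Module ActiveDirectory

    # 1. Both LAPS attributes must exist in the forest schema.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        if (-not (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(cn=$attr)")) {
            throw "Schema attribute $attr is missing; run Update-AdmPwdADSchema first."
        }
    }

    # 2. Per-computer state. ExpirationTimestamp is readable by any domain
    #    account, but Password comes back only if the caller was delegated
    #    read access. HasPassword=$false with a future Expires therefore points
    #    at the caller's permissions, not at a broken client.
    Get-ADComputer -SearchBase $OrgUnit -Filter * | ForEach-Object {
        $r = Get-AdmPwdPassword -ComputerName $_.Name
        [pscustomobject]@{
            Computer    = $_.Name
            HasPassword = -not [string]::IsNullOrEmpty($r.Password)
            Expires     = $r.ExpirationTimestamp
            Expired     = ($null -ne $r.ExpirationTimestamp) -and
                          ($r.ExpirationTimestamp -lt (Get-Date))
            NeverRan    = ($null -eq $r.ExpirationTimestamp)   # CSE has not written yet
        }
    }
}

# On the management host:  Test-LapsOu | Format-Table -AutoSize
# On a managed client:     Test-LapsClient
```

A computer that shows NeverRan has either not received the CSE or not applied the policy; run Test-LapsClient on it. To force an immediate rotation on one machine for testing, run Reset-AdmPwdPassword -ComputerName <name> on the management host and then gpupdate /target:computer /force on that client, after which Test-LapsOu should show a new expiration time.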

Best practices for using LAPS

Follow the best practices below for a secure and effective LAPS deployment:

  • Set up auditing and tracking: Enable auditing of password reads with Set-AdmPwdAuditing on each managed OU. With the Audit Directory Service Access subcategory enabled on the domain controllers, every read of ms-Mcs-AdmPwd then produces Security event 4662 on the DC that answered the query. Forward those events to your SIEM and review who reads passwords and how often; this is essential for both investigations and compliance evidence.
  • Configure access controls: Stored local administrator passwords are a valuable target for attackers. In the original LAPS the password is held in clear text in ms-Mcs-AdmPwd and is protected only by the attribute being marked confidential and by the OU ACL, so keep the read delegation narrow, check Find-AdmPwdExtendedRights for principals holding “All extended rights”, and treat domain controllers and AD backups as holding every local administrator password in the domain. Windows LAPS can additionally encrypt the stored password to a chosen principal.
  • Schedule maintenance and updates: Keep the CSE and the management tools at the latest release. Review the delegation and password policy regularly, and re-run the extended-rights audit whenever OU ACLs change.
  • Troubleshoot common issues: The CSE logs to the Application event log under the source AdmPwd on each client. The usual causes of a missing password are the CSE not being installed, the policy not being applied (check gpresult), the computer lacking write permission on its own attributes (run Set-AdmPwdComputerSelfPermission for its OU), or simply that the current expiration time has not yet passed (force a rotation with Reset-AdmPwdPassword followed by gpupdate on the client).
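The auditing and access-control practices above, as an added example that is not part of the original article: it turns on read auditing for the password attribute and pulls the resulting events from a domain controller. It assumes AdmPwd.PS and the ActiveDirectory module, that Audit Directory Service Access is enabled on the DCs, remote event-log access to the DC, and a placeholder OU; the 4662 field positions are taken from that event’s standard template.

```powershell
# Added example (not from the original article): audit who reads LAPS passwords.
# Assumes AdmPwd.PS, the ActiveDirectory module, Audit Directory Service Access
# enabled on the DCs, and remote event-log access. OU is a placeholder.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'   # assumed OU

# 1. Add a SACL entry so every read of ms-Mcs-AdmPwd under the OU is logged
#    as Security event 4662 on the DC that served the query.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals 'Everyone'

# 2. Event 4662 names the attribute by its schemaIDGUID, not by name, so
#    resolve the GUID from the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=ms-Mcs-AdmPwd)' `
                         -Properties schemaIDGUID
$pwdGuid  = ([guid]$attr.schemaIDGUID).Guid

function Get-LapsPasswordReads {
    param(
        [string]$DomainController = $env:COMPUTERNAME,   # a DC; assumed reachable
        [int]$Hours = 24
    )
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      # Keep only 4662 events whose Properties field lists the password attribute.
      Where-Object { $_.Message -match $pwdGuid } |
      ForEach-Object {
        # 4662 template order: SubjectUserSid(0), SubjectUserName(1),
        # SubjectDomainName(2), SubjectLogonId(3), ObjectServer(4),
        # ObjectType(5), ObjectName(6), ...
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Reader = '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value
            Object = $_.Properties[6].Value     # computer object, as logged by the DC
        }
      }
}

# Who read passwords in the last day, most active first.
Get-LapsPasswordReads | Group-Object Reader | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each DC logs only the reads it served, so query every DC (or, better, centralize Security logs) before concluding nobody read a password. A reader that is not in the delegated read group is either a principal with “All extended rights” on the OU or a sign of compromise; either way, act on it.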

Safeguard Windows environments with LAPS

LAPS does more than protect local administrator passwords: by removing shared credentials it blocks the most common form of lateral movement between Windows machines. Implement Microsoft LAPS to safeguard your Windows environment from unauthorized access while supporting your compliance obligations.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and back up all of your devices centrally, remotely, and at scale.
