Windows Security – Part 1 | Managing Local Administrator Passwords with Windows LAPS

Hello everyone,

Today I plan to set up Windows LAPS on Windows Server 2025 and test it on a Windows 11 client. We will implement this for the new company I’m working at, so before deploying it into a production environment, I would like to test it.

So, what is LAPS? Windows Local Administrator Password Solution (Windows LAPS) is the successor to the legacy Microsoft LAPS. It has been built into Windows 10/11, Windows Server 2019 and later since the April 11, 2023 security update, so there is no separate download anymore.

LAPS automatically rotates the password of one local administrator account on each of those platforms and backs it up to Active Directory, in msLAPS-* attributes on the computer’s own object, where only authorized principals can read it. Unlike legacy Microsoft LAPS, we don’t need to install an agent or MSI on the clients. The only thing you might have to copy is the LAPS.admx/adml template into the Group Policy central store, if the store was created before April 2023 and does not contain it yet.

Ok, let’s begin.

I am assuming a working Windows Server environment with a running domain controller and domain members. Also, like I mentioned earlier, I will be using Windows Server 2025 for this. You can check out this post if you want to see how to deploy a Domain Controller.

Hostname   Function                 Address
DC-01      Domain Controller, DNS   10.10.0.250
FILE-01    Fileserver               10.10.0.251

Prerequisites

The set-up is actually not too difficult, especially since we don’t need to install any additional agent on the clients. But we need to execute a few commands to “enable” the feature in Active Directory.

On the domain controller, run a PowerShell as administrator and import the LAPS module.

PS C:\Users\Administrator> Import-Module LAPS

Update the schema. This has to be done once per forest and requires an account that is a member of Schema Admins; the cmdlet finds the schema master on its own.

PS C:\Users\Administrator> Update-LapsADSchema -Verbose

This adds the msLAPS-* attributes (msLAPS-Password, msLAPS-PasswordExpirationTime, msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory, msLAPS-EncryptedDSRMPassword, msLAPS-EncryptedDSRMPasswordHistory) to the computer class. You can find them on the “Attribute Editor” tab of any computer object in “Active Directory Users and Computers” once “Advanced Features” is turned on in the View menu.

Alright. Next, we need to grant the computer objects permission to write their own password and expiration attributes. Without this, the client rotates the password locally but cannot back it up, and you lock yourself out.

For this, we execute the following command. It is set per organizational unit (OU), and the access control entry is inherited, so either run it for every OU you want to use LAPS on, or run it once on a parent OU that contains all of them.

PS C:\Users\Administrator> Set-LapsADComputerSelfPermission -Identity "OU=Server,OU=Random-it-blog,DC=random-it-blog,DC=de"
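As an added example (not part of the original post), here is the whole AD-side preparation as one PowerShell script, extended with a delegation step the post does not cover: instead of relying on Domain Admins, a dedicated group gets the read and reset rights, and the script verifies the result with Find-LapsADExtendedRights. The group name LAPS-Server-Readers is an assumption; create it before running this.

```powershell
# Added example, not from the original post. AD-side Windows LAPS preparation
# with least-privilege delegation. Run on the DC as an account that is a member
# of Schema Admins (for step 1) and Domain Admins (for the ACL changes).
Import-Module LAPS

$ServerOU      = "OU=Server,OU=Random-it-blog,DC=random-it-blog,DC=de"
$HelpdeskGroup = "RANDOM-IT-BLOG\LAPS-Server-Readers"   # assumed group, create it first

# 1. Extend the schema once per forest. The cmdlet targets the schema master itself.
Update-LapsADSchema -Verbose

# 2. Let the computers in the OU write their own msLAPS-* attributes.
#    The ACE is inherited, so one call on a parent OU covers every child OU.
Set-LapsADComputerSelfPermission -Identity $ServerOU

# 3. Delegate read and reset (expire) rights to a dedicated group instead of
#    leaving Domain Admins as the only principal that can use the passwords.
Set-LapsADReadPasswordPermission  -Identity $ServerOU -AllowedPrincipals $HelpdeskGroup
Set-LapsADResetPasswordPermission -Identity $ServerOU -AllowedPrincipals $HelpdeskGroup

# 4. Verify: list every principal holding the LAPS extended rights on the OU.
#    Anything unexpected here (e.g. a broad "Authenticated Users" entry from an
#    old delegation) can read clear-text local admin passwords.
Find-LapsADExtendedRights -Identity $ServerOU | Format-Table -AutoSize
```

One caveat a practitioner should know before handing the group to the helpdesk: the ACL only controls who may read the attribute. When passwords are stored encrypted (the default on a 2016 or later domain functional level, and what the “Source : EncryptedPassword” line later in this post shows), only the principal named in the “Configure authorized password decryptors” policy, Domain Admins by default, can actually decrypt them. So that policy has to name the delegated group as well, otherwise Get-LapsADPassword fails to decrypt for its members.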

Group Policy Configuration

Create the group policy

Now, we need to create a new group policy in the “Group Policy Management”.

Give it a name and click on “OK”. For the naming convention, I will be using a combination of the purpose, whether it applies to clients, servers or users, the function, and whether it is a user or computer configuration. For example:

GPO naming convention

(Purpose) – (Workstation, Server, User) – (Function) – (User or Computer configuration)
Security – Server – LAPS configuration – (C)
General – User – Network drive mapping – (U)
General – Client_Server – Wallpaper – (C)

This worked fine for me so far, but if you have a better way, please let me know.

GPO Configuration

Edit the new policy.

Navigate to “Computer Configuration – Policies – Administrative Templates – System – LAPS”

If you have an older deployment, there might still be a second LAPS folder from the legacy ADMX in the “Administrative Templates”. Those settings belong to the legacy Microsoft LAPS client-side extension and are not the ones we configure here.

In here, I will be setting the following configuration.

“Configure password backup directory” – Here we choose “Active Directory”. Without this setting LAPS does nothing, since the default is “Disabled”.

“Password Settings” – I will set the password complexity to “Large letters + small letters + numbers + specials”, the password length to 14 characters, the password age to 14 days and the passphrase length to 6 words. Note that the passphrase length is only used when the complexity is set to one of the passphrase options; with the complexity chosen here it is ignored.

“Post-authentication actions” – This I will enable, with a grace period of 8 hours and the action “Reset the password, logoff the managed account, and terminate any remaining processes”. This means that once somebody logs on with the managed account, LAPS waits 8 hours, rotates the password, logs that session off and kills any processes left running under the account, so a password that has been handed out does not stay valid until the regular 14-day expiry.

The configuration will look like this.

“Name of administrator account to manage” – (Optional) For this guide, I will be using the default built-in Administrator, so this setting is not required: LAPS finds the built-in account by its well-known RID (500) even if it has been renamed, and Microsoft advises against putting the built-in account’s name here. If we wanted to manage a different local account, we would have to create that account ourselves, since LAPS cannot create it for us, and set its name here.

This is probably how I will set it up in the productive environment, but make sure this fits your needs and adjust the settings accordingly.

Assign the Policy

Now we can link the policy to an OU. I already created one for the servers and one for the clients.

In the “Group Policy Management” copy and paste the new group policy into the OU you want to assign it to or right-click on the OU and select “Link an Existing GPO…”.

Select the new policy we created and confirm.

Ok. Now we need to apply the policy. Right-click on the OU and select “Group Policy Update…”.

This will force a Group Policy refresh on all the computers within the OU. In my case, this would be only the FILE-01 server.

We could also run “gpupdate /force” directly on the server.
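The GUI steps above, from creating the GPO to the forced refresh, as one scripted equivalent. This is an added example, not from the original post: it uses the RSAT GroupPolicy and ActiveDirectory modules on the DC, writes the same settings to the registry key that the LAPS ADMX maps to, and assumes the OU and GPO name from this guide. The numeric values are the ones LAPS.admx defines for the options chosen above; the PostAuthenticationActions value in particular should be cross-checked against the admx in your central store before you rely on it.

```powershell
# Added example, not from the original post. Scripted equivalent of the GPO
# steps: create the GPO, set the Windows LAPS values, link it, force a refresh.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = "Security - Server - LAPS configuration - (C)"
$ServerOU = "OU=Server,OU=Random-it-blog,DC=random-it-blog,DC=de"
# Policy registry location the Windows LAPS ADMX writes to (and the client reads)
$Key      = "HKLM\SOFTWARE\Microsoft\Policies\LAPS"

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment "Windows LAPS, AD backup" }

# Same values as configured in the GUI above. Mappings taken from LAPS.admx;
# PostAuthenticationActions is a bit mask (1 reset, 2 logoff, 8 terminate
# processes), so 11 = reset + logoff + terminate. Verify against your admx.
$settings = @{
    BackupDirectory              = 2    # 2 = Active Directory (1 = Entra ID, 0 = disabled)
    PasswordComplexity           = 4    # 4 = large + small + numbers + specials
    PasswordLength               = 14
    PasswordAgeDays              = 14
    PassphraseLength             = 6    # only used with a passphrase complexity
    PostAuthenticationResetDelay = 8    # hours after a logon with the managed account
    PostAuthenticationActions    = 11   # see comment above
    ADPasswordEncryptionEnabled  = 1    # store encrypted; needs 2016+ domain functional level
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}

# Link the GPO to the server OU if it is not linked yet
$links = (Get-GPInheritance -Target $ServerOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $ServerOU -LinkEnabled Yes | Out-Null
}

# Equivalent of "Group Policy Update..." on the OU: refresh every member now
Get-ADComputer -SearchBase $ServerOU -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0
}

# Review what the GPO now contains
Get-GPRegistryValue -Name $GpoName -Key $Key | Format-Table ValueName, Value -AutoSize
```

Running the script a second time is harmless: the GPO and the link are only created when missing, and the registry values are simply rewritten.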

LAPS Testing

Ok. We are done with the set-up. At this point, we should have the new password for the “Administrator” account. Let’s check it.

Open “Active Directory Users and Computers” and check the properties of the FILE-01 server. Here we select “LAPS”.

Here we can see, that the password has been set.

We can also check this via the PowerShell.

PS C:\Users\Administrator> Get-LapsADPassword -AsPlainText FILE-01
ComputerName : FILE-01
DistinguishedName : CN=FILE-01,OU=Server,OU=Random-it-blog,DC=random-it-blog,DC=de
Account : Administrator
Password : 31$go)V}WgBqU(
PasswordUpdateTime : 02.03.2025 12:30:52
ExpirationTimestamp : 16.03.2025 12:30:52
Source : EncryptedPassword
DecryptionStatus : Success
AuthorizedDecryptor : RANDOM-IT-BLOG\Domain Admins

Copy the password and log on to the FILE-01 server as the local Administrator.

Great. Because we just authenticated with the managed account, the post-authentication action will rotate the password 8 hours from now (and log the account off and terminate its processes); otherwise it is rotated when the 14-day password age expires. We can also expire it manually on the LAPS tab in the computer’s properties, after which the client picks a new password on its next policy cycle.
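As an added example, not from the original post, here are the checks I would run on both sides after the first rotation, plus two ways to force a new password. Host name and OU are the ones from this guide; the first part runs on the managed server, the rest from the DC as an account that holds both the read permission and decryption rights.

```powershell
# Added example, not from the original post. Client- and DC-side verification
# of a Windows LAPS rollout and two ways to force a rotation.

# --- On FILE-01: apply the policy immediately and inspect what arrived ---
Invoke-LapsPolicyProcessing -Verbose

# Effective settings as delivered by the GPO (same key the LAPS ADMX writes to)
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Policies\LAPS" |
    Select-Object BackupDirectory, PasswordComplexity, PasswordLength, PasswordAgeDays,
                  PostAuthenticationResetDelay, PostAuthenticationActions

# Recent LAPS events: policy processing, password updates and, above all, errors
# such as "access denied" when the self-permission on the OU is missing
Get-WinEvent -LogName "Microsoft-Windows-LAPS/Operational" -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# --- From the DC ---
Import-Module LAPS

# Current password plus the encrypted history. The history matters after a
# snapshot rollback of the server, when the current AD copy no longer matches.
Get-LapsADPassword -Identity FILE-01 -AsPlainText -IncludeHistory

# Option 1: expire the password now; FILE-01 rotates it on its next policy cycle
Set-LapsADPasswordExpirationTime -Identity FILE-01

# Option 2: rotate immediately on the client itself (needs WinRM to FILE-01)
Invoke-Command -ComputerName FILE-01 -ScriptBlock { Reset-LapsPassword }

# Confirm the new expiry without printing the password in clear text
(Get-LapsADPassword -Identity FILE-01).ExpirationTimestamp
```

Prefer option 1 for routine work: it leaves the rotation to the client and its normal policy cycle, whereas option 2 requires remote management access to the server.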

Getting the “LAPS.admx” file from a Windows 11 Client

Alright. One more thing. In case the LAPS group policy folder is missing on your domain controller, which happens when the Group Policy central store was created before the template existed, you can take the ADMX from a Windows 11 client. Use a fully patched client, since newer settings such as the passphrase options only exist in newer versions of the template.

For this, navigate to “C:\Windows\PolicyDefinitions” on the Windows 11 client and copy “LAPS.admx” to the central store for group policies on the domain controller: “\\random-it-blog.de\SYSVOL\random-it-blog.de\Policies\PolicyDefinitions”.

Also, make sure to copy the “LAPS.adml” file from the language subfolder (for example “en-US”) into the matching language subfolder of the central store. Without the adml, the Group Policy editor shows the setting names as unresolved resource strings.

Conclusion

That’s it. We should have a working LAPS setup now.

Next time I want to check out the “Windows Security Baseline” which is a set of Microsoft recommended configuration settings to up the security of your Windows clients and servers.

Till next time.
