I’ve been a fan of LAPS for a while and in 2023 Microsoft made LAPS even better by introducing a new version called Windows LAPS. Windows LAPS (Local Administrator Password Solution) is a great tool for managing your local admin passwords.
You might be thinking it’s ok I use one complicated password for my local admin accounts, it does not matter in fact it’s worse because if that local admin password hash is obtained then techniques such as pass-the-hash could be used or the password could be cracked and then all systems are compromised, it also sticks out on a penetration test.
Let’s be real, how often are you really changing those passwords even if they are all unique? Well, it doesn’t matter now because Microsoft has made managing all of it much simpler.
LAPS is not new, it has been around for years. In the past to use LAPS you needed to install a small client on the systems you wanted to manage with LAPS. You also needed to install the LAPS UI to retrieve the password or go digging in the AD attributes for the password.
After April 2023 all of that has changed as with the April 2023 security update systems running Windows 10 or newer and servers running Windows Server 2019 or newer now support Windows LAPS natively. No more extra programs are needed. There’s really no excuse for not using Windows LAPS.
The old way of doing Microsoft LAPS with the small client and LAPS UI is now called Legacy LAPS.
Here is step-by-step how to deploy Windows LAPS after the April 2023 update in on-premises Active Directory setup.
- All domain controllers and systems managed by LAPS must have the April 2023 update or newer.
- An AD group for the users who can view LAPS passwords.
- An AD group for the users who can reset the current LAPS password. (You can use the same group for both if you want.)
- An Admin account that is a member of Schema Admins and Domain Admins.
- Domain Functional Level of Windows Server 2016 or higher.
- Login to a domain controller with an account that is a member of schema admins and domain admins
- Confirm you have the LAPS PowerShell module by running the following command
get-command -module LAPS