Endpoint and appsIntermediate19 min read

What Does LAPS Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

LAPS helps secure computers on a network by giving each one a unique, strong password for its local administrator account. It stores those passwords securely in Active Directory so only authorized users can retrieve them. This stops attackers from using the same password to break into many computers.

Commonly Confused With

LAPSvsGroup Policy Password Settings Objects (PSO)

PSOs are used within Active Directory to enforce password policies for domain user accounts (like minimum length, complexity). They do not manage local administrator passwords on computers. LAPS specifically handles local account passwords, not domain user accounts.

A PSO could require domain users to have 14-character passwords. LAPS ensures each computer’s local admin password is unique and rotated.

LAPSvsMicrosoft Intune Local Admin Password Management

Intune offers a feature for managing local administrator passwords on Azure AD joined devices. It is cloud-native and does not require on-prem AD. LAPS is traditionally on-premises, though Windows LAPS now bridges both.

If a device is Azure AD joined only, use Intune password management or Windows LAPS. If the device is domain-joined to on-prem AD, use classic LAPS.

LAPSvsPrivileged Access Management (PAM) in Active Directory

PAM is a broader Microsoft solution for managing highly privileged domain accounts (like Domain Admins) using time-limited access and approval workflows. LAPS focuses specifically on local administrator accounts on individual machines.

PAM might be used to give a junior admin temporary Domain Admin rights. LAPS would be used to let that same admin retrieve the local admin password for a specific workstation.

Must Know for Exams

LAPS is a frequent topic in Microsoft certification exams, particularly those focused on security, identity, and endpoint management. It is most directly relevant to the MS-500 Microsoft 365 Security Administration exam, where it appears under the 'Manage security for Microsoft 365 workloads' domain. Expect questions that ask you to identify the correct tool for managing local administrator passwords or to describe the steps for deploying LAPS in an on-premises environment.

For the MD-100 Windows 10 exam and MD-101 Managing Modern Desktops exam, LAPS is covered in the context of endpoint security and device management. Questions may present a scenario where an organization needs to prevent lateral movement after a workstation compromise. The correct answer often involves deploying LAPS or configuring Windows LAPS. The AZ-800 and AZ-801 exams for Windows Server Hybrid Administrator also include LAPS as part of securing Active Directory and domain-joined servers.

CompTIA Security+ (SY0-601) includes LAPS under the 'Implementing secure network architectures' domain, specifically in the context of credential management and least privilege. While it is not a deep objective, you may see a multiple-choice question asking which technology enforces unique local admin passwords on Windows computers. The correct answer is LAPS, and it is important not to confuse it with Group Policy Password Settings Objects or fine-grained password policies.

In all these exams, the focus is on understanding the purpose of LAPS, its deployment requirements (AD schema extension, GPO client extension), and the security benefits (unique passwords, rotation, access control). You will not be asked to memorize specific PowerShell cmdlets in great detail, but you should know that LAPS uses Group Policy to configure behavior and that passwords are stored in the ms-Mcs-AdmPwd attribute. Be prepared to distinguish LAPS from similar solutions like Microsoft Intune’s local admin password management or third-party privileged access management tools.

Simple Meaning

Imagine you are the manager of a large apartment building with hundreds of units. Each unit has its own front door lock. If you gave every tenant the same key to the building’s maintenance closet, then any tenant who lost their key would put the entire building at risk. Worse, an outsider who found one key could access every apartment’s maintenance area. That is exactly what happens when every Windows computer on a corporate network has the same local administrator password.

LAPS fixes this by giving every computer its own unique, very strong password for the local admin account. These passwords are stored in a central directory called Active Directory, which is like a secure vault. Only IT administrators who have been given permission can open that vault and look up a specific computer’s password. If a password is ever compromised, LAPS can automatically change it to something new, making the old password useless.

In plain terms, LAPS makes sure that even if an attacker steals a password from one computer, they cannot use that same password to log into any other computer on the network. This is a huge boost to security because it stops the kind of attack where a hacker moves from machine to machine, looking for more valuable data. LAPS also helps IT teams comply with security policies that require strong, rotated passwords for local accounts, without requiring them to visit each computer physically.

Full Technical Definition

LAPS, or Local Administrator Password Solution, is a Microsoft-provided security tool that manages the passwords of local administrator accounts on domain-joined Windows computers and servers. It is not a built-in feature of Windows but is deployed as an optional component via the LAPS MSI package, which includes a Group Policy client-side extension and an Active Directory schema extension.

The core mechanism works by using Group Policy to instruct each targeted computer to generate a new, cryptographically random password for its local administrator account at a configurable interval. The computer then writes that password to a specific attribute on its corresponding computer object in Active Directory. These attributes, ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime, are added to the AD schema during LAPS deployment. The password is stored in clear text within the directory, but access to it is secured through standard Active Directory access control lists (ACLs).

For security, LAPS does not rely on the computer’s own security principal to write the password; instead, the computer uses its own machine account credentials to write to its object. Administrators who need to retrieve a password must have delegated read permission on the ms-Mcs-AdmPwd attribute of the relevant computer objects. By default, only Domain Admins and the computer itself have this read access. The solution supports both 24-character and 128-character password lengths, with complexity that includes lowercase letters, uppercase letters, numbers, and special characters.

LAPS operates without any additional infrastructure beyond Active Directory and the client-side extension. It does not require a dedicated server, database, or licensing beyond standard Windows Server and Windows client licenses. The solution is fully compatible with on-premises Active Directory environments and can be managed via PowerShell using the LAPS module cmdlets such as Get-LapsADPassword, Set-LapsADComputerSelfPermission, and Update-LapsADSchema. Microsoft has released a newer, modern version of LAPS in Windows 10 20H2 and later called Windows LAPS, which integrates more deeply with Azure Active Directory and offers encryption of the stored password.

In real IT implementations, LAPS is deployed as part of a baseline security configuration. Administrators extend the AD schema, delegate the appropriate permissions to helpdesk groups, and then create a Group Policy Object (GPO) that configures the LAPS client-side extension. This GPO defines password complexity, length, and expiration period. Once applied, the LAPS client runs during Group Policy refresh, typically every 90 minutes, and checks if a password change is due. If so, it generates a new password and updates the AD attribute.

Real-Life Example

Think of a large office building that has a security guard at the front desk. The guard has a master key that can open every office door in the building. If the guard loses that master key, every single office becomes vulnerable. In a corporate IT network without LAPS, the local administrator password is like that master key, it is the same on every computer. An attacker who gains that password can log into any workstation, server, or laptop on the domain.

Now imagine instead that each office door has its own unique key, and the security guard’s desk has a locked filing cabinet with a label for each office. Inside the filing cabinet, each key is stored in a separate envelope. Only the building manager and trusted security personnel have the key to the filing cabinet. This is exactly how LAPS works. Each computer (the office) has its own unique local admin password (the key). That password is stored securely in Active Directory (the filing cabinet), and only authorized IT administrators (the manager and security personnel) can access it.

If a single computer gets compromised, the attacker can steal that computer’s local admin password, but they cannot use it on any other computer because every password is different. The IT team can then force a reset of that computer’s password, rendering the stolen credential useless. This analogy also highlights the importance of delegation: you do not want every employee to have access to the filing cabinet, just as you do not want every domain user to be able to read LAPS passwords. Proper access control is essential to the solution’s security.

Why This Term Matters

In any organization with more than a handful of Windows computers, the local administrator account is a prime target for attackers. Without a tool like LAPS, IT administrators often set the same static password on every machine for convenience. This creates a massive security vulnerability: if an attacker compromises one machine and extracts that password, they can move laterally across the entire network, potentially reaching domain controllers and sensitive data.

LAPS eliminates this risk by ensuring that every computer has a unique, complex, and regularly rotated local admin password. This practice is a fundamental part of a defense-in-depth strategy and aligns with well-known security frameworks such as the Center for Internet Security (CIS) controls and the Microsoft Security Compliance Toolkit. It also supports compliance requirements for regulations like PCI DSS, HIPAA, and GDPR, which mandate strict access control and credential management.

For IT professionals, LAPS reduces operational overhead. Instead of manually resetting passwords after an incident or when an employee leaves, the solution automates password rotation. It also provides a clear audit trail because password retrieval is logged in Active Directory. Helpdesk teams can look up a local admin password when needed for remote troubleshooting, without having to store passwords in spreadsheets or on sticky notes.

The solution is also important for managing privileged access. By restricting who can read LAPS passwords, organizations can enforce the principle of least privilege. Even if a junior administrator has local admin rights on their own machine, they cannot access the local admin password for the CEO’s laptop unless explicitly authorized. This granular control is essential for preventing insider threats and accidental misuse.

How It Appears in Exam Questions

Exam questions about LAPS typically fall into three categories: scenario-based, configuration, and troubleshooting. In scenario-based questions, you are given a description of a company that has many Windows computers all using the same local admin password. After a breach, attackers moved from machine to machine. The question asks: 'Which solution should be deployed to prevent this in the future?' The obvious answer is LAPS.

Configuration questions may ask about the necessary prerequisites for deploying LAPS. For example: 'What must be performed before deploying LAPS?' The correct answer includes extending the Active Directory schema and installing the LAPS client-side extension on target computers. Another variant might ask: 'Which attribute stores the LAPS password?' The answer is ms-Mcs-AdmPwd.

Troubleshooting questions often revolve around why LAPS is not working. For instance: 'A support technician deployed LAPS but passwords are not being updated on client computers. What is the most likely cause?' Possible reasons include the LAPS client extension not being installed, the Group Policy not being applied (check gpresult), or the computer object in Active Directory lacking the necessary permissions to write the password attribute. You might also see a question where an administrator cannot read the LAPS password of a specific computer. The cause is likely that the administrator’s user account does not have delegated read access to the ms-Mcs-AdmPwd attribute.

Another common question pattern involves Windows LAPS versus the classic LAPS. For example: 'An organization wants to manage local admin passwords for Azure AD-joined devices. Which solution should they use?' The answer is Windows LAPS, which integrates with Azure AD, rather than the classic LAPS that only works with on-premises Active Directory.

Pay attention to questions that ask about password rotation intervals. LAPS can be configured to change passwords after a set number of days, and a question may present a scenario requiring a specific rotation policy (e.g., every 30 days). The answer will involve configuring the relevant Group Policy settings, such as 'Password age (days)' in the LAPS administrative template.

Practise LAPS Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A medium-sized company called TechSolve has 200 Windows 10 workstations and 20 Windows Server 2019 servers, all joined to an on-premises Active Directory domain. For years, the IT admin, Sarah, used the same local administrator password 'P@ssw0rd123' on every machine. This made it easy to perform remote maintenance and troubleshooting. Last month, a phishing email tricked an employee into installing malware on their workstation. The attacker extracted the local admin password and used it to log into every other workstation on the network, eventually reaching a file server containing sensitive client data.

After the breach was contained, Sarah’s manager demanded a solution that would prevent this type of lateral movement. Sarah researched and decided to deploy LAPS. She first extended the Active Directory schema by running 'Update-LapsADSchema' on a domain controller. Then, she created a security group called 'LAPS Readers' and delegated Read access to the ms-Mcs-AdmPwd attribute for all computer objects in the relevant organizational unit. She configured a Group Policy Object with the LAPS settings: password length of 24 characters, complexity enabled, and password expiration every 30 days.

She deployed the LAPS client extension to all workstations and servers using Group Policy Software Installation or SCCM. After a Group Policy refresh, each computer generated a unique, strong local admin password and stored it in AD. Now, when Sarah needs to perform remote maintenance on a specific computer, she uses PowerShell to retrieve that computer’s password: Get-LapsADPassword -Identity 'Computer123' -AsPlainText. The password is different for each machine. If another attack happens, the attacker can only compromise one machine because the local admin password on every other computer is different. TechSolve has significantly reduced the risk of lateral movement.

Common Mistakes

Thinking LAPS is built into Windows by default and requires no additional installation.

LAPS is not included in Windows by default. It must be downloaded from Microsoft and deployed as an MSI package. Without the client-side extension, Group Policy settings for LAPS have no effect.

Always check that the LAPS client is installed on target computers. You can verify by looking for the LAPS administrative template in Group Policy or the LAPS PowerShell module.

Believing LAPS encrypts the password when stored in Active Directory.

Classic LAPS stores the password in clear text in the ms-Mcs-AdmPwd attribute. Security relies on AD access controls, not encryption. Windows LAPS offers encryption, but classic LAPS does not.

Protect access to the ms-Mcs-AdmPwd attribute with strict ACLs. Do not grant read access to users or groups unnecessarily. Consider using Windows LAPS if encryption is required.

Assuming LAPS works with Azure AD joined devices out of the box.

Classic LAPS only works with on-premises Active Directory. For Azure AD joined devices, you need Windows LAPS (available in Windows 10 20H2 and later) or a third-party solution.

For hybrid or cloud-only environments, use Windows LAPS, which supports both on-prem AD and Azure AD. Evaluate your device join type before choosing the solution.

Configuring LAPS but forgetting to delegate read permissions, then wondering why helpdesk cannot retrieve passwords.

By default, only Domain Admins and the computer itself can read the LAPS password. If helpdesk users need access, you must explicitly grant them Read permission on the ms-Mcs-AdmPwd attribute.

Create a security group for helpdesk staff and delegate 'Read ms-Mcs-AdmPwd' at the appropriate OU. Use the Set-LapsADComputerSelfPermission cmdlet to grant the computer permission to write its own password.

Exam Trap — Don't Get Fooled

{"trap":"A question states that LAPS uses Group Policy to store passwords in a centralized database, leading learners to think LAPS requires SQL or a dedicated database server.","why_learners_choose_it":"Learners assume that 'centralized management' implies a separate database, similar to other Microsoft tools like SCCM or WSUS. They may be unfamiliar with Active Directory attribute storage."

,"how_to_avoid_it":"Remember that LAPS stores passwords directly in Active Directory as an attribute on the computer object. No extra database is needed. Group Policy is only used to configure the client-side behavior, not to store the passwords."

Step-by-Step Breakdown

1

Download and prepare LAPS

Obtain the LAPS MSI from the Microsoft Download Center. The package includes the client-side extension (CSE) and administrative templates. Also included is a PowerShell module for management.

2

Extend the Active Directory schema

Run Update-LapsADSchema on a domain controller (member of Schema Admins). This adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the schema, allowing computer objects to store local admin passwords.

3

Delegate permissions for computer password write

Use the Set-LapsADComputerSelfPermission cmdlet to grant each computer the right to write its own password to its AD object. This is done at the OU level where the computers reside.

4

Delegate read permissions for authorized users

Create a security group (e.g., LAPS Readers) and grant it Read access to the ms-Mcs-AdmPwd attribute on the relevant computer OUs. Use ADAC or PowerShell to delegate this permission.

5

Create and apply Group Policy

Import the LAPS ADMX templates into the Central Store, then create a GPO with settings such as password length, complexity, and password age (days). Link the GPO to the OU containing target computers.

6

Install the LAPS client on target computers

Deploy the LAPS MSI to all domain-joined computers using Group Policy Software Installation, SCCM, or another deployment tool. The client runs as a CSE during Group Policy processing.

7

Verify functionality

After the next Group Policy refresh, use the LAPS UI tool or PowerShell (Get-LapsADPassword) to confirm that passwords are being generated and stored in AD. Check that only authorized users can read them.

Practical Mini-Lesson

LAPS is one of the simplest yet most impactful security tools a Windows administrator can deploy. In practice, many organizations underestimate how quickly a shared local admin password can be extracted and abused. The first step in any LAPS deployment is to assess your environment’s readiness. Ensure your domain controllers are running a supported version of Windows Server (2008 R2 or later) and that your clients are at least Windows 7 SP1 or Windows Server 2008 R2. For modern environments, Windows LAPS is preferred because it supports both on-prem AD and Azure AD, plus it offers encrypted storage of passwords in AD.

When configuring LAPS, the most critical decision is the password age. A shorter age increases security but also increases network traffic and writes to AD. A common best practice is 30 days, but organizations handling highly sensitive data may set it to 7 days. Password length is also important: while 14 characters is often considered secure, many organizations use 24 or even 128 characters to be safe. Keep in mind that longer passwords may cause issues with some older applications or scripts that hard-code a maximum length.

A common pitfall in real implementations is forgetting to delegate the computer’s self-write permission. Without this, the LAPS client will fail to write the password to AD, and the password will remain unchanged. Check the event log on the client (Event ID 10030 from LAPS) to diagnose this. Also, ensure that the LAPS service is running and that the Group Policy settings are being applied. Use gpresult /h to verify the applied GPOs.

For retrieval, IT professionals should rely on the LAPS PowerShell module rather than the legacy UI tool, as it enables scripting and integration with helpdesk ticketing systems. A typical retrieval command is: Get-LapsADPassword -Identity 'Workstation123' -AsPlainText. The output will display the current local admin password. Ensure that the account running this command has the necessary read permission. If an administrator cannot retrieve the password, the most common cause is missing delegation permissions.

What can go wrong? Besides permission issues, the LAPS client can conflict with third-party security software that blocks the modification of local accounts. If a password reset fails repeatedly, check for such conflicts. Also, if the computer object is moved to a different OU after LAPS is configured, the GPO may no longer apply, and the password will not be rotated. Always audit your OUs and GPO linkage when restructuring your directory.

Memory Tip

LAPS = Local Admin Password Solution. Remember: 'LAPS stops lateral hops.' If an attacker steals one local password, LAPS ensures it only works on one machine.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

Do I need a separate server to run LAPS?

No, LAPS does not require a separate server. It uses your existing Active Directory and the LAPS client installed on each computer.

Is LAPS free?

Yes, LAPS is a free tool provided by Microsoft. It is included with Windows but must be downloaded and deployed separately.

Can LAPS manage the built-in Administrator account?

Yes, LAPS is designed to manage the built-in local Administrator account by default. It can also manage custom local accounts if configured.

Does LAPS work on servers?

Yes, LAPS can be deployed on Windows Server as well as Windows client computers. It is commonly used on both.

What happens if the LAPS client cannot reach a domain controller?

If the computer cannot contact a domain controller at the time of the scheduled password rotation, it will retry at the next Group Policy refresh interval. The existing password remains in effect until the change succeeds.

Can I use LAPS on Azure AD joined devices?

Classic LAPS does not support Azure AD joined devices. Use Windows LAPS, which is available in Windows 10 20H2 and later, for Azure AD or hybrid devices.

Does LAPS log password retrieval?

Yes, when a password is read from Active Directory, it is logged in the Domain Controller security event log. This provides an audit trail of who accessed which computer's local admin password.

Summary

LAPS (Local Administrator Password Solution) is a critical security tool that prevents lateral movement by ensuring each Windows computer on a domain has a unique, complex, and regularly rotated local administrator password. It stores these passwords securely in Active Directory, accessible only to authorized IT administrators through delegated permissions. The solution leverages Group Policy for configuration and requires a simple deployment of a client-side extension.

For IT certification candidates, understanding LAPS is important for security-related exams such as MS-500, MD-100, MD-101, and CompTIA Security+. You should know its purpose, deployment prerequisites (schema extension, client deployment, permission delegation), and common pitfalls like permission misconfigurations. Remember that LAPS is not built-in, does not encrypt passwords by default in its classic version, and works only with on-prem AD unless you use Windows LAPS.

The key exam takeaway is that LAPS directly addresses the 'same local admin password' vulnerability, a favorite topic for scenario questions. By implementing LAPS, organizations enforce the principle of least privilege and reduce the blast radius of any single machine compromise. As threats continue to evolve, LAPS remains a foundational control in any Windows security strategy.