Download Local Administrator Password Solution (LAPS) from Official Microsoft Download Center (2024)


  • Version: 6.2

    Date Published: 5/18/2021

    File Name (File Size):
    • LAPS_Datasheet.docx (102.0 KB)
    • LAPS_TechnicalSpecification.docx (71.0 KB)
    • LAPS.ARM64.msi (1.1 MB)
    • LAPS.x64.msi (1.1 MB)
    • LAPS.x86.msi (1.0 MB)
    • LAPS_OperationsGuide.docx (626.3 KB)

    Important Deprecation Notice

    NOTE: The legacy Microsoft LAPS product is deprecated as of Windows 11 23 H2 and later. Installation of the legacy Microsoft LAPS MSI package is blocked on newer OS versions. Microsoft will no longer consider code changes for the legacy Microsoft LAPS product.

    Please use Windows LAPS, available on Windows Server 2019 and above, and on supported Windows 10 and Windows 11 clients, for managing local administrator account passwords. See https://aka.ms/laps for more information on Windows LAPS.

    Microsoft will continue to support the legacy Microsoft LAPS product on older versions of Windows (prior to Windows 11 23 H2) on which it was previously supported. That support will end upon the normal End of Support for those OSes.

    See https://aka.ms/LegacyLAPSDeprecation for more information.

    End Deprecation Notice

    Note: the only change in this release is that the binaries and installer package have been recompiled and signed with SHA256. No functionality has been added or modified.

    For environments in which users are required to log on to computers without domain credentials, password management can become a complex issue. Such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack. The Local Administrator Password Solution (LAPS) provides a solution to this issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.

    LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. LAPS stores the password for each computer’s local administrator account in Active Directory, secured in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

    Use LAPS to automatically manage local administrator passwords on domain joined computers so that passwords are unique on each managed computer, randomly generated, and securely stored in Active Directory infrastructure. The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.

    How does LAPS work?
    The core of the LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update:
    • Checks whether the password of the local Administrator account has expired.
    • Generates a new password when the old password is either expired or is required to be changed prior to expiration.
    • Validates the new password against the password policy.
    • Reports the password to Active Directory, storing it with a confidential attribute with the computer account in Active Directory.
    • Reports the next expiration time for the password to Active Directory, storing it with an attribute with the computer account in Active Directory.
    • Changes the password of the Administrator account.
    The password then can be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.
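The CSE tasks above leave a visible trail in Active Directory: a managed computer that has never reported, or whose reported expiration time is well in the past, is one where the CSE is not doing its job. The following is an added example, not part of the Microsoft page. It assumes the ActiveDirectory PowerShell module (RSAT) is available, that the expiration attribute is the legacy LAPS schema attribute ms-Mcs-AdmPwdExpirationTime, and it uses a placeholder OU and a 7-day grace period:

```powershell
# Added example: find managed computers whose LAPS CSE has stopped reporting.
# Reads only the expiration attribute, never the confidential password attribute.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, adjust to your domain
$grace      = New-TimeSpan -Days 7                  # assumed tolerance for machines that are offline
$now        = (Get-Date).ToUniversalTime()

Get-ADComputer -SearchBase $searchBase -Filter 'Enabled -eq $true' `
               -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
        if (-not $raw) {
            # The CSE never wrote to this object: not installed, no GPO, or no self-write permission.
            $expires = $null
            $state   = 'NeverReported'
        } else {
            # The attribute holds a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            if ($expires -lt ($now - $grace)) { $state = 'Overdue' } else { $state = 'OK' }
        }
        New-Object psobject -Property @{
            Computer   = $_.Name
            ExpiresUtc = $expires
            State      = $state
        }
    } |
    Where-Object { $_.State -ne 'OK' } |
    Sort-Object State, Computer |
    Format-Table Computer, State, ExpiresUtc -AutoSize
```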

    What are the features of LAPS?
    LAPS includes the following features:
    • Security that provides the ability to:
      • Randomly generate passwords that are automatically changed on managed machines.
      • Effectively mitigate PtH attacks that rely on identical local account passwords.
      • Enforce password protection during transport via encryption using the Kerberos version 5 protocol.
      • Use access control lists (ACLs) to protect passwords in Active Directory and easily implement a detailed security model.
    • Manageability that provides the ability to:
      • Configure password parameters, including age, complexity, and length.
      • Force password reset on a per-machine basis.
      • Use a security model that is integrated with ACLs in Active Directory.
      • Use any Active Directory management tool of choice; custom tools, such as Windows PowerShell, are provided.
      • Protect against computer account deletion.
      • Easily implement the solution with a minimal footprint.

  • Supported Operating Systems

    Windows Server 2019, Windows Server 2008, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows Server 2003, Windows Server 2008 R2, Windows Server 2012, Windows 7, Windows 8, Windows Vista, Windows 8.1, Windows Server 2022


    Active Directory (requires AD schema extension):
      • Windows 2003 SP1 or later.
    Managed machines:
      • Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later.
        Note: Itanium-based machines are not supported.
    Management tools:
      • .NET Framework 4.0
      • PowerShell 2.0 or later

  • The following steps need to be performed to configure LAPS

    • Installation of GP CSE (Group Policy Client Side Extension) via MSI installation
      • On management computers
      • On clients to be managed
    • AD preparation
      • Schema extension
      • Permission updates
    • Group Policy configuration

    Further details can be found in the operations guide.
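The AD preparation steps listed above, as an added example that is not part of the Microsoft page. It assumes the AdmPwd.PS module that the LAPS management tools install; the OU, the reader group and the list of expected principals are placeholders:

```powershell
# Added example: AD preparation for legacy LAPS with the AdmPwd.PS module.
Import-Module AdmPwd.PS

$ou      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU holding the managed computers
$readers = 'EXAMPLE\Helpdesk-LAPS-Readers'       # placeholder group authorized to read passwords

# 1. Schema extension: run once, with Schema Admins rights.
Update-AdmPwdADSchema

# 2. Permission updates: let each computer write its own password and expiration data.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Permission updates: delegate read and reset only to the intended group.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 4. Review: every principal holding extended rights on the OU can read the
#    confidential attribute, so flag anyone outside the expected set.
$expected = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins', $readers)   # placeholder allow-list

Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders |
    Where-Object { $expected -notcontains $_ } |
    ForEach-Object { Write-Warning "Unexpected principal with extended rights on ${ou}: $_" }
```

Run step 4 again after any change to OU delegation, since inherited "All extended rights" grants are the usual way unintended readers appear.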


FAQs

How to get local admin password using LAPS? ›

The Get-LapsADPassword cmdlet allows administrators to retrieve LAPS passwords and password history for an Active Directory computer or domain controller object. Depending on policy configuration, LAPS passwords may be stored in either clear-text form or encrypted form.

What is the local administrator password solution program? ›

Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices.

How to download Windows LAPS? ›

You can install the LAPS management features on the domain controller or another domain-joined computer (such as Windows 10 or 11).
  1. Download the LAPS software from the link below. ...
  2. Double-click the file LAPS. ...
  3. Click “Next” on the setup wizard screen.
  4. Accept the license agreement and click “Next”.
  5. Install all features.
Oct 19, 2023

How much does Microsoft LAPS cost? ›

LAPS is a Client Side Extension (CSE) to Group Policy released for free by Microsoft. It creates two new protected attributes in your Active Directory schema for computer objects which are used to store the computer's Local Admin password and expiry information.

How do I find my local administrator password? ›

Finding the Admin Password In Your Computer's Settings

Access the computer's BIOS menu – this is usually done by pressing the Del or F2 key. Here you can usually find the complete password in plain text. If it is not available in the BIOS, look for the “security tab” in your computer's settings.

Where are local admin passwords stored? ›

LAPS stores the password for each computer's local administrator account in Active Directory, secured in a confidential attribute in the computer's corresponding Active Directory object.

How to reset LAPS password manually? ›

The password will be displayed along with the password expiration date. To manually reset the password, just click the Set button in the LAPS UI tool. When a Group Policy refresh runs on the target machine, the password will be reset.

What is the default password for Windows local administrator? ›

Sadly, there is no default password or admin default password for your Microsoft Windows. However, there are ways to regain access to your Windows if you don't remember your login info. If you have Windows 8, 10, or 11 and use a Microsoft account, the easiest way to do this is by running an online reset.

How to implement Windows LAPS? ›

Setting Up Windows LAPS: Step by Step
  1. Check for the PowerShell Module. ...
  2. Extend the Active Directory Schema. ...
  3. Verify the Schema was Extended. ...
  4. Set the AD LAPS Computer Permission. ...
  5. Configuring Group Policy.

Who can read LAPS passwords? ›

These passwords are stored securely within Active Directory and are only accessible to users who have been granted permission through Access Control Lists (ACLs). The security of the password transmissions from the client to the server is ensured by the use of Kerberos version 5 and Advanced Encryption Standard (AES).

Is Microsoft LAPS still supported? ›

As of October 23, 2023, the legacy Microsoft LAPS product is deprecated.

Is LAPS built into Windows? ›

Windows LAPS is a native, built-in solution with increased functionality and security features. It also provides an emulation mode to help you migrate from legacy LAPS.

How much does 365 cost per year? ›

Overview of Microsoft 365 for Home
Plan | Price (Annual Subscription)
Microsoft 365 Family | $99.99
Microsoft 365 Personal | $69.99
Oct 3, 2022

How many devices can you have on Microsoft 365 personal? ›

Microsoft 365 Personal can be used by you. You can install Microsoft 365 on all your devices and be signed in to five devices at a time. Whether you stay with the same subscription or switch to a different subscription, your online storage capacity per user doesn't change.

Is Microsoft 365 free for personal use? ›

Microsoft 365 for the web is a free version of Microsoft 365 that you can use in a web browser. All you need is to sign up for a Microsoft account with a new or existing email address. Use Word, Excel, PowerPoint and more for free on the web.

How do I access my local admin account? ›

Sign into Windows as a Local Administrator
  1. In the bottom-left corner of the sign-in screen, click on Other User.
  2. Enter “.\Administrator” as the username, enter your local admin password, and press Enter.
Jan 25, 2023

How do I unlock local administrator? ›

Using the Command Prompt

The easiest way to unlock the Administrator account in Windows 10 is to use the Command Prompt. To do this, open the Command Prompt as an Administrator, then type in the command “net user administrator /active:yes” and press Enter.

Does LAPS create an admin account? ›

Can Windows LAPS create local admin accounts based on the administrator account name that's configured using LAPS policy? No. Windows LAPS can only manage accounts that already exist on the device.

How to set local admin password from cmd? ›

Here's how to do it from command prompt.
  1. Go to search, type CMD, run Command Prompt as Administrator.
  2. Type this command: net user USERNAME * and press Enter.
  3. It will ask you for a new password for the account. Enter your preferred one and confirm.
Dec 14, 2020


Author: Mrs. Angelic Larkin
