Microsoft LAPS Overview: Setup, Installation, and Security

Learn the basics of Microsoft LAPS to keep users from gaining unauthorized access to your system. Contact us for help with your data protection needs.
David Harrington
5 min read
Published September 28, 2021
Last updated June 6, 2022

Microsoft LAPS is one of the most effective ways to protect administrator passwords and prevent unauthorized users from accessing systems or data they shouldn’t. Microsoft’s Local Administrator Password Solution — or LAPS for short — is a password management feature that randomizes the local administrator password on each computer in a domain.

Without a tool like LAPS, the compromise of one administrator password could expose every other machine that shares it. By forcing every local administrator account to have a unique password that changes periodically, companies avoid users standing pat with default passwords or reusing the same password across systems.

In this article, we’ll cover the basics of Microsoft LAPS and installation requirements. We’ll also explain how to install LAPS and ensure it operates securely within your business and IT systems.

What is Microsoft LAPS


Microsoft LAPS is a product that manages local administrator passwords and the permissions to read them, storing the passwords in Active Directory (AD). LAPS automatically randomizes and updates passwords on a routine basis, so that no two local administrator accounts ever share the same password and passwords don’t become stale and more vulnerable to attack. Prior to LAPS, many system administrators either used the same password across the domain or similar naming conventions that made the entire system more vulnerable.


In short, Microsoft LAPS ensures that all the devices and users throughout your system have unique, strong passwords to prevent data breaches or unauthorized logins.

Requirements for Installing LAPS

Microsoft LAPS has several key technical requirements for installation. First, you’ll need the .NET Framework 4.0 and PowerShell 2.0 at a minimum. The servers whose local administrator password LAPS will manage must run Windows Server 2003 SP1 or higher, and all managed desktop systems must run Windows Vista SP2 or higher.

With regard to your Active Directory environment, your domain controllers also need to be running Windows Server 2003 SP1 or higher. Moreover, LAPS requires a schema update to add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. These attributes store the local administrator password and its expiration time.

If you’ve been keeping your Microsoft technology stack current and up-to-date, you should have minimal issues meeting the minimum requirements for installing LAPS.

How to Setup Microsoft LAPS


After installation, Microsoft LAPS can be set up in just a few simple, linear steps.

1. Validate Your Components

The first thing to do is to ensure that you have all of your LAPS components ready for use. This includes the Fat Client UI, the PowerShell module, the Group Policy templates, and the AdmPwd GPO extension. While you may not need all of those specific features, most management consoles require one or more of those components prior to LAPS setup.

2. Extend Active Directory Schema

Extending the AD schema allows your directory to accommodate LAPS. You can do this with the PowerShell module that ships with LAPS. The two attributes you need to add to the schema are ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime, which store the administrator password and its expiry time.

3. Configure Password Settings

Once you’ve extended the AD schema, it’s time to configure LAPS password settings. Under Password Settings, you can configure the password complexity, length, and expiration age that LAPS will use when it generates new passwords. This step is critical to ensuring that your LAPS passwords are complex enough and changed frequently.

4. Apply Access Permissions

Now you’ll need to ensure that only the right people have access to LAPS settings and passwords. You’ll want to name the administrator that will manage the account, enter their information and enable their access. You also have the option of utilizing the default administrator account and details that come with every LAPS install.

5. Group Policy Configuration

Your AD is now ready to store and receive passwords and the correct permissions have been assigned. The final main step to LAPS installation is creating a group policy to configure the LAPS client component. Simply open the Group Policy Management Editor, select “Create a Group Policy Object,” and give it a meaningful name.

You’re now ready to essentially let LAPS do its thing. The system will generate and change passwords according to the complexity and time intervals defined in your group policy and administrative settings, and only the administrators you designate will be able to access LAPS and make changes.
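The five steps above as a single script, added here as an example and not taken from the original article or from Microsoft. It uses the AdmPwd.PS cmdlets that ship with the LAPS installer and the GroupPolicy module; the OU path, group names and GPO name are assumptions for an example domain.

```powershell
#Requires -Modules AdmPwd.PS, GroupPolicy
# Added example, not from the original article: the five setup steps as one script.
# The OU, group names and GPO name below are assumptions for an example domain.
$ou        = 'OU=Workstations,DC=corp,DC=example'  # assumed OU holding managed computers
$readers   = 'CORP\LAPS-Password-Readers'          # assumed group allowed to read passwords
$resetters = 'CORP\LAPS-Password-Resetters'        # assumed group allowed to force a reset
$gpoName   = 'LAPS - Workstations'                 # assumed GPO name

# Step 1: validate components. The module ships with the LAPS installer; stop if it is missing.
Import-Module AdmPwd.PS -ErrorAction Stop

# Step 2: extend the schema (once per forest, as a Schema Admin). Adds the
# ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes to the computer class.
Update-AdmPwdADSchema

# Step 4: permissions. Computers may write their own password and expiry time;
# only the named groups may read or reset. Everyone else is denied by omission.
Set-AdmPwdComputerSelfPermission  -OrgUnit $ou
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# Steps 3 and 5: password settings reach the LAPS client-side extension through
# Group Policy. These registry values are the ones the LAPS ADMX template writes.
$key = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
$settings = @{
    AdmPwdEnabled                  = 1    # turn the client extension on
    PasswordComplexity             = 4    # upper, lower, digits and specials
    PasswordLength                 = 20
    PasswordAgeDays                = 30
    PwdExpirationProtectionEnabled = 1    # clients refuse expiry dates beyond the policy age
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
}
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Final check: who can now read passwords on the OU? Anything unexpected here is a finding.
Find-AdmPwdExtendedRights -Identity $ou | Select-Object ObjectDN, ExtendedRightHolders
```

Run it from a domain-joined management host with the LAPS management tools installed; the schema step needs Schema Admin rights, the rest needs rights over the target OU.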

How to Ensure LAPS is Secure


You can implement several measures and tools to ensure that LAPS is secure and that none of your passwords or system access is compromised.

PowerShell Permission Scripts

Because installing LAPS adds new attributes to your directory, you’ll want to double-check that access permissions on those attributes are correctly applied. You only want to grant access to the ms-Mcs-AdmPwd attribute to users who need it. Thankfully, permission scripts are widely available that check current attribute access and apply the needed permissions if they are missing.

Remove All Extended Permissions

It’s also wise to remove the “All Extended Rights” permission that exists by default on the OU where LAPS is deployed. Removing this permission prevents users and groups from viewing the passwords of local administrator accounts on devices they aren’t authorized to manage. Because the passwords are stored as a plain-text attribute that PowerShell can read, removing extended permissions prevents people from accidentally stumbling upon passwords.
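An audit script for the two points above, added here as an example and not taken from the original article: it reads the OU’s ACL, lists every principal that holds “All Extended Rights” (which implicitly covers reading ms-Mcs-AdmPwd), and compares that against an approved list. The OU path and the approved principals are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original article: find principals holding "All Extended
# Rights" on an OU, which silently includes reading the confidential ms-Mcs-AdmPwd
# attribute, and report anything not on an approved list. OU and list are assumptions.
Import-Module ActiveDirectory -ErrorAction Stop

$ou       = 'OU=Workstations,DC=corp,DC=example'   # assumed OU of LAPS-managed computers
$approved = @('CORP\LAPS-Password-Readers', 'CORP\Domain Admins', 'NT AUTHORITY\SYSTEM')  # assumed

function Get-UnapprovedAllExtendedRightAces {
    param([string]$OrgUnit, [string[]]$Approved)
    # Read the OU's ACL through the AD: drive. An Allow ACE carrying ExtendedRight with
    # an empty ObjectType GUID is "All Extended Rights": not one right, but every one.
    $acl = Get-Acl -Path "AD:\$OrgUnit"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq [guid]::Empty -and
        $Approved -notcontains $_.IdentityReference.Value
    }
}

function Remove-AllExtendedRightAces {
    param([string]$OrgUnit, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Aces)
    # Only explicit ACEs can be removed here; inherited ones (IsInherited = True) must be
    # fixed on the parent container or by blocking inheritance on the OU.
    $acl = Get-Acl -Path "AD:\$OrgUnit"
    foreach ($ace in ($Aces | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path "AD:\$OrgUnit" -AclObject $acl
}

$offenders = @(Get-UnapprovedAllExtendedRightAces -OrgUnit $ou -Approved $approved)
if ($offenders.Count -eq 0) {
    "No unapproved 'All Extended Rights' grants on $ou"
} else {
    $offenders | Select-Object IdentityReference, IsInherited | Format-Table -AutoSize
    # Review the table first, then run the removal deliberately (left commented out on purpose):
    # Remove-AllExtendedRightAces -OrgUnit $ou -Aces $offenders
}
```

Run the report regularly, not just once after setup: a later delegation change on a parent OU can reintroduce the right through inheritance.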

Locking Password Reset Permissions

In LAPS, certain users are allowed the capability of resetting passwords. Upon installation and setup, you’ll want to ensure that password reset permission is locked only to the local administrator. The ability to reset passwords should be strictly limited in any scenario, and Microsoft LAPS is no exception.

Administrator Training and Awareness

On an organizational level, you should also conduct administrator training sessions on how to install, configure, and use LAPS securely. As with any new software or technology rollout, it’s critical that administrators are aware of potential weaknesses in a LAPS deployment and how to prevent unauthorized users from viewing passwords or accidentally altering settings.

Integrated Approach to Data Security

The proper configurations shouldn’t be your only line of defense against LAPS compromise. You should also strongly consider implementing some form of threat detection and response software that will alert you to unauthorized access or users. It should be part of a much broader data protection platform you use to safeguard LAPS and all other aspects of your IT ecosystem.

Microsoft LAPS FAQs

Below are a few common questions and topics surrounding Microsoft LAPS, how it works, and the level of security.

Is Microsoft LAPS secure?

Yes. As long as permissions are locked down in the attributes of the Active Directory, Microsoft LAPS is extremely secure. Any systems or software can be targets for hackers, but with the proper precautions and setup LAPS is a secure product.

What is LAPS in computing?

From a purely technical standpoint, the Microsoft LAPS solution is a Group Policy Object client-side extension (CSE) designed for ongoing password security. It works with your Active Directory, generating new passwords on a regular basis and storing them in the directory.

What is Microsoft LAPS used for?

Microsoft LAPS is used in order to prevent stale, duplicate, or overly simplistic passwords. These situations leave systems vulnerable to either intentional or accidental data breaches. LAPS ensures that passwords change regularly and are adequately complex.

How much does LAPS cost?

Nothing. LAPS can be downloaded for free directly from Microsoft’s website and is a tool the company provides to Windows and enterprise users as an added password security measure. Your only cost is time and resources spent installing, configuring, and managing LAPS.

Closing Thoughts

Stale and duplicate passwords traditionally present enormous vulnerabilities to IT data security. Microsoft LAPS is a fantastic tool to ensure neither of these is an issue on an ongoing, automated basis. By installing LAPS — and limiting permissions only to authorized administrators — you can ensure that users will never gain unauthorized access to your system with old passwords.
