The Microsoft Local Administrator Password Solution (LAPS) allows organizations to securely rotate the local Administrator passwords for their desktops, laptops, tablets, and servers. In this article, I’ll cover several of the most frequently asked questions I’ve received about LAPS.

Does the Microsoft Local Administrator Password Solution (LAPS) require an agent? I really don’t want to install yet another agent on my computers. (Special thanks to reader Mike for this question.)

No, LAPS does not require an agent. For LAPS to function on workstations and servers, a Group Policy Client Side Extension (CSE) will need to be installed. The Group Policy CSE is not an agent. Typically, an agent is a service that runs at system startup and continues to run in the background to provide telemetry or some other data back to a central system such as System Center Configuration Manager, Operations Manager, or an antivirus monitoring platform. The CSE only runs at Group Policy refresh cycles.

Local Administrator Password Solution Setup - Manual install of Group Policy CSE
Local Administrator Password Solution Setup - Manual install of Group Policy CSE

Can I use LAPS without installing the Active Directory schema changes?

No, you cannot use LAPS without installing the AD schema changes. The schema update adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes that LAPS requires.

Does LAPS require an additional infrastructure such as additional application servers or SQL?

No. LAPS requires two additions to your AD schema. LAPS also requires that an additional Group Policy Client Side Extension (CSE) be installed on all of the managed computers. You will not need to run an additional application server or SQL server to use LAPS.

Is storing the Administrator password in AD in plain text secure?

The ms-Mcs-AdmPwd attribute in AD is a confidential attribute protected by an Access Control List (ACL). Only users with permissions to view this attribute can view the password (that is, Domain Admins and anyone else they’ve delegated access to). Keeping the same local Administrator password across large groups of systems is a much bigger security risk.

If the passwords are stored in AD, can’t anyone with AD access view them?

No, only users with adequate permissions can view the stored passwords. You can use the Find-AdmPwdExtendedRights PowerShell cmdlet to view which groups and users can view the stored passwords. You can use the Set-AdmPwdReadPasswordPermission PowerShell cmdlet to give groups and/or users access to view the passwords.

Find-AdmPwdExtendedRights output example

Find-AdmPwdExtendedRights output example

Can I require two-factor authentication (2FA) to view the passwords LAPS has stored in AD?

Access to the ms-Mcs-AdmPwd attribute is controlled with a user’s regular AD credentials. You would need to implement 2FA for all user logons that have access to that data in AD. You won’t be able to require 2FA for just accessing that attribute without implementing some kind of custom solution.

What happens if an admin’s account is compromised? Wouldn’t the compromised account have access to the stored passwords?

If a user with adequate rights to view the ms-Mcs-AdmPwd attribute is compromised, that account could be used to pull all of the local Administrator passwords from your domain (or subset of computers if the user account can only view Administrator passwords for specific OUs in the domain). Typically, this kind of account would already have had enough rights to reset the password remotely on any of those computers or wreak other havoc with the delegated privileged access.

The upside of having LAPS in place is that you can now force a password reset on all systems that could have a compromised Admin password and then see in AD if they’ve updated.

Can LAPS manage the password of the local Administrator account and a custom local administrator account with a different name at the same time?

You can manage either the default Administrator account (including if the account has been renamed) or a secondary local Administrator account that you’ve created, but not both.

What happens if the computer loses its connection/trust with Active Directory? Will LAPS change the local Administrator password on the computer, but fail to update it in AD? If this happens, I won’t know the local Administrator password. (Special thanks to reader Ken D. for this question.)

The password that is stored in AD is the computer’s current password—even if the password should have expired. In this situation, the computer’s Group Policy Client Side Extension (running in the Local SYSTEM context) would be unable to check the expiration date stored in AD. When that happens, the password change process would stop. You would need to re-establish the computer’s AD trust before the local Administrator password changes again.

Can LAPS manage the local Administrator passwords on non–domain-joined machines?

No. Computers must be domain-joined to be managed by LAPS.

Can LAPS change the stored password for a service if it is using the local Administrator account?

No. LAPS will only update the local Administrator password. It will not update the service to use the new password.

Aren’t there more elaborate solutions that can do more than just randomize the local Administrator password? What if I need to rotate passwords for service accounts or do something more advanced?

Microsoft LAPS is designed to randomize passwords of the local Administrator (or a custom Administrator account) for domain-joined systems without the need to implement additional infrastructure. This gives organizations a way to randomize those local passwords to prevent large numbers of computers from being vulnerable to Pass-the-Hash attacks or from being compromised if that password becomes known. Yes, much more elaborate solutions exist if you’re willing to pay for them and take the effort to implement additional infrastructure.

What if my question isn’t listed here?
Feel free to ask your question in the comments section below!

  1. Avatar
    MingN 8 years ago


    We are using SCCM to deploy LAPS CSE to managed computers. Is it possible to push along in the same package of LAPS CSE deployment the creation of the new ExtensionDebugLevel REG_DWORD to enable additional logging?

    I am aware that the {D76B9641-3288-4f75-942D-087DE603E3EA} will only exist after the LAPS CSE has been installed on computers.

    How can I achieve that via SCCM?


    • Avatar Author

      Unfortunately, I don’t use SCCM enough to know how to do that. You can create any Registry entry you want… you don’t have to depend on the CSE to be installed for it to be on the system. If these are domain-joined systems, I’d probably use Group Policy Preferences. If you want to use SCCM, create a secondary package that runs a script to add the Registry entries and make it dependent on the LAPS CSE install.

    • Avatar
      asd 7 years ago

      You can create a batch file and deploy it using the reg add command with the correct details after the laps client has been installed

  2. Avatar
    MingN 8 years ago

    In an environment where there will be many management computer (each service desk personnel), then there is no need to install the GPO Editor templates option, is this correct?

    From my understanding GPO editor template tool only need to be installed once (on a management computer, not DC) to get the LAPs administration template files to be used in (copy-to) central store GPO.

    Other management computers only need to have FAT client UI & Powershell module installed. correct?



    • Avatar Author

      Correct… you only need the Group Policy ADMX files on computers that will edit the policy for LAPS. If your service desk personnel are going to need to view passwords and force updates/resets, yes… they’ll need the client UI and PowerShell module installed.

  3. Avatar
    Thomas H. (Rank ) 8 years ago

    Problem with LAPS I hope you can clarify.   The company I work has recently implemented LAPS. However I think there may have been unforeseen issues that weren’t planned for.  We have a policy that if a pc hasn’t communicated to a domain Control for 2 months it is scavenged and drops off the Domain.  We have users that work from home via VPN and for some reason they sometimes fall off the Domain.  I have found that if a PC falls of the domain we are unable to log in as Local Admin with LAPS and are left with no choice but to re-image.  I am not a system/domain admin but a desktop support tech who has to tell the user we can’s recover their data.  So wanted to know if there is a solutions to resolve this situation.

    • Avatar Author

      My initial thought is that these PC’s may not be communicating with Active Directory like they should be. I’d start there and make sure that they’re communicating like they’re supposed to be. 2 months seems really low to me… I work in Higher Ed and it is very normal for a computer to go longer than 2 months without connecting back in to campus. Your organization may want to ensure that the Active Directory Recycle Bin is enabled and the tombstoneLifetime is set to something longer than 60 days so you can recover those objects. It would be much easier than using something like DaRT to reset the password and then re-adding them to AD.

  4. Avatar
    Shawn 8 years ago

    Thomas – we have the same issue. Without restating, how does one recover a LAPS generated password or reset one on a client computer with a trust issue that no longer exists in AD anymore?
    We currently blank passwords on Win 7 boxes with old school 3 party disks and hack our way into Win 10 clients as well.  I saw your comment about DaRT and MDOP with Software Assurance, is this the way that MS wants us to manage the issue?

    • Avatar Author

      If you’ve got computers that are losing their trust with AD, you’ve got a bigger issue you need to solve. You shouldn’t be needed to do an offline edit regularly to get back into the boxes. Have you investigated why you’ve got boxes losing their trust with AD? In 10 years, I can think of maybe two times it happened to me in my old environment.

  5. Avatar
    Roger Kagan 8 years ago

    I am doing some testing.

    What about using LAPS for the DSRM password?

    It seems to work so far.


  6. Avatar
    Bberies 8 years ago

    We have push out LAPS to most computers and majority of them seem to be good.

    However, there are some computers out there that also have the GPO CSE  installed and received the LAPS gpo with the relevant SELF permission set (same OU as the rest that are working), but they the two ms-Mcs-AdmPwd & ms-Mcs-AdmPwdExpiration are not showing in the computer object (in attributes editor).

    What could be the issue?


  7. Avatar
    Bberies 8 years ago

    To add more info on my above question –

    After few reboot, the ms-Mcs-AdmPwdExpiration  is now showing up in attributes editor of the computer object.

    However, ms-Mcs-AdmPwd  still missing.

    Force a password change via LAPS UI. it said Password reset request was successful.

    the ms-Mcs-AdmPwd still missing.

    note: The Local Administrator Account password of this VM has been manually changed before LAPS was implemented.

    Please shed some lights.


  8. Avatar
    Usaid 8 years ago

    I implemented solution and the application can set/reset password for only machine, where I have installed both fat client and CSE both, but not working for other machine, on which I have installed only CSE, saying ms-Mcs-AdmPwd <not set>

  9. Avatar
    Jeremy 7 years ago

    I am currently running test on LAPS for the company i work for… Is there a way to rename and enable/ disable the Admin accounts from LAPS group policy? Like I said We are testing the software and DO NOT want to mess with the local group policies just the LAPS GP

    • Avatar Author

      I’m not sure I totally understand what you’re trying to do.  When I originally tested LAPS, I created a new sub-OU with the computers I was testing with.  I linked the LAPS GPO there and it only impacted those test computers.  It still allowed them to get all the policy they would normally get.

  10. Avatar
    Red 7 years ago


    I’m in a corporate environment and we want to tesl LASP but all our PC have the built-in Administrator account disabled and every PC has local administrator account, with a different name for every PC.

    Is this somehow supported? Does LAPS recognize an account with administrative privilege with different name for every PC? And what about if a PC has two local administrative account ?





    • Avatar Author

      Obfuscating the local Administrator account isn’t really security.  Enumerating that username is fairly trivial.  You’ll need to switch to the standard local Administrator account or start using a single custom username to use LAPS.

  11. Avatar
    Brent 7 years ago


    i have tested the LAPS in our testdomain. It is work perfect. Also change the password works correct. (After gpudate) but for machine behind a RODC i become a error “Could not get computer object from AD:Error 0x80070051” I have also set the FAS for RODC to replicate the attribute for  ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime



    • Avatar Author

      I haven’t tested with a RODC, but LAPS is going to have to write data back to a DC.  If it can’t do that, it can’t update the stored password.

  12. Avatar
    Jeff 7 years ago

    Is there anyway to use powershell to run through all computers to see which, if any, LAPS ms-Mcs-AdmPwd didn’t get put in as it should have through a GPO?

  13. Avatar
    Randy Smith 7 years ago

    I am having trouble finding an answer to this, as I am just starting the venture into using this application. Does the admin GUI need to run off of a DC? Or can I just use domain admin credentials somewhere to use the GUI on a domain workstation?

    • Avatar
      Andre 7 years ago

      @Randy Smith

      Had this same question. Short answer is No. LAPS doesn’t need to be installed on a DC.

      You will need to install the FAT client and GP extensions on a computer. Then you will want to copy over the .admx and .adml group policy extensions into the correct sysvol and sysvol\en-us folders on your central share from whichever PC you do install it upon.

      Otherwise you won’t be able to configure the GPO.

      • Avatar
        Aaron 6 years ago

        hi, sorry , a bit late to the party but I’ve a follow up question to this. The install of the management software seems pretty redundant once in, is that correct? By this i mean, if the server that the management software was installed on suddenly died or we were in DR scenario where Site A with the management server was located, there would be no impact on being able to retrieve/set passwords?

        And all we would have to do was install the management software on another server if we wanted to make any changes to the GP template?

  14. Avatar
    Garrett Petschke 7 years ago

    I’m in the process of installing LAPS at the organization that I work for.  I have two questions…

    1. If you have a secondary custom local admin account, can you deploy a second GPO for LAPS to manage that?

    2. For PCs that are being managed, can the local admin account become locked when the LAPS generated password is entered incorrectly multiple times?  What are the steps to recover from this, if so?

    • Avatar Author

      No.  You can use local Administrator or a custom account, not both.
      It would depend on the policy you’ve set on the machine.  Recovery would be the same for any locked out account.

  15. Avatar
    Werner 7 years ago

    We are using LAPS for some time in our environment. We also have a lot of virtual servers and using snapshots from time to time for updating applications. I already faced a problem that the password was changed after the snapshot and that the password for the computer also changed. We wanted to go back to the snapshot. The result was a server that you can’t logon anymore, because the computeraccount had a newer password (no trust anymore) and the local password was also newer. Is there a way to get the old local password?

    • Avatar Author

      Unless you’re using a third-party application or writing something in PowerShell to regularly dump the passwords, nope.

  16. Avatar
    Tim 7 years ago

    What if the userer changes the local admin password himself?
    Is the password mirrored to AD or is the password overwritten from the one set in AD?

    Thank you!

    • Avatar Author

      Nope.  If a user with local Admin rights on the computer changes the password, you no longer know the local Administrator password on the system.

  17. Avatar
    sadiq 7 years ago

    After installing the LAPs, I got this problem. please help me to fix this problem…..Thanks

    User Name

    Client IP Address

    Client Host Name

    Domain Controller

    Logon Time
    Nov 18,2016 02:15:29 PM

    Event Type

    Failure Reason
    Bad password


    Kerberos pre-authentication failed.

    Logon Service


    Event Number

    Event Code


    • Avatar Author

      This isn’t terribly useful without context.  Is this on the client or the server?  What other steps have you performed?

  18. Avatar
    Gandhasree 7 years ago



    I have configured LAPS in my environment. After the configuration, LAPS UI is now showing the password

    Everything is properly configured

  19. Avatar
    CMAN 7 years ago

    kyle or anyone?

    what happens if the DC is down how can you read the passwords?

    • Avatar Author

      DC? Singular?  You can’t read the passwords if the DC is down.  Why do you only have one DC?

  20. Avatar
    Ren 7 years ago

    Hello, i’m not sure if anyone encountered same issue am having. I’ve setup LAPS to our domain. Everything looks fine. I see the attribute with the password and security is also setup and delegated. However, if i use the password stored in attribute, the password does not seem to work. Please advise.

  21. Avatar

    Hi Ren,

    Have you tried setting a new expiration time through LAPS UI? Choosing a date in the past then restarting the client will force a new password to be set.

    I have noticed that a newly imaged machine (without removing the object from AD) will show the old password in LAPS but it won’t work until I set a new one.

    • Avatar
      Ren 7 years ago

      Hello Andre,

      I appreciate your response. I’ve tried setting a new expiration choosing the date in the past, waited half day and run gpupdate, restarted the machine, checked to make sure gpo is applied but still the password in ADUC does not work. I’ve tried setting a new expiration and this time the date in the future but same thing.

      Please advise.


  22. Avatar


    Strange… When you set the expiration to a date in the past, after restarting the client, did the password in ADUC/LAPS UI change? When you look at your group policy scope and filtering is the computer object subject to your LAPS policy?

    If you have another administrator account you can log in with you could open an elevated command prompt and run “gpresults /r”. Verify under the Computer Settings > Applied Group Policy Objects section that you see your LAPS policy.

    It may be the case that the computer object is not in the correct OU or group.

    • Avatar
      Ren 7 years ago

      I agree, very strange. I searched everywhere if i missed something and i even reconfigured it again but same thing.

      -Yes the password shows in ADUC.

      -Yes the password changed after i set the expiration to past.

      -Yes the policy is applied after running gpresult /r.

      -Under security filtering, computer is added and made sure the “apply group policy” is checked on.

      -I enforced LAPS GPO.

      -LAPS is installed on the machine.

  23. Avatar


    Hmm, it seems like you’re doing everything correctly.

    It may sound dumb but are you typing in the admin password? I prefer to use Remote Desktop, then copy/paste the password, as I find it difficult to distinguish between some of the characters.

    And the account you’re trying to log into is the built in local administrator (assuming you didn’t point LAPS at a different account) using “.\administrator” to prevent it from trying to use a domain account.

    Other than that I’m running out of ideas for you to try, sorry.

    • Avatar
      Ren 7 years ago

      Yes im typing the password and i did try copy and paste

      We are not using the builtin local admin. Could that be the issue? I see documents that you specify the local admin name on laps gpo and it should work.

      No worries. I appreciate your time.

      • Avatar Author

        Sounds like that is your problem.  If you’re not using the local Administrator account, you have to specify the username of the account in the GPO.

        • Avatar
          Ren 7 years ago

          Hello Kyle, i did specify the the username of our local admin account but that didn’t help.

  24. Avatar
    Ren 7 years ago

    Please Help!

    When i issued the command “Set-AdmPwdComputerSelfPermission -OrgUnit <OU where the Client Machines are Stored>”  

    I get below Error….

    PS C:\windows\system32> Set-AdmPwdComputerSelfPermission -OrgUnit “OU=Computers,OU=Managed,DC=domain,DC=ca”
    Set-AdmPwdComputerSelfPermission : The object does not exist.
    At line:1 char:1
    + Set-AdmPwdComputerSelfPermission -OrgUnit “OU=Computers,OU=Managed,DC=domain, …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-AdmPwdComputerSelfPermission], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.DelegateCom

    • Avatar Author

      The error is right there: “The object does not exist.”  Does that OU actually exist or is that actually a folder in your AD?

  25. Avatar
    ryan pietrow 7 years ago

    Hello im having an issue extending the schema, when i do the update-Admpwdadschema command this comes up:

    PS C:\Users\administrator.ICT> update-admpwdadschema
    update-admpwdadschema : An operation error occurred.
    At line:1 char:1
    + update-admpwdadschema
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema

    Ive ran as admin, checked user privileges and registered a dll, schmmgmt.dll, that a guy said might fix it.

    any ideas?

Leave a reply to Garrett Petschke Click here to cancel the reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account