Installing LAPS

Installing LAPS

7 January 2020 0 By editeur

Update of the active directory schema:

import-module admPwd.PS



Configure the required permissions:

Before starting, it is important to verify that no unauthorized account already has the right to confidential attributes.
So, you must check in the security settings of the OU in question that the option “All rights extended” (Extended rights) is unchecked on unauthorized users:

  • Launch the command below, to give the right to each machine to reset the password of the local administrator account:
Set-AdmPwdComputerSelfPermission -OrgUnit LAPS


  • Launch the command below to authorize a group to read the passwords of machines under the OU named LAPS
Set-AdmPwdReadPasswordPermission -OrgUnit LAPS -AllowedPrincipals "Domain Admins" | ft Name, DistinguishedName, Status


  • Launch the command below to authorize a group to reset the password:
Set-AdmPwdResetPasswordPermission -OrgUnit LAPS -AllowedPrincipals "Domain Admins"


  • Launch the command below to check who has the right to confidential attributes:
Find-AdmPwdExtendedRights -Identity LAPS | Format-Table ExtendedRightHolders

Deploy LAPS on client machines via GPO:

  • Passoword settings: This parameter activates the complexity, defines the length and the lifetime of the password.
  • Name of administrator account to manage: To manage another account via LAPS, it is possible to specify it in this option. Otherwise, the administrator account with SID-500 created by default will be managed via LAPS.
  • Do not allow password expiration time than required by policy: This setting does not allow an expired password to the value already set via GPO.
  • Enable local admin password management: This setting enables or disables LAPS.


How to recover local password

  • Via the attribute editor:
  • Via LAPS GUI in admin mode: