Best Practices for Securing Local Administrator Passwords with LAPS

Why Local Administrator Password Management Matters

The Risks of Default Passwords

Using the same local administrator password across multiple devices is a common practice, but it opens up significant security risks. If just one machine is compromised, an attacker can use those credentials to move laterally across your entire network. This makes it easier for malicious actors to gain control of your systems or access sensitive data.



The Role of LAPS

The Local Administrator Password Solution (LAPS) is a tool designed to tackle this issue. It automatically generates unique passwords for local admin accounts on each device and securely stores them in Active Directory or Azure AD. By doing so, it mitigates the risk of password reuse and helps ensure that local administrator accounts remain secure.


Understanding LAPS and Its Benefits

What Is LAPS?

LAPS is a simple, effective tool for managing the passwords of local administrator accounts. It is integrated into Active Directory (or Azure AD) and automates password management, ensuring that each device in your network has a unique, periodically changing password for its local admin account. This prevents attackers from exploiting a single compromised password to access multiple machines.


Key Advantages of LAPS

The key benefits of using LAPS include:

  • Automated password rotation: LAPS automatically changes the local admin password at defined intervals.

  • Unique passwords per device: Each machine in your network will have its own unique administrator password.

  • Secure storage: LAPS stores the passwords securely in your directory, where only authorized personnel can retrieve them.

  • Easy recovery: In case you need to access a machine, LAPS allows admins to retrieve the password from Active Directory or Intune.


Getting Started: Setting Up LAPS

Basic Setup Steps

Setting up LAPS is straightforward. You'll first need to enable the LAPS feature within your Active Directory or Intune environment. This includes configuring Group Policy Objects (GPOs) to define settings such as password complexity, rotation frequency, and expiration policies.

To do this:

  1. In Active Directory, install the LAPS Management Tools.

  2. Extend the AD schema to support the ms-Mcs-AdmPwd attribute, which stores the password.

  3. Configure a GPO that applies LAPS policies to your desired device groups.

For those using Intune, LAPS can be configured within the Intune console. Define the policies and assign them to the device groups you want to manage.


Configuring Password Settings

You can customize various password settings such as:

  • Password length and complexity: Set a minimum length and require special characters to strengthen security.

  • Password expiration: Determine how often the password will change (e.g., every 30 or 90 days).

These settings ensure that the passwords are robust and compliant with your organization’s security policies.



Managing Different Device Groups with LAPS

Group Policy for Device Management

LAPS allows you to create custom policies for different device groups. This is particularly useful if you manage devices across multiple locations or departments. By segmenting your devices into specific groups, you can assign tailored LAPS policies that fit the security requirements of each location or department. For example, one group might have stricter password policies than another based on their usage or the sensitivity of the data they handle.


Role-Based Access for Admins

It’s essential to ensure that only authorized personnel have access to the LAPS-managed passwords. Using role-based access control (RBAC) in Intune or Active Directory, you can restrict who can view or reset the local admin passwords. This ensures that administrators can only access the devices they are responsible for, minimizing the risk of unauthorized access to sensitive systems.


How to Set Up LAPS Accounts for Different Device Groups in Intune

Here’s a step-by-step guide on how to set up Local Administrator Password Solution (LAPS) for different device groups in Intune, ensuring that each group has its own LAPS account and permissions.


Step 1: Create Device Groups in Intune for Each Location

  1. Log into the Microsoft Intune portal.

  2. Navigate to Devices > All Devices.

  3. Click Groups > New Group.

  4. Select Security as the group type, and name the group according to the location (e.g., "LAPS Devices - Location1").

  5. Assign devices to this group by clicking Members and adding devices that belong to that specific location.


Step 2: Configure LAPS in Intune

  1. In the Intune portal, go to Endpoint Security > Account Protection.

  2. Select Create Policy.

  3. For Platform, choose Windows 10 and later.

  4. For Profile, select Local admin password solution (Windows LAPS).

  5. Click Create, then name the policy (e.g., "LAPS - Location1").

  6. In the Configuration settings, enable the option to back up passwords to Azure AD.

  7. Customize password settings like password complexity and expiration time to meet your organization's security policies.


Step 3: Assign LAPS Policies to Specific Device Groups

  1. Once you have created your LAPS policy, in the Assignments section, select the group you created earlier (e.g., "LAPS Devices - Location1").

  2. Repeat this process for each location, creating a unique LAPS policy for each device group.


Step 4: Create Role-Based Access Control (RBAC) in Intune

  1. In Intune, navigate to Tenant administration > Roles.

  2. Click Create and name the role based on the location (e.g., "LAPS Admin - Location1").

  3. In the Permissions section, add permissions specific to LAPS, such as “Read Local Admin Password” and “Update Local Admin Password.”

  4. Assign users or administrators who should have access to this role.

  5. Under Scope, select the device group for that location, so that the admin role is restricted to the devices in that location.


Step 5: Verify the Setup

  1. Navigate to Devices > Monitor.

  2. Check if the policy has been applied correctly to the devices in each location.

  3. For each location, ensure that only the assigned LAPS admins can access and reset the local admin passwords for the devices in their group.


Automating Account Management with LAPS

Manual vs. Automatic Modes

When configuring LAPS, you have the option to choose between manual and automatic account management modes.

In manual mode, administrators create and name the local admin account themselves, while LAPS handles password rotation. This offers flexibility if you need to customize how the account behaves.

In automatic mode, LAPS can fully manage the local admin account. It will create the account, name it, and rotate its password according to the policy. This mode is ideal if you want to minimize manual intervention and streamline the process of account management.


Account Tampering Protection

LAPS provides built-in protection against tampering with local admin accounts. Once an account is managed by LAPS, any unauthorized attempts to modify it (such as changing the password or account permissions) will be blocked. This feature ensures that the integrity of the local admin account is maintained, and only authorized changes are allowed.


Security Best Practices for LAPS

Backup and Audit Logging

A key security feature of LAPS is its ability to back up passwords securely. You can configure LAPS to back up local admin passwords to either Active Directory or Azure AD. Once backed up, these passwords can be accessed only by authorized users with the necessary permissions.

Additionally, LAPS provides detailed audit logging, which tracks every password reset and access request. Monitoring these logs allows you to detect unusual behavior, ensuring that any attempts to misuse or gain unauthorized access to admin passwords are quickly identified and addressed.
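The following script is an added example (not code from the ECS LEAD article) that applies the role-based access model described under "Role-Based Access for Admins" and the auditing described above to the Active Directory backup path, using the Windows LAPS PowerShell module. The OU distinguished names and the per-location group names are placeholders; the cmdlets are the module's own.

```powershell
# Added example (not code from the ECS LEAD article). Run on a domain-joined
# admin workstation with RSAT and the Windows LAPS PowerShell module.
# OU distinguished names and group names below are placeholders.
Import-Module LAPS

# One OU per location, and one group per location that may read passwords.
$locations = @{
    'Location1' = @{ OU      = 'OU=Location1,OU=Workstations,DC=example,DC=com'
                     Readers = 'EXAMPLE\LAPS-Readers-Location1' }
    'Location2' = @{ OU      = 'OU=Location2,OU=Workstations,DC=example,DC=com'
                     Readers = 'EXAMPLE\LAPS-Readers-Location2' }
}

foreach ($name in $locations.Keys) {
    $loc = $locations[$name]

    # Computers in the OU must be able to write their own password back to AD.
    Set-LapsADComputerSelfPermission -Identity $loc.OU

    # Only this location's group may read, and force expiry of, passwords here.
    Set-LapsADReadPasswordPermission  -Identity $loc.OU -AllowedPrincipals $loc.Readers
    Set-LapsADResetPasswordPermission -Identity $loc.OU -AllowedPrincipals $loc.Readers

    # Audit every successful read of the password attributes in this OU so
    # that each retrieval is recorded in the domain controllers' Security log.
    Set-LapsADAuditing -Identity $loc.OU -AuditedPrincipals 'Everyone' -AuditType Success
}

# Review step: list every principal holding extended rights on each OU
# (extended rights include the ability to read LAPS password attributes).
# Any holder other than the expected reader group is a delegation to investigate.
foreach ($name in $locations.Keys) {
    Find-LapsADExtendedRights -Identity $locations[$name].OU |
        Select-Object ObjectDN, ExtendedRightHolders | Format-List
}
```

These cmdlets act only on the Active Directory backup path; for devices that back up passwords to Azure AD, access is governed by the Intune roles and scopes described in Step 4 above.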


Password Encryption

To further enhance security, LAPS allows you to encrypt the stored passwords. Encrypted passwords are protected from unauthorized access even if the directory is compromised. This extra layer of security is especially important for organizations that handle sensitive or regulated data.


Common Troubleshooting Tips

Sync and Policy Issues

When using LAPS, you may encounter sync or policy application issues. This usually happens if a device fails to pull the latest policy from Active Directory or Intune. To resolve this, ensure that the devices are properly enrolled and that the necessary GPOs are applied.



Checking Logs and Verifying Policies

You can easily verify that LAPS is functioning correctly by reviewing the event logs on managed devices. These logs will show whether the LAPS policies have been applied and if the password has been rotated as expected. Additionally, check the LAPS-specific logs in Active Directory or Intune to monitor password changes and access events.
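The script below is an added example (not code from the ECS LEAD article) of the device-side check described here and in Step 5 above: it reports which Windows LAPS policy source is in effect, the password settings discussed under "Configuring Password Settings" (including the backup location, encryption and account-management mode), then forces a policy cycle and reads the LAPS operational event log. It assumes a Windows LAPS-capable device and runs elevated.

```powershell
# Added example (not code from the ECS LEAD article). Run elevated on a
# Windows LAPS-capable device (Windows 11 / Windows Server 2022 or later).

# Policy locations Windows LAPS reads, highest precedence first:
# Intune (CSP), then Group Policy, then local configuration.
$policySources = [ordered]@{
    'Intune (CSP)' = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    'Group Policy' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'Local config' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
}

# The settings the article discusses: backup target, account name, rotation
# interval, length/complexity, expiration protection, encryption, account mode.
$settings = 'BackupDirectory', 'AdministratorAccountName', 'PasswordAgeDays',
            'PasswordLength', 'PasswordComplexity', 'PasswordExpirationProtectionEnabled',
            'ADPasswordEncryptionEnabled', 'AutomaticAccountManagementEnabled'

# BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Active Directory.
$backupNames = @{ 0 = 'Disabled'; 1 = 'Azure AD'; 2 = 'Active Directory' }

foreach ($source in $policySources.GetEnumerator()) {
    if (-not (Test-Path $source.Value)) { continue }
    Write-Host "`n== $($source.Key): $($source.Value)"
    $props = Get-ItemProperty -Path $source.Value
    foreach ($name in $settings) {
        $value = $props.$name
        if ($null -eq $value) { continue }          # not configured by this source
        if ($name -eq 'BackupDirectory') { $value = "$value ($($backupNames[[int]$value]))" }
        Write-Host ("  {0,-40} {1}" -f $name, $value)
    }
}

# Trigger a policy cycle now instead of waiting for the scheduled run, then
# read the last week of LAPS operational events. Errors and warnings are
# listed first, since a failed backup or rotation surfaces there.
Invoke-LapsPolicyProcessing
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-LAPS/Operational'
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events | Where-Object { $_.Level -le 3 } |          # 2 = Error, 3 = Warning
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
$events | Select-Object -First 10 TimeCreated, Id, LevelDisplayName | Format-Table
```

If no policy source is listed, the device has not received a LAPS policy at all, which points back to the enrollment or GPO scoping issues described under "Sync and Policy Issues".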


How ECS LEAD Can Help with LAPS Implementation

At ECS LEAD, we understand that managing local administrator passwords across multiple devices can be challenging, especially for organizations with complex infrastructures. Our team specializes in implementing robust security solutions, including LAPS, tailored to your organization’s needs. We work closely with you to design, deploy, and manage LAPS policies that keep your systems secure while simplifying administrative tasks.


If you're looking for expert assistance in setting up and managing LAPS for your organization, feel free to reach out to us. We’re here to help you safeguard your local admin accounts with minimal disruption to your operations.
