LAPS – Local Administrator Password Management

  1. Install AdmPwd.Setup.x64.msi on a management server with all options
  2. Install the same AdmPwd.Setup.x64.msi file on the managed machines

Using a script, for example:

msiexec /i \\server\share\LAPS.x64.msi /quiet

An alternative method of installing on managed clients is to copy AdmPwd.dll to the target computer and register it with this command:

regsvr32.exe AdmPwd.dll

  1. To update the schema:

Import-Module AdmPwd.PS

Update-AdmPwdADSchema

  1. Remove extended permission

Open ADSIEdit

  1. Right-click the OU that contains the computer accounts that you are installing this solution on and select Properties.
  2. Click the Security tab
  3. Click Advanced
  4. Select the Group(s) or User(s) that you don’t want to be able to read the password and then click Edit.
  5. Uncheck All extended rights

  1. Adding Machine rights

Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

Example: Set-AdmPwdComputerSelfPermission -OrgUnit Servers

  1. Adding User Rights

Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>

Set-AdmPwdResetPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>

  1. Configure GPO for LAPS
  2. You can get the password with the GUI or PowerShell:

Get-AdmPwdPassword -ComputerName <computername>

You can reset the password expiration date with the GUI or with PowerShell:

Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>
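
To check the result of the "Remove extended permission" and "Adding User Rights" steps, the following added example (not part of the original post) lists every principal that still holds extended rights on the OU and flags any that are not on an approved list. The OU name Servers is taken from the example above; the CONTOSO group names and the function name Get-UnexpectedLapsReader are assumptions for illustration.

```powershell
# Added example: audit who can read LAPS passwords on a managed OU.
# Assumed values (not from the page): the CONTOSO group names in -Approved
# and the helper name Get-UnexpectedLapsReader.
Import-Module AdmPwd.PS

function Get-UnexpectedLapsReader {
    param(
        [Parameter(Mandatory)] [string]   $OrgUnit,
        [Parameter(Mandatory)] [string[]] $Approved
    )
    # Find-AdmPwdExtendedRights returns objects with ObjectDN and
    # ExtendedRightHolders: the principals whose extended rights let them
    # read the stored password attribute (ms-Mcs-AdmPwd).
    foreach ($entry in Find-AdmPwdExtendedRights -Identity $OrgUnit) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            # -notcontains compares case-insensitively
            if ($Approved -notcontains $holder) {
                [pscustomobject]@{
                    ObjectDN  = $entry.ObjectDN
                    Principal = $holder
                }
            }
        }
    }
}

$unexpected = Get-UnexpectedLapsReader -OrgUnit 'Servers' -Approved @(
    'NT AUTHORITY\SYSTEM',
    'CONTOSO\Domain Admins',   # constructed domain name
    'CONTOSO\LAPS-Readers'     # constructed group passed to -AllowedPrincipals
)

if ($unexpected) {
    $unexpected | Format-Table -AutoSize
    Write-Warning 'The principals above can read LAPS passwords but are not on the approved list.'
} else {
    Write-Output 'Only approved principals hold extended rights on the OU.'
}
```

Run it again after any change to the OU's permissions or after moving computer accounts into a different OU.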

