# LAPS (Local Administrator Password Solution)
[Local Administrator Password Solution (LAPS)](https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview) "is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it."

## Quick install
1. Create new GPO in `Group Policy Objects` called (for example) `LAPS-workstations`
2. Go to `Computer Configuration > Policies > Administrative Templates > System > LAPS`
3. Edit the following settings:
* `Name of administrator account to manage` - leave this unconfigured if you only want to manage the built-in local `Administrator` account, but if your company's local admin account is named something like `ttadmin` then *do* enable this setting and specify that account.
* `Configure password backup directory` - choose `Active Directory`
* `Password Settings` - enable it and set the settings you like (super long/strong password, rotated aggressively, etc.)
* `Enable Password Encryption` (optional) - turn it on to encrypt passwords going across the wire
* `Configure size of encrypted password history` (optional) - set it to an appropriate number (max 12)

4. In PowerShell, under the context of an account that's part of `Domain Admins` and `Schema Admins`, run:

```
Update-LapsADSchema -Verbose
```

Answer `A` for `All`.

5. Allow computers in OU(s) to self-reset their LAPS passwords when needed:

```
Set-LapsADComputerSelfPermission -Identity 'OU=ComputersAndServers,DC=tangent,DC=town'
```

6. Run `gpupdate /force` on the DC and then reboot LAPS-controlled systems
7. Use `dsa.msc` to view/change LAPS passwords in the GUI, or `get-lapsadpassword -identity laptop-777 -asplaintext` in PowerShell.
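
Once steps 1-7 are done, it helps to confirm that every machine in the OU is actually writing a password and to see who can read them. The script below is an added example, not code from the original page or from 7MinSec; it assumes the Windows LAPS and ActiveDirectory PowerShell modules are installed, that the caller has read rights on the LAPS attributes for the OU from step 5, and that `Find-LapsADExtendedRights` (a real Windows LAPS cmdlet the page does not mention) is available.

```powershell
# Added example (not from the original page): audit LAPS coverage for the OU from
# step 5 and list who holds the extended right to read the stored passwords.
# The OU DN is the constructed example value used on this page.
$OU = 'OU=ComputersAndServers,DC=tangent,DC=town'

$report = foreach ($computer in Get-ADComputer -SearchBase $OU -Filter 'Enabled -eq $true') {
    $laps = $null
    try {
        # Without -AsPlainText the Password property stays a SecureString; the audit only
        # needs timestamps, so the secret never lands on the console or in a transcript.
        $laps = Get-LapsADPassword -Identity $computer.DistinguishedName -ErrorAction Stop
    }
    catch {
        # Either no msLAPS-* data exists yet or the caller lacks read rights; treat both as missing.
        $laps = $null
    }

    if (-not $laps) {
        # No password stored at all: the client never wrote one. On the client this usually
        # pairs with event 10066 in the LAPS Operational log (see Troubleshooting).
        [pscustomobject]@{ ComputerName = $computer.Name; Account = $null; Source = $null; Expires = $null; Status = 'Missing' }
    }
    else {
        [pscustomobject]@{
            ComputerName = $computer.Name
            Account      = $laps.Account
            Source       = $laps.Source                  # encrypted vs. cleartext storage
            Expires      = $laps.ExpirationTimestamp
            Status       = if ($laps.ExpirationTimestamp -lt (Get-Date)) { 'Expired' } else { 'OK' }
        }
    }
}

$report | Sort-Object Status, ComputerName | Format-Table -AutoSize

# Least-privilege check: every principal that can read LAPS passwords in this OU.
# Compare this list against what you intended to grant; anything unexpected is a finding.
Find-LapsADExtendedRights -Identity $OU | Format-Table -AutoSize
```

An `Expired` row means the client has not rotated since the expiration time passed; a `Missing` row is the case the Troubleshooting section covers.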

## Troubleshooting
If a LAPS-controlled machine isn't picking up a password, go to `Event Viewer > Applications and Services Logs > Microsoft > Windows > LAPS > Operational Logs`. If you see error 10066, it probably means you need to run the `Set-LapsADComputerSelfPermission` command above.

## Video demo
Here's a Tuesday TOOLSday video we did over at [7MinSec.club](https://7minsec.club) about installing LAPS in ~20 minutes:

[LAPS (Local Administrator Password Solution) quick install (Vimeo)](https://player.vimeo.com/video/1135818729)
