March 21, 2019

Local Administrator Password Solution (LAPS) – WST


Local Administrator Password Solution (LAPS) addresses the basic issue where the same local administrator account and password are used on all hosts throughout the organization, leaving them susceptible to "Pass-the-Hash" and credential re-use attacks.

LAPS does this by leveraging a combination of an application installed on a Domain Controller, Active Directory (AD) Templates, and PowerShell modules.

The LAPS password is stored as the ms-Mcs-AdmPwd AD attribute on the associated domain computer object. LAPS credentials are also passed using Kerberos encryption by default.

Additional benefits include automated rotation of the local admin password and, where the administrator deems it appropriate, delegated read access to the password for specific staff, such as the help desk. Another practical example would be allowing a user access to an elevated account when they are in a bind, without compromising the local administrator password (e.g., the user is out of the office and unable to access VPN due to a corrupt VPN client installation, requiring re-installation with elevated credentials). Once network connectivity is restored, the LAPS password is changed automatically at the next Group Policy update, or it can be expired immediately via PowerShell.
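As an added example (not from the original post or the LAPS documentation), the following PowerShell uses the AdmPwd.PS module that ships with LAPS to delegate and audit password access for an OU and to expire a password right after a one-off use; the OU, group and computer names are placeholders.

```powershell
# Added example using the AdmPwd.PS module that ships with LAPS.
# OU, group and computer names below are placeholders for this demo.
Import-Module AdmPwd.PS

$ou       = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$helpDesk = 'CORP\HelpDesk'                        # placeholder group
$host1    = 'WKS-0001'                             # placeholder computer

# 1. Allow the managed computers to write their own rotated password and
#    expiration time into ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Delegate read access to the help desk group for this OU only.
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $helpDesk

# 3. Verify who can actually read the passwords. Inherited "All extended
#    rights" grants are a common over-delegation, so review this output
#    rather than assume only the intended group appears.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -Property ObjectDN, ExtendedRightHolders

# 4. Retrieve the current password for one host for the one-off task,
#    then expire it so the next Group Policy refresh on that host rotates it.
$laps = Get-AdmPwdPassword -ComputerName $host1
$laps | Select-Object -Property ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName $host1 -WhenEffective (Get-Date)
```

Reset-AdmPwdPassword only sets the expiration timestamp; the password itself changes when the client-side extension runs at the host's next Group Policy refresh.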

To read more about LAPS and to download all the associated components and documentation, check out this TechNet article.
