Active Directory · Term

What is LAPS?

LAPS gives every machine a unique, automatically rotated local administrator password, breaking the password reuse that lets one stolen hash unlock an entire network. Here is what LAPS is and how to deploy it safely.

Active Directory · TermAll services
TL;DR

LAPS (Local Administrator Password Solution) is a Microsoft feature that gives every machine a unique, random local-administrator password that rotates automatically, stored in Active Directory and readable only by authorised admins. It directly breaks Pass-the-Hash lateral movement, because a local-admin hash stolen from one machine no longer unlocks any other. It is one of the highest-impact Active Directory hardening steps, with one rule: tightly control who can read the stored passwords.

By John Dill, Red Team Lead, SecureLayer7Updated

What LAPS is

Many networks share one local-administrator password across every machine, so a single stolen local-admin hash unlocks all of them, the fuel for lateral movement.

LAPS ends that. It sets a unique, random password on each machine’s local administrator account, rotates it on a schedule, and stores the current value in a protected attribute in Active Directory that only authorised administrators can read. The modern version (Windows LAPS) is built into current Windows and can also store passwords in Entra ID.

Why it matters and the one caveat

LAPS removes the password reuse that makes Pass-the-Hash so powerful:

  • A local-admin hash dumped from one machine no longer works on the next, because every machine’s password is different.
  • That alone can break a lateral-movement chain at its most common rung.

The caveat is read access: whoever can read the LAPS password attribute can get local admin on those machines. If those read rights are over-granted, an attacker who reaches such an account collects local-admin passwords directly:

  • pyLAPS.py --action get -u user -p pass -d corp.local or BloodHound’s ReadLAPSPassword edge

So LAPS shifts the risk to a small, auditable "who can read it" question.

How to use LAPS well

  • Deploy LAPS everywhere, so every machine has a unique, rotating local-admin password.
  • Restrict who can read the LAPS attribute to the minimal admin set, and audit it with BloodHound (ReadLAPSPassword).
  • Prefer Windows LAPS (built in, supports encryption and Entra ID).
  • Pair with Credential Guard and Protected Users so harvested credentials are scarce in the first place.
  • Monitor for bulk reads of LAPS passwords.

References

  1. [1]MITRE ATT&CK Enterprise Matrix(MITRE)
  2. [2]Microsoft: Best Practices for Securing Active Directory(Microsoft)
  3. [3]NIST SP 800-115 Technical Guide to Security Testing(NIST)
Related terms

Common questions

Active Directory, asked often

Need your Active Directory tested?

Scope an engagement

Test your Active Directory before an attacker does.

We run internal and Active Directory penetration tests that follow the real path from one low-privilege user to Domain Admin, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.

See all services30-min scoping call, fixed-price proposal in 48 hours.