How does LAPS work?

LAPS is a Client Side Extension (CSE) to Group Policy released for free by Microsoft. It creates two new protected attributes in your Active Directory schema for computer objects which are used to store the computer's Local Admin password and expiry information. Then a small client DLL is deployed to your managed Windows computers and sits unused until a Group Policy refresh operation occurs. At that point it performs its work:

  1. LAPS retrieves the current expiry date and time for the Local Administrator password on the current computer from Active Directory.
  2. If the expiry is not blank and is still in the future, nothing happens.
  3. Otherwise a new password is required, so LAPS generates one completely randomly according to your specifications (set in Group Policy).
  4. LAPS now attempts to record the new password in Active Directory, along with when the password will next expire.
  5. If that was successful, it will only then actually change the password of the Local Administrator account.
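The five steps above, modelled in PowerShell as an added illustration (this is not LAPS's own code; the function names are hypothetical, the AD reads/writes and the local password change are passed in as script blocks so it runs offline). It shows why step 4 comes before step 5: if the write to Active Directory is refused, the local account is left untouched and the password already recorded in AD stays correct.

```powershell
# Model of the LAPS rotation decision and its write ordering (added illustration, not LAPS's
# own code). The AD access and the local password change are script blocks supplied by the
# caller; the real CSE uses the ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime attributes.

function New-RandomPassword {
    param([int]$Length = 14)
    # One character from each class is guaranteed, the rest are drawn from the union
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-+=')
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $pick = { param([string]$Set) $rng.GetBytes($buf); $Set[[BitConverter]::ToUInt32($buf, 0) % $Set.Length] }
    $chars = @(); foreach ($c in $classes) { $chars += & $pick $c }
    while ($chars.Count -lt $Length) { $chars += & $pick (-join $classes) }
    -join ($chars | Sort-Object { $rng.GetBytes($buf); [BitConverter]::ToUInt32($buf, 0) })  # shuffle
}

function Invoke-LapsStyleRotation {
    param(
        [int64]$ExpiryFileTime,          # value read from ms-Mcs-AdmPwdExpirationTime (0 if blank)
        [scriptblock]$WriteToAd,         # receives password and expiry; throws if the write fails
        [scriptblock]$SetLocalPassword,  # changes the local Administrator password
        [int]$PasswordAgeDays = 30,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    # Steps 1-2: a non-blank expiry that is still in the future means there is nothing to do
    if ($ExpiryFileTime -gt 0 -and [datetime]::FromFileTimeUtc($ExpiryFileTime) -gt $Now) {
        return 'unchanged'
    }
    # Step 3: new random password according to policy (length here is a constructed setting)
    $newPassword = New-RandomPassword -Length 14
    $newExpiry = $Now.AddDays($PasswordAgeDays).ToFileTimeUtc()
    # Step 4: record in AD first; if this throws, step 5 never runs and the old password stays valid
    & $WriteToAd $newPassword $newExpiry
    # Step 5: only now change the local account
    & $SetLocalPassword $newPassword
    return 'rotated'
}

# Constructed demo: an expiry still in the future is skipped, and a refused AD write leaves the local account untouched
$script:store = @{}; $script:local = 'OldPassw0rd'
$r1 = Invoke-LapsStyleRotation -ExpiryFileTime ([datetime]::UtcNow.AddDays(5).ToFileTimeUtc()) `
    -WriteToAd { param($p, $e) $script:store['pwd'] = $p; $script:store['exp'] = $e } `
    -SetLocalPassword { param($p) $script:local = $p }
try {
    Invoke-LapsStyleRotation -ExpiryFileTime 0 -WriteToAd { throw 'AD write denied' } `
        -SetLocalPassword { param($p) $script:local = $p } | Out-Null
} catch { $r2 = "not rotated: $($_.Exception.Message)" }
"$r1; $r2; local password still 'OldPassw0rd': $($local -eq 'OldPassw0rd')"
```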

Another client service on my devices?

Not really. Think of the term "client" in its loosest sense: it is just a small 146kb file on each computer which does literally nothing until a Group Policy refresh asks it to carry out its work. So most of the time it isn't using any resources at all (apart from a tiny bit of disk space).

What is a Pass-the-Hash attack?

Windows account passwords are stored as hashes (one-way transformed, so the password itself cannot be read back) and are, in principle, accessible to anyone with access to that computer. A pass-the-hash attack uses this hash in place of the actual password to authenticate to other computers on your network that share the same account and password.

LAPS mitigates the threat of pass-the-hash attacks by ensuring each computer has a different password (and therefore a different hash) for its Local Administrator account, so a hash taken from one computer does not work on any other.

What does LAPS cost?

Microsoft released LAPS completely free. You can download it along with its technical documentation from here: https://www.microsoft.com/en-us/download/details.aspx?id=46899

What management tools come with LAPS?

LAPS is packaged with a PowerShell module and a basic Windows client UI for retrieving and manually expiring passwords.

Further Reading

For more information on Microsoft LAPS, please see the links below.

Why aren't you using Microsoft LAPS yet?

Dispelling Common Myths about Microsoft LAPS