LAPS is a Client Side Extension (CSE) to Group Policy released for free by Microsoft. It creates two new protected attributes in your Active Directory schema for computer objects which are used to store the computer's Local Admin password and expiry information. Then a small client DLL is deployed to your managed Windows computers and sits unused until a Group Policy refresh operation occurs. At that point it performs its work:
Not really. Think of the term "client" in its loosest sense: it is just a small 146 KB file on each computer which does literally nothing until a Group Policy refresh asks it to carry out its work. So most of the time it isn't using any resources at all (apart from a tiny bit of disk space).
Windows account passwords are stored hashed (one-way encrypted) and are, in principle, accessible to anyone with access to that computer. A pass-the-hash attack uses this hash in place of the actual password to access resources on other computers on your network with the same account/password.
LAPS mitigates the threat of pass-the-hash attacks by ensuring each computer has a different password (and therefore a different hash) for its Local Administrator account.
Microsoft released LAPS completely free. You can download it along with its technical documentation from here: https://www.microsoft.com/en-us/download/details.aspx?id=46899
LAPS is packaged with a PowerShell module and a basic Windows client UI for retrieving and manually expiring passwords.
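The expiry attribute described above can also be used to audit coverage: which computers have no LAPS password stored, and which have one that has passed its expiry without being rotated. The following is an added example, not code from the original page or from Microsoft. It assumes the legacy LAPS attribute name `ms-Mcs-AdmPwdExpirationTime`; the host names, sample records and OU path are constructed placeholders.

```powershell
# Added example: classify computer records by the state of their LAPS expiry attribute.
# ms-Mcs-AdmPwdExpirationTime holds a Windows FILETIME (100 ns ticks since 1601, UTC).
function Get-LapsCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Computer,
        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw -or [int64]$raw -eq 0) {
            # Attribute never written: the CSE has not processed on this computer.
            $state = 'NoPasswordStored'
            $expires = $null
        } else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            # Expired: no Group Policy refresh has rotated the password since expiry.
            $state = if ($expires -lt $Now) { 'Expired' } else { 'Managed' }
        }
        [pscustomobject]@{
            Name       = $Computer.Name
            State      = $state
            ExpiresUtc = $expires
        }
    }
}

# Constructed sample records (hypothetical host names) so the function runs offline.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'WS-001'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-002'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-003'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)

$sample | Get-LapsCoverage -Now $now | Sort-Object State, Name | Format-Table -AutoSize

# Against a live domain (needs the RSAT ActiveDirectory module; the OU is a placeholder):
# Get-ADComputer -SearchBase 'OU=Workstations,DC=example,DC=com' -Filter * `
#     -Properties 'ms-Mcs-AdmPwdExpirationTime' | Get-LapsCoverage
```

Computers reported as `NoPasswordStored` or `Expired` are the ones still likely to share a local administrator password with other machines, so they are the first to follow up on.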
For more information on Microsoft LAPS, please see the links below.
Why aren't you using Microsoft LAPS yet?