Windows Local Administrator Password Solution (Windows LAPS) is a [[Windows]] feature that automatically manages and backs up the password of a [[local administrator]] account on your [[Entra Join|AzureAD Joined]] or Windows Server [[Windows Active Directory (AD)|Active Directory]]-joined devices. You can also use Windows LAPS to automatically manage and back up the [[Directory Services Restore Mode (DSRM)]] account password on your [[Windows Domain Controller (DC)|Windows Domain Controller]]. An authorized administrator can retrieve the DSRM password and use it.

[Manage Windows LAPS with Microsoft Intune policies | Microsoft Learn](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview)

# Active Directory

## Requirements

- To use Windows Server Active Directory password encryption, your domain must run at the Windows Server 2016 Domain Functional Level (DFL) or later.^[[Windows LAPS architecture | Microsoft Learn](https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts-overview)]

## Setup

Follow this Microsoft guide.

### Update to Windows Server Active Directory schema

You have to be either "Schema Admin" or "Enterprise Admin" to run this command.

```PowerShell
Update-LAPSADSchema
```

### Grant the managed device permission to update its password

Specific OU:

```PowerShell
Set-LAPSADComputerSelfPermission -Identity "OU=Computers,OU=Contoso,DC=contoso,DC=local"
```

Entire domain root:

```PowerShell
Set-LAPSADComputerSelfPermission -Identity "DC=contoso,DC=local"
```
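The two setup steps above only make the computers able to write their passwords; they say nothing about who may read them afterwards. The script below is an added example, not taken from the Microsoft guide or this page, that chains the schema update and self-permission grant with the delegation and auditing steps a defender would want next, using the other cmdlets of the in-box `LAPS` module. The OU distinguished name and the group name `CONTOSO\LAPS-Password-Readers` are placeholders; it assumes you run it on a domain member with the LAPS module present and with Schema Admin / Enterprise Admin rights for the schema step.

```powershell
# Added example (not from the page): extend the schema, delegate self-write,
# then lock down and audit password reads for one OU with Windows LAPS.
# Placeholders: the OU DN and the reader group below are assumptions.

Import-Module LAPS -ErrorAction Stop

$TargetOU    = "OU=Computers,OU=Contoso,DC=contoso,DC=local"   # placeholder OU
$ReaderGroup = "CONTOSO\LAPS-Password-Readers"                  # placeholder group

# 1. Extend the forest schema with the Windows LAPS attributes.
#    Runs once per forest; re-running on an already extended schema is harmless.
Update-LapsADSchema -Verbose

# 2. Let every computer under the OU write its own password/expiry attributes
#    (the same step the page shows for a specific OU).
Set-LapsADComputerSelfPermission -Identity $TargetOU

# 3. Explicitly delegate read access to the stored password. Without this,
#    only principals with broad rights (e.g. Domain Admins) can read it, and a
#    helpdesk group that needs it tends to get over-delegated instead.
Set-LapsADReadPasswordPermission -Identity $TargetOU -AllowedPrincipals $ReaderGroup

# 4. Review who already holds "All extended rights" on the OU. That right
#    implicitly includes reading the LAPS password, so any holder that is not
#    the intended reader group is a delegation finding to clean up.
$extendedRights = Find-LapsADExtendedRights -Identity $TargetOU
$extendedRights | Format-List

# 5. Record successful password reads in the DC security log
#    (Directory Service Access, event ID 4662) so retrievals can be reviewed.
Set-LapsADAuditing -Identity $TargetOU -AuditedPrincipals "Everyone" -AuditType Success
```

Steps 3 to 5 are what turns LAPS from "passwords are unique" into "passwords are unique and their use is accountable": step 3 scopes read access to a named group, step 4 surfaces legacy delegations that bypass that scope, and step 5 makes each retrieval visible to whoever reviews the domain controller's security log.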