Local Administrator Password Solution
This solution automatically manages local administrator passwords on domain-joined computers, so that the password is:
Unique on each managed computerRandomly generatedSecurely stored in AD infrastructure.
Its features include: Security:
Random password that changes automatically regularlyPassword is protected during the transport via Kerberos encryptionPassword is protected in AD by AD ACLEffective mitigation of Pass-the-hash attack
Manageability:
Configurable password parameters: age, complexity, lengthAbility to force password resetSecurity model integrated with AD ACLsEnd use UI can be any AD management tools of choice,PowerShell and Fat client are providedProtection against computer account deletionEasy implementation and minimal footprint
Extensibility:
Additional encryption of password stored in ADPassword historyWeb UI.
Domain administrators who use this solution can determine which users, such as helpdesk administrators, are authorized to read passwords. Once you have downloaded the zip file for your system, viz. 32-bit or 64-bit, from Microsoft Download Center, extract them from the Installers.zip to a folder. There will be two files, AdmPwd.Setup.x64.msi and AdmPwd.Setup.x86.msi. You may also want to download the LAPS Datasheet, Operations Guide and Technical Specifications documents, as it gives a lot of information on how to use them too. If you need additional information, visit Microsoft.