Local admin passwords are the same on every PC, how do I secure that?
A local admin password identical everywhere is a disaster waiting: one stolen account equals lateral movement across the estate. Windows LAPS (built-in from Win 11/Server 2019 updates) fixes it.
Try this first
- 1Check which variant: legacy Microsoft LAPS (download), or Windows LAPS (built-in from KB5025229+ on Server 2019/2022, default in 2025 and Win 11). For new builds choose Windows LAPS.
- 2Schema extension: for on-prem AD run Update-LapsADSchema. For Entra-only or hybrid you can store in Entra ID.
- 3GPO or Intune policy: configure local admin password rotation (e.g. every 30 days) with complexity and length.
- 4ACLs: decide which security group can read the password from AD/Entra. Not all helpdesk admins, only a specific break-glass group.
- 5Test: rotate manually on a test PC (Reset-LapsPassword), read it (Get-LapsADPassword), use it for a test login.
When to bring us in
For servers and critical workstations combine LAPS with just-in-time admin via Privileged Access Management (PIM in Entra or third-party PAM). Plain LAPS is good, JIT PAM is better.
See also
- One DC or two DCs for an SMB office?Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs?For a small domain all on one DC is fine; with two DCs splitting is tidier but not required.
- How do I know my AD replication is healthy?Replication errors creep in silently; they only surface when logins or GPOs misbehave.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.