Local administrator accounts are still one of the biggest attack vectors in enterprise environments—and in my experience, one of the hardest habits for IT teams to break.
I’ve seen environments where every support technician had permanent local admin access “just in case,” shared passwords existed across hundreds of machines, and no one could confidently answer who last used admin rights. It works—until it doesn’t. The moment ransomware or lateral movement hits, those same shortcuts become your biggest liability.
This is exactly where Windows LAPS (Local Administrator Password Solution) has evolved into a must-have control, especially in modern Microsoft Entra ID (Azure AD) environments.
In this article, I’ll walk through:
- How to implement Windows LAPS properly (not just enable it)
- How to remove persistent local admin access safely
- How to enable secure, auditable elevation using approved tools
- Real-world pitfalls and what actually works in production
Quick Fix Summary
If you’re short on time, here’s the practical path forward:
- ✅ Deploy Windows LAPS with Entra ID or Active Directory backup
- ✅ Remove all persistent local admin group memberships via policy
- ✅ Use Just-In-Time (JIT) elevation tools (e.g., Endpoint Privilege Management)
- ✅ Audit and monitor all privileged access regularly
- ✅ Block shared/local admin password reuse across endpoints
Why Persistent Local Admin Access Is a Problem
The Real Risk (From Experience)
In multiple environments I’ve audited:
- Same local admin password used across entire fleets
- IT staff added permanently to local Administrators group
- No logging of privilege usage
- Credential dumping tools (Mimikatz-style LSASS access) harvesting admin password hashes and tokens from memory
Once an attacker holds one local admin credential that is reused across the fleet, lateral movement is trivial: the same hash or password works on every host that shares it.
What Is Windows LAPS (Modern LAPS)
Modern Windows LAPS is built into Windows 10, Windows 11 and Windows Server (delivered in the April 2023 cumulative update and every later build). It replaces the legacy LAPS MSI and backs each device's password up to exactly one of:
- Active Directory
- Microsoft Entra ID
Key Features
- Unique local admin password per device
- Automatic password rotation on a schedule, plus optional post-authentication rotation (reset the password and log the session off a set number of hours after the managed account is used, so a retrieved password is effectively single-use)
- Storage in AD (with optional encryption of the stored password) or Entra ID, readable only by principals you grant
- Role-based access to retrieve passwords
- Auditing of password access
Step-by-Step: Implement Windows LAPS (Entra ID / Azure AD)
Step 1: Enable LAPS in Entra ID
- Go to Microsoft Entra Admin Center
- Navigate to: Devices → Device Settings
- Enable:
- Local admin password solution (LAPS)
Step 2: Configure LAPS Policy via Intune
- Go to Microsoft Intune Admin Center
- Navigate to: Endpoint Security → Account Protection → Create Policy
- Select:
- Platform: Windows 10 and later
- Profile: Local admin password solution (Windows LAPS)
Key Settings to Configure
| Setting | Recommended Value |
|---|---|
| Backup Directory | Microsoft Entra ID (Azure AD) |
| Password Age Days | 7–30 (7 is the minimum for an Entra backup; the default is 30) |
| Password Length | 14+ characters (default 14, maximum 64) |
| Password Complexity | Level 4: upper, lower, digits and special characters (the default) |
| Administrator Account Name | Leave blank to manage the built-in RID-500 account, or set a custom name. LAPS does not create a custom account, so provision it separately before the policy lands |
| Post Authentication Actions | Reset the password and log off the managed account, with a delay of a few hours, so a retrieved password cannot be reused indefinitely |
Step 3: Assign Policy to Devices
- Target:
- All corporate devices OR
- Pilot group first (recommended)
Step 4: Verify LAPS is Working
On a device, run:
Get-LapsDiagnostics
This collects the LAPS operational event log and the effective policy into a zip for analysis; it is not a pass/fail check on its own. The quickest signal is the LAPS operational log itself (Event Viewer → Applications and Services Logs → Microsoft → Windows → LAPS → Operational): a failed backup is logged as an error, and the local password is not rotated until the backup succeeds.
Check password retrieval in Entra:
- Devices → Select Device → Local administrator password recovery
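The checks above, as an added example that is not part of the original article: Part 1 runs on the device and confirms that a policy actually arrived, forces a policy run and reads the LAPS operational log; Part 2 runs from an admin workstation with the Microsoft Graph PowerShell SDK and confirms the directory holds a fresh backup without ever printing the secret. The device name `PC01`, the registry paths checked (the CSP and GPO policy locations Windows LAPS reads) and the Graph scopes are assumptions for this example.

```powershell
# Added example: verify Windows LAPS on one Entra-joined device.
# Assumptions: LAPS module present (Windows 11 22H2+ / April 2023 update or later),
# Microsoft.Graph.Authentication installed for Part 2, device name 'PC01' is illustrative.

# ---------- Part 1: on the device (elevated PowerShell) ----------
function Test-LapsDevice {
    # Intune (CSP) and Group Policy deliver LAPS settings to different keys;
    # if neither exists, no policy has been applied and nothing will rotate.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',                            # CSP (Intune)
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'      # Group Policy
    )
    $policy = $paths | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } | Select-Object -First 1
    if (-not $policy) {
        Write-Warning 'No LAPS policy found in the CSP or GPO registry location. Check Intune/GPO assignment.'
        return $null
    }
    # BackupDirectory: 0 = disabled, 1 = Microsoft Entra ID, 2 = Active Directory
    $backup = @{0 = 'Disabled'; 1 = 'Entra ID'; 2 = 'Active Directory'}[[int]$policy.BackupDirectory]

    # Force an immediate policy run instead of waiting for the next scheduled cycle.
    Invoke-LapsPolicyProcessing

    # Read the outcome from the LAPS operational channel. An Error-level event means
    # the backup failed and the local password was NOT rotated.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        BackupTarget   = $backup
        PasswordAge    = $policy.PasswordAgeDays
        PasswordLength = $policy.PasswordLength
        ManagedAccount = if ($policy.AdministratorAccountName) { $policy.AdministratorAccountName } else { 'built-in (RID 500)' }
        RecentErrors   = @($events | Where-Object LevelDisplayName -eq 'Error').Count
        LastEvent      = ($events | Select-Object -First 1).Message
    }
}
Test-LapsDevice | Format-List

# ---------- Part 2: from an admin workstation ----------
function Get-LapsBackupStatus {
    param([Parameter(Mandatory)][string]$DeviceName)
    # DeviceLocalCredential.Read.All is the Graph scope that permits reading the password.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome
    # -DeviceIds accepts an Entra device name or object id. Without -AsPlainText the
    # password comes back as a SecureString, so nothing secret lands in a transcript.
    $cred = Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords
    if (-not $cred) {
        Write-Warning "No password backed up for $DeviceName yet: policy has not run, or the backup failed."
        return $null
    }
    [pscustomobject]@{
        DeviceName         = $cred.DeviceName
        Account            = $cred.Account
        PasswordUpdateTime = $cred.PasswordUpdateTime
        PasswordExpiration = $cred.PasswordExpirationTime
        # Expired-but-never-refreshed is the signature of a silently failing device.
        StaleBackup        = $cred.PasswordExpirationTime -lt (Get-Date)
    }
}
Get-LapsBackupStatus -DeviceName 'PC01' | Format-List
```

Run Part 1 on a pilot device before and after assigning the Intune profile: the first run should warn that no policy exists, the second should show `BackupTarget = Entra ID` and zero recent errors. `StaleBackup = True` in Part 2 across many devices is the signal to go look at the operational log on those machines rather than at the policy.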
Step-by-Step: Remove Persistent Local Admin Access
This is where most environments fail—not in deploying LAPS, but in removing bad habits.
Step 1: Audit Current Local Admin Membership
Run:
Get-LocalGroupMember -Group "Administrators"
Or remotely:
Invoke-Command -ComputerName PC01 {
Get-LocalGroupMember -Group "Administrators"
}
Step 2: Remove Unnecessary Accounts
- Remove everything that is not on a deliberate allow-list:
- Domain user accounts added by hand
- IT staff accounts
- Service accounts (unless required and documented)
- Keep the built-in Administrator account (the one LAPS manages) and the domain group(s) your policy will enforce in Step 3, otherwise you lock yourself out of the machine.
Step 3: Enforce via Policy (Intune or GPO)
Use:
Intune:
Endpoint Security → Account Protection → Create Policy → Profile: Local user group membership
Set:
- Administrators group = controlled list only, using the action "Add (Replace)"; Replace removes anything not on the list on every policy refresh, whereas "Add (Update)" only appends
- GPO equivalent: Computer Configuration → Windows Settings → Security Settings → Restricted Groups, with the list in "Members of this group" (same replace semantics)
Step 4: Validate Removal
net localgroup administrators
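Steps 1 through 4 of this section as one script, added here as an example and not code from the original article: it audits the Administrators group across a list of devices, flags every member that is not the built-in RID-500 account or on an explicit allow-list, and then, as a separate and reviewable step, removes the flagged members. The computer names, the `CONTOSO\...` group names and the event of orphaned SIDs are constructed for the example; WinRM must be enabled and the caller must already hold admin rights on the targets.

```powershell
# Added example: fleet audit of local Administrators with controlled removal.
# Assumptions: WinRM enabled, caller is admin on the targets, names below are placeholders.
$Computers = @('PC01', 'PC02')                      # constructed sample list
$Allowed   = @(                                      # members that MAY remain
    'CONTOSO\Domain Admins',                         # placeholder domain group
    'CONTOSO\Workstation-Admins-EPM'                 # placeholder group used by your JIT tool
)

$Audit = {
    param([string[]]$AllowedMembers)
    # The built-in Administrator keeps RID 500 whatever it is called; LAPS manages it,
    # so it is always allowed. Resolve its current name from the SID, not from 'Administrator'.
    $builtin = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).Name
    try {
        # On Windows PowerShell 5.1 this cmdlet throws when the group contains an
        # orphaned SID (deleted domain account), hiding every other member with it.
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object Name, ObjectClass
    } catch {
        # Fallback: enumerate through ADSI, which tolerates unresolvable entries.
        $group   = [ADSI]'WinNT://./Administrators,group'
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
            [pscustomobject]@{
                Name        = ($path -replace '^WinNT://', '' -replace '/', '\')   # DOMAIN\name
                ObjectClass = $class
            }
        }
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Member       = $m.Name
            ObjectClass  = $m.ObjectClass
            Allowed      = ($m.Name -eq "$env:COMPUTERNAME\$builtin") -or ($AllowedMembers -contains $m.Name)
        }
    }
}

# Step 1/4: audit. (,$Allowed) passes the array as a single argument.
$report = Invoke-Command -ComputerName $Computers -ScriptBlock $Audit -ArgumentList (,$Allowed)
$report | Sort-Object ComputerName, Allowed |
    Format-Table ComputerName, Member, ObjectClass, Allowed -AutoSize

# Step 2: removal is explicit and per-machine. With $DryRun = $true the cmdlet
# only reports what it would do; flip it after you have read the report.
$DryRun = $true
$Remove = {
    param([string[]]$Members, [bool]$WhatIf)
    foreach ($name in $Members) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $name -WhatIf:$WhatIf
    }
}
foreach ($grp in ($report | Where-Object { -not $_.Allowed } | Group-Object ComputerName)) {
    $names = @($grp.Group | ForEach-Object Member)
    # "$names, $DryRun" is a two-element array: the name list and the switch.
    Invoke-Command -ComputerName $grp.Name -ScriptBlock $Remove -ArgumentList $names, $DryRun
}
```

Pull the report into a ticket before you change anything: the list of non-allowed members per machine is also the list of people who will call the helpdesk when the Step 3 policy lands. Leave the Intune or GPO policy to do the ongoing enforcement; this script is for the one-time clean-up and for spot checks afterwards.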
Implement Secure Elevation (Instead of Permanent Admin Rights)
Removing admin access without a replacement will break operations. This is where many rollbacks happen.
Option 1: Endpoint Privilege Management (Recommended)
Microsoft Intune Suite provides:
- Just-in-time elevation
- Application-based elevation
- Approval workflows
- Full audit logging
Option 2: RunAs / Temporary Elevation
Example:
Start-Process powershell -Verb runAs
This only raises a UAC prompt: it still needs an account that is already a member of Administrators (the user's own, or one whose credentials are typed in), so by itself it does not remove standing admin rights. In a small environment the pragmatic version is a separate admin account per technician (or the LAPS-managed account, retrieved per ticket) used only through RunAs, combined with a time limit on any group membership you hand out. Not ideal for enterprise control, but workable at small scale.
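A time-boxed grant of the kind just described, as an added example that is not part of the original article and not an EPM feature: it adds a user to the local Administrators group, schedules the removal as SYSTEM so it happens even if the technician forgets, and writes the grant and the revocation to the Application log for audit. The user name, the ticket text and the event source name `TemporaryLocalAdmin` are placeholders; the function must run elevated on the target machine.

```powershell
# Added example: "JIT-lite" local admin grant with automatic, logged revocation.
# Assumptions: run elevated on the target machine; event source and user are placeholders.
function Grant-TemporaryLocalAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Member,           # e.g. 'CONTOSO\jdoe' (placeholder)
        [int]$Minutes = 60,
        [string]$Reason = 'not recorded',
        [string]$EventSource = 'TemporaryLocalAdmin'     # placeholder event source
    )
    # Registering the source is a one-time, admin-only action.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $expiry   = (Get-Date).AddMinutes($Minutes)
    $taskName = 'RevokeLocalAdmin-' + ($Member -replace '[\\/:*?"<>|]', '_')

    Add-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction Stop

    # Revocation runs as SYSTEM at expiry. StartWhenAvailable covers a machine that was
    # asleep at that moment; EndBoundary + DeleteExpiredTaskAfter makes the task clean itself up.
    $cmd = "Remove-LocalGroupMember -Group Administrators -Member '$Member' -ErrorAction SilentlyContinue; " +
           "Write-EventLog -LogName Application -Source '$EventSource' -EventId 1001 -EntryType Information " +
           "-Message 'Local admin revoked for $Member (granted for $Minutes min, reason: $Reason)'"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
    $trigger   = New-ScheduledTaskTrigger -Once -At $expiry
    $trigger.EndBoundary = $expiry.AddMinutes(10).ToString('s')
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -DeleteExpiredTaskAfter (New-TimeSpan -Minutes 1)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Settings $settings -Principal $principal -Force | Out-Null

    Write-EventLog -LogName Application -Source $EventSource -EventId 1000 -EntryType Warning `
        -Message "Local admin granted to $Member until $expiry by $env:USERNAME. Reason: $Reason"

    # Caveat: a logon token is built at sign-in, so an existing session does not gain
    # (or lose) admin rights until the user signs in again, and revocation does not
    # terminate processes that are already running elevated.
    [pscustomobject]@{ Member = $Member; ExpiresAt = $expiry; RevokeTask = $taskName }
}

# Usage (constructed ticket reference):
Grant-TemporaryLocalAdmin -Member 'CONTOSO\jdoe' -Minutes 30 -Reason 'Ticket 12345: printer driver install'
```

Treat this as a bridge, not a destination: it gives you an expiry and an audit trail, but not application-scoped elevation or an approval workflow, and the Step 3 "Replace" policy from the previous section will strip the membership at the next refresh unless the grant window is shorter than the policy interval or the policy allows it.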
Option 3: Third-Party PAM Tools
Common enterprise options:
- CyberArk
- BeyondTrust
- Delinea
Real-World Implementation Strategy
Here’s what actually works (based on real deployments):
Phase 1 – Visibility
- Audit all local admin access
- Identify break-glass accounts
Phase 2 – LAPS Deployment
- Deploy to pilot group
- Validate password rotation
Phase 3 – Gradual Removal
- Remove admin rights from IT staff
- Monitor impact
Phase 4 – Elevation Rollout
- Implement JIT tools
- Train support staff
Phase 5 – Enforcement
- Lock down local admin group via policy
Additional Tips / Pro Tips
✅ Pro Tip: Rename the Default Administrator Account
Attackers target known names like "Administrator". Treat the rename as a speed bump, not a control: the account keeps RID 500 and is trivially enumerable, so a determined attacker finds it anyway. LAPS keeps managing it by RID regardless of the name; the unique, rotating password is what actually protects it.
⚠️ Warning: Don’t Remove Admin Rights Too Quickly
You’ll break:
- Software installs
- Legacy apps
- Support workflows
Always phase changes.
✅ Pro Tip: Monitor LAPS Access
Track who retrieves passwords:
- Entra audit logs
- SIEM integration
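Two ways to pull that "who retrieved which password" record, added here as an example and not code from the original article. The first queries Entra audit logs through Microsoft Graph (module Microsoft.Graph.Reports); the activity name it filters on is an assumption, so confirm it against a live entry after retrieving one password yourself. The second is for AD-backed deployments: `Set-LapsADAuditing` (a real LAPS-module cmdlet) puts a SACL on the LAPS password attributes, after which every read is a 4662 event on the domain controller; the script resolves the attribute GUIDs from the schema instead of hard-coding them. The OU, DC name and lookback window are placeholders.

```powershell
# Added example: find out who retrieved LAPS passwords, for Entra ID and for AD backups.
# Assumptions: Microsoft.Graph.Reports and ActiveDirectory modules installed; names are placeholders.

function Get-LapsRetrievalsEntra {
    param([int]$Days = 7)
    Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    # ASSUMPTION: activity name for a LAPS password read. Verify in Entra > Audit logs.
    $activity = 'Recover device local administrator password'
    Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq '$activity' and activityDateTime ge $since" |
        ForEach-Object {
            [pscustomobject]@{
                When   = $_.ActivityDateTime
                Who    = $_.InitiatedBy.User.UserPrincipalName
                Device = ($_.TargetResources | Select-Object -First 1).DisplayName
                Result = $_.Result
            }
        }
}

function Enable-LapsADReadAuditing {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)
    # Adds a SACL so successful reads of the LAPS attributes on computers under the OU
    # generate 4662. The DCs must also have "Audit Directory Service Access" enabled.
    Set-LapsADAuditing -Identity $OUDistinguishedName -AuditedPrincipals 'Everyone' -AuditType Success
}

function Get-LapsRetrievalsAD {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Days = 7)
    # 4662 names attributes by schema GUID, so resolve the LAPS ones dynamically.
    $schema = (Get-ADRootDSE -Server $DomainController).schemaNamingContext
    $guids  = foreach ($attr in 'msLAPS-Password', 'msLAPS-EncryptedPassword') {
        $obj = Get-ADObject -Server $DomainController -SearchBase $schema `
                   -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        if ($obj) { ([guid]$obj.schemaIDGUID).Guid }
    }
    # Each DC logs only the reads it served; run this against every DC (or your SIEM).
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($guids | Where-Object { $data['Properties'] -match $_ }) {
            [pscustomobject]@{
                When     = $_.TimeCreated
                Who      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Computer = $data['ObjectName']       # DN of the computer object read
                Access   = $data['AccessMask']
            }
        }
    }
}

# Usage (placeholders):
# Get-LapsRetrievalsEntra -Days 7 | Format-Table -AutoSize
# Enable-LapsADReadAuditing -OUDistinguishedName 'OU=Workstations,DC=contoso,DC=com'
# Get-LapsRetrievalsAD -DomainController 'DC01' -Days 7 | Format-Table -AutoSize
```

Whichever directory you use, the useful alert is not "a password was read" but "a password was read outside a ticket, outside business hours, or by an account that reads many devices in a short window"; feed the output to the SIEM and build the rule there rather than paging on every retrieval.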
⚠️ Warning: LAPS Alone Is NOT Enough
LAPS solves password reuse—not privilege misuse.
You still need:
- Conditional Access
- Device compliance
- Endpoint detection & response (EDR)
✅ Pro Tip: Combine with Attack Surface Reduction (ASR) Rules
The rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" directly limits LSASS memory dumping; the other ASR rules reduce the chance of a user-level foothold turning into a privilege escalation. This reduces:
- Credential dumping
- Privilege escalation exploits
Troubleshooting Common Issues
LAPS Not Rotating Passwords
Check:
Get-LapsDiagnostics
Then read the LAPS operational event log it collects; a failed backup is logged as an error, and the local password is deliberately not rotated until the backup succeeds.
Common causes:
- Policy not applied (no LAPS settings delivered by Intune or GPO)
- Device not Entra joined or hybrid joined when the backup target is Entra ID, or not domain joined when it is AD
- For AD backups, the computer object lacks self-write permission on the LAPS attributes, or the schema was never extended
Cannot Retrieve Password
Check:
- RBAC roles in Entra ID: the reader needs a role that carries microsoft.directory/deviceLocalCredentials/password/read (Cloud Device Administrator, Intune Administrator, Global Administrator, or a custom role with that permission)
- Whether a password has been backed up at all; nothing is returned before the first successful backup
- Conditional Access applied to the admin doing the retrieval (the target device's compliance state does not gate retrieval)
Users Still Have Admin Rights
Check:
- Conflicting GPOs (Restricted Groups re-adding members)
- Intune policy precedence, and whether the group action is "Add (Update)" rather than "Add (Replace)"
- Users signing in with existing sessions: group membership changes take effect at the next logon
FAQ Section
1. Is Windows LAPS enough to secure local admin accounts?
No. LAPS eliminates password reuse but does not control how admin privileges are used. Combine it with privilege elevation tools.
2. Can I use LAPS with Azure AD only (no on-prem AD)?
Yes. Modern Windows LAPS fully supports Microsoft Entra ID-only environments.
3. How often should LAPS passwords rotate?
Typically every 7–30 days. High-security environments may require shorter intervals.
4. What happens if LAPS fails?
If the backup to the directory fails, LAPS does not rotate the local password, so the last successfully backed-up password stays valid and retrievable; the failure is logged on the device in the LAPS operational log. A fleet that fails silently ends up with stale passwords, which is why monitoring rotation and alerting on expired backups are critical.
5. Should IT staff have permanent local admin rights?
No. Use Just-In-Time elevation instead. Persistent admin rights significantly increase attack surface.
Conclusion / Actionable Takeaways
If you’re serious about endpoint security in 2026, removing persistent local admin access is no longer optional—it’s foundational.
Your next steps:
- Deploy Windows LAPS across all endpoints
- Audit and remove all unnecessary local admin memberships
- Implement controlled elevation (JIT or EPM)
- Monitor privileged access and enforce logging
- Continuously review and refine policies
From experience, the biggest challenge isn’t technical—it’s cultural. IT teams are used to having unrestricted access. The key is implementing controls without slowing them down, and that’s where modern tools and smart policy design make all the difference.
Last Updated
April 2026 – Reflects current capabilities of Windows LAPS, Microsoft Entra ID, and Intune Endpoint Privilege Management.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
