I'm looking to implement LAPS (Local Administrator Password Solution) in my current setup, but I'm not quite sure where to start. I've got Server 2016 as my domain controllers and a few application servers running on 2019, plus Windows 11 workstations. Since I know that Windows LAPS isn't supported on 2016 and only legacy LAPS is available, I'm planning to upgrade the domain controllers to 2025, but that's not happening until next year. Is there anyone out there with a similar setup that can share what steps I could take in the meantime?
1 Answer
You can begin by deploying Windows LAPS on your member servers that are running 2019 or later. If you have older servers, legacy LAPS can work alongside it with some considerations. Just keep in mind that deploying LAPS on a domain controller is not recommended since it changes the DSRM password, which you’ll want to access offline if needed. But Windows LAPS will work perfectly with your Windows 11 workstations.
So, I can just enable LAPS in Entra/Device settings and that’s it?