Ah, User RID 500… Otherwise known as Administrator. It’s on every Windows system on your network. It doesn’t lockout and you can’t delete it. You can rename but big deal – that only trips up script kiddies. You can disable Administrator but that has some important limitations and caveats.

All of this has made the local admin account target #1 for attackers. To get companies to stop re-using the same password for Administrator on every computer, Microsoft released LAPS (Local Administrator Password Solution) a few years ago. LAPS takes over management of Administrator’s password assigning a unique randomly generated password for each system. LAPS stores the passwords in Active Directory where access is governed by AD permissions.

In this this real training for free event, I will show you how LAPS works and pivot to how attackers leverage LAPS to gain information and even attempt to attack LAPS itself to gain control of local admin accounts.

I’ll show you the major components of LAPS such as:

  • LAPS schema extensions to AD
  • Local LAPS agent
  • Client-side GPO extension
  • Interactive LAPS application
  • PowerShell tools

Then as we shift to the security and risks of LAPS we’ll consider:

  • How attackers might use LAPS to gain information about the environment
  • LAPS vulnerabilities and attack methods
  • Important LAPS best practices and security checks you should run if you are using LAPS

At the end of the day, most security researchers agree that LAPS is a decent implementation for what it does but it is very much a point solution. It only addresses the local Administrator account which is one very important but narrow issue when it comes to privileged account management.

We should never be using the local administrator account anyway for any kind of normal day-to-day administration. The local admin account is a necessary evil just like root on Unix; it’s there for when your domain and local systems are so fried the only way to access the system is with a local privileged account. A generic, all powerful account with no accountability between IT staff.

In addition to everything else you do to secure Administrator, if you are following best practice and avoid ever using Administrator, then you should set a highest level alert in your SIEM for whenever it sees a successful logon by Administrator – or whatever you renamed it to.

So, implementing LAPS – securely – and doing the necessary monitoring of LAPS related attributes in AD and LAPS events on member computers will help you reduce the risks associated with “Administrator”. But we’ll take it further with our sponsor BeyondTrust, who will briefly show you how their technology suite provides comprehensive management of privilege across the entire AD/Windows/Unix environment including passwords, least privilege and auditing.

Please join us for this on-demand real training for free solution.

Profile photo of Randy Franklin Smith

Randy Franklin Smith

Microsoft MVP & Windows Security Expert, and CEO at Monterey Technology Group, Inc.

Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations.

Randy Franklin Smith began his career in information technology in the 1980s developing software for a variety of companies. During the early 1990s, he led a business process re-engineering effort for a multi-national organization and designed several mission critical, object-oriented, client/server systems. As the Internet and Windows NT took off, Randy focused on security and led his employer's information security planning team. In 1997, he formed Monterey Technology Group, Inc. where he serves as President.


  • Certified Information Systems Auditor (CISA)
  • Microsoft Security Most Valuable Professional (MVP)
  • Systems Security Certified Professional (SSCP)

Industry Memberships

  • Information Systems Security Association (ISSA)
  • Information Systems Audit and Control Association (ISACA)
  • Center for Internet Security (CIS)