No LAPS: One Local Admin Hash, Every Domain Host
Every workstation imaged from the same MDT or SCCM task sequence carries an identical local Administrator NTLM hash, and without LAPS rotating it, one compromised endpoint yields pass-the-hash access across the entire fleet. Domain lockout policy and Conditional Access never see local logons, so lateral movement proceeds unlogged until a domain credential surfaces.
At a glance
- Unsafe setting
- Local Administrator password set once during imaging and never rotated across the domain-joined fleet.
- Failure trigger
- One endpoint compromise exposes an NTLM hash valid on every other host imaged from the same build.
- Blast radius
- Pass-the-hash lateral movement from a single workstation to the entire fleet, undetected by domain-level monitoring.
- Recommended control
- Deploy Windows LAPS with a domain-root GPO enforcing 30-day rotation and AD-backed password storage.
Fix commands and configuration
Update-LapsADSchema -ConfirmPasswordComplexityPasswordLengthThe Trap
Local Administrator password uniformity across a domain-joined Windows fleet, caused by never deploying Local Administrator Password Solution (LAPS) at all — not a scoping gap in an existing LAPS rollout, but a complete absence of password rotation infrastructure.
The Default State
Windows Server and Windows 11 do not ship with LAPS enabled by default. Windows LAPS has existed since KB5025785 (April 2023) for Server 2019/2022 and Windows 10/11, but it requires explicit schema extension via Update-LapsADSchema and a linked GPO before it does anything. In practice, most estates set the built-in Administrator password once, during imaging: MDT and SCCM task sequences bake it into unattend.xml or run a Set-LocalUser step against a golden image, then replicate that image across thousands of endpoints. The password is never touched again unless an engineer manually rotates it host by host, which does not scale and does not happen.
The Blast Radius
Because every host shares the same local Administrator NTLM hash, a single compromised workstation gives an attacker a pass-the-hash key that works identically on every other domain-joined machine. There is no local account lockout policy enforced consistently across the fleet, and local logons never touch domain-level Conditional Access or sign-in risk scoring, so the lateral movement is invisible to identity monitoring. A dump via sekurlsa::logonpasswords on one laptop, followed by wmiexec or psexec against the rest of the subnet using the same hash, reaches file servers, jump boxes, and eventually a host with a cached Domain Admin session — all before a single domain authentication event fires an alert.
The Lead Mechanic Fix
Deploy Windows LAPS, not legacy AdmPwd. Run Update-LapsADSchema -Confirm to extend the schema, then create a GPO at the domain root — not scoped to a subset of OUs — under Computer Configuration > Policies > Administrative Templates > LAPS. Set PasswordComplexity to large letters, small letters, numbers, and specials; PasswordLength to 20; PasswordAgeDays to 30; and BackupDirectory to Active Directory. Confirm rotation with Get-LapsADPassword -Identity <hostname> -AsPlainText. Where the built-in Administrator account is not needed interactively, disable it entirely with Set-LocalUser -Name Administrator -Enabled $false after confirming LAPS-managed access works through the alternate managed account LAPS creates.