When you talk to executives about privileged access, they hear "passwords" and "admin rights." What they don't hear is that a Windows machine built from a standard image comes with a built-in local Administrator account whose password is static, identical on every machine that came from the same image, and never rotated unless someone does it by hand. One compromised workstation therefore hands an attacker a credential that works on all of them.

Why LAPS Matters

LAPS (Local Administrator Password Solution) solves the "same password on every workstation" problem by setting a random, unique password on each machine's built-in local Administrator account and storing it in Active Directory, in a confidential attribute of the computer object (ms-Mcs-AdmPwd in the original LAPS). The password is rotated automatically, every 30 days by default, and is readable only by principals that have been explicitly granted the right to read that attribute, normally a tightly scoped security group. The computer account can write its own password and expiry time but cannot read them back. (The newer Windows LAPS built into current Windows releases works the same way, with a LAPS PowerShell module in place of AdmPwd.PS, and can also store the password in Entra ID.)

# Install the LAPS management tools; the AdmPwd.PS module ships with the LAPS MSI
# (there is no AdmPwd.PS or Laps package in the PowerShell Gallery for this)
msiexec /i LAPS.x64.msi ADDLOCAL=Management,Management.PS,Management.ADMX /quiet
Import-Module AdmPwd.PS
# Extend the schema once per forest (adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime)
Update-AdmPwdADSchema
# Let computers in the OU write their own password and expiry time
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,DC=corp,DC=local"
# Grant read access to the LAPS admins group
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations,DC=corp,DC=local" -AllowedPrincipals "CORP\LAPS Admins"
# Password length and rotation interval are Group Policy settings, not cmdlet parameters:
# Computer Configuration > Administrative Templates > LAPS > Password Settings (length 20, age 30 days).
# Refresh policy on a client to pick up the new settings:
gpupdate /force

In practice, LAPS eliminates the "admin password spreadsheet" and lets you treat each local admin password as a per-machine secret that can be expired as soon as you have used it (Reset-AdmPwdPassword sets the expiry to now, and the client rotates it at its next Group Policy refresh).
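The point that usually gets missed is that the read permission granted above is not the only way to read the attribute: anyone holding "All extended rights" on the computer objects (a delegated OU admin, an old helpdesk ACE) can read it too. The script below is an added example, not code from the original post; it audits who can actually read LAPS passwords in an OU, turns on read auditing, and wraps retrieval so the password is expired after use. It assumes the AdmPwd.PS module and RSAT are installed on the machine it runs from; the OU, the group "CORP\LAPS Admins", the expected-reader list and the computer name "WS01" are placeholders.

```powershell
# Added example (not from the original post). Assumes AdmPwd.PS (LAPS management tools) and
# RSAT are installed. OU, group names and "WS01" are placeholders for your environment.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Ou = "OU=Workstations,DC=corp,DC=local"
# Principals that are expected to hold extended rights on the OU. Domain Admins and SYSTEM
# appear by default; anything else (a helpdesk group, a service account) is a finding.
$ExpectedReaders = @("CORP\LAPS Admins", "CORP\Domain Admins", "NT AUTHORITY\SYSTEM")

function Get-LapsReaders {
    param([Parameter(Mandatory)][string]$OrgUnit)
    # "All extended rights" on a computer object is enough to read the confidential
    # ms-Mcs-AdmPwd attribute, so every holder is effectively a LAPS reader.
    Find-AdmPwdExtendedRights -Identity $OrgUnit -IncludeComputers |
        ForEach-Object { $_.ExtendedRightHolders } |
        Sort-Object -Unique
}

function Test-LapsDelegation {
    param([Parameter(Mandatory)][string]$OrgUnit, [string[]]$Expected)
    $unexpected = @(Get-LapsReaders -OrgUnit $OrgUnit | Where-Object { $_ -notin $Expected })
    if ($unexpected.Count -gt 0) {
        Write-Warning ("Unintended LAPS readers on {0}: {1}" -f $OrgUnit, ($unexpected -join ', '))
        return $false
    }
    return $true
}

function Enable-LapsReadAuditing {
    param([Parameter(Mandatory)][string]$OrgUnit)
    # Adds a SACL so every successful read of ms-Mcs-AdmPwd produces Security event 4662 on the
    # domain controller that served it (Directory Service Access auditing must be enabled as well).
    Set-AdmPwdAuditing -OrgUnit $OrgUnit -AuditedPrincipals "Everyone"
}

function Use-LapsPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][scriptblock]$AdminTask   # receives a PSCredential
    )
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    $cred  = [pscredential]::new("$ComputerName\Administrator",
                 (ConvertTo-SecureString $entry.Password -AsPlainText -Force))
    try {
        & $AdminTask $cred
    }
    finally {
        # Expire the password now; the client picks a new one at its next Group Policy refresh,
        # so the value we just used is not valid for a second session.
        Reset-AdmPwdPassword -ComputerName $ComputerName
    }
}

# Usage
Enable-LapsReadAuditing -OrgUnit $Ou
Test-LapsDelegation -OrgUnit $Ou -Expected $ExpectedReaders
Use-LapsPassword -ComputerName "WS01" -AdminTask {
    param($cred)
    Invoke-Command -ComputerName "WS01" -Credential $cred -ScriptBlock { hostname }
}
```

Run Test-LapsDelegation after every delegation change, not just at rollout: a new ACE granting full control on the OU silently adds a LAPS reader. The 4662 events from Enable-LapsReadAuditing are what tell you which account pulled which machine's password, which matters the first time a LAPS password shows up in an incident.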

PAW – The Workstation You Actually Trust

A Privileged Access Workstation (PAW) is a hardened, dedicated machine that you use exclusively for admin tasks: no mail, no web browsing, no office documents. It is not air-gapped; it needs a network path to domain controllers and admin portals. The idea is simple: separate the high-risk, internet-facing productivity environment from the high-value admin environment, so that a phishing click never lands on the same operating system as a privileged credential.

Deploying PAWs reduces the attack surface dramatically. If a user clicks a malicious link on their regular laptop, the attacker lands in a low-privilege session on a machine that holds no admin credentials, and the PAW accepts no inbound connections from the user network (host firewall default-deny, a separate VLAN, and no credentials shared with the productivity laptop). The remaining requirement is the clean-source principle: the PAW must be built, patched and managed only from systems that are at least as trusted as the PAW itself, otherwise the management path becomes the way in.
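A PAW build is only as good as its enforcement, so it is worth having a check that says whether a given machine still meets the baseline. The script below is an added example, not code from the original post: it verifies the controls described above (Credential Guard actually running, inbound traffic blocked by default on every firewall profile, Wi-Fi and Bluetooth adapters disabled, USB mass storage disabled) and applies the firewall part. Run it elevated on the PAW itself; the admin subnet 10.10.99.0/24 and the rule name are placeholders.

```powershell
# Added example (not from the original post). Run elevated on the PAW.
# The admin subnet and the firewall rule name are placeholders.
function Test-PawBaseline {
    $r = [ordered]@{}

    # Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is active
    # (2 would be HVCI). SecurityServicesConfigured only says it was requested, not that it runs.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)

    # Host firewall: every profile enabled and defaulting to Block for inbound traffic
    $bad = Get-NetFirewallProfile | Where-Object {
        "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block'
    }
    $r.FirewallBlocksInbound = ($null -eq $bad)

    # Radios: no Wi-Fi (native 802.11) or Bluetooth adapter that is still enabled
    $radios = Get-NetAdapter -IncludeHidden | Where-Object {
        ($_.PhysicalMediaType -eq 'Native 802.11' -or $_.InterfaceDescription -match 'Bluetooth') -and
        $_.Status -ne 'Disabled'
    }
    $r.RadiosDisabled = (@($radios).Count -eq 0)

    # USB mass storage: USBSTOR service start type 4 means the driver never loads
    $usb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    $r.UsbStorageDisabled = ($usb.Start -eq 4)

    $r.Compliant = -not ($r.Values -contains $false)
    [pscustomobject]$r
}

function Set-PawFirewall {
    param([string]$AdminSubnet = '10.10.99.0/24')   # placeholder: the subnet your PAWs live on
    # Default-deny inbound on every profile: the PAW initiates connections, it does not accept them.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    # The single inbound exception: WinRM over HTTPS from the admin subnet, so the PAW itself can be
    # patched from a source at least as trusted as it is (clean-source principle).
    $ruleName = 'PAW-Allow-WinRM-From-AdminSubnet'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort 5986 -RemoteAddress $AdminSubnet -Profile Domain | Out-Null
    }
}

Set-PawFirewall
Test-PawBaseline
```

Test-PawBaseline is deliberately read-only, so it can run from a scheduled task and feed a compliance report; a PAW whose Compliant flag flips to false should lose access to the admin network until someone looks at it. The radio check is a heuristic on adapter type and description; on hardware where the radios are removed or disabled in firmware it will simply find nothing, which is the result you want.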

Just‑In‑Time (JIT) Elevation

Even with LAPS and PAWs, you still need to grant privileged rights occasionally. JIT grants a group membership or role for a limited window (usually 1-4 hours) and removes it automatically when the window closes, so nobody holds standing domain admin. Azure AD Privileged Identity Management (PIM) is the most common implementation for cloud roles. On-premises Active Directory can do it natively with time-bound group membership (the Privileged Access Management optional feature, which needs a 2016 forest functional level), or you can roll your own with a simple script and AD group membership. One caveat applies to the script approach: Kerberos tickets carry group membership, so a user who already holds a TGT keeps the elevated rights until that ticket expires or is renewed (10 hours by default) unless you also purge tickets or force a re-logon. The native TTL feature avoids this by capping the ticket lifetime to the remaining membership TTL.

# Example: grant temporary membership of "Domain Admins" with a script.
# Brittle by design: if this process dies, the removal never runs, so keep the
# revoke in a finally block and monitor for memberships that outlive their window.
$User  = "jdoe"             # sAMAccountName, DN or SID; -Members does not accept "corp\jdoe"
$Group = "Domain Admins"
Add-ADGroupMember -Identity $Group -Members $User
try {
    Start-Sleep -Seconds 7200   # 2 hours
}
finally {
    Remove-ADGroupMember -Identity $Group -Members $User -Confirm:$false
}

Key points for a secure JIT implementation:

  1. Require MFA for the request
  2. Log every grant/revoke event (Event ID 4728/4729 for a member added to or removed from a global group such as Domain Admins; 4756/4757 for universal groups such as Enterprise Admins; 4732/4733 for domain local groups such as Administrators)
  3. Set a short maximum duration (1-4 hours), and remember that removing the membership does not invalidate Kerberos tickets the user already holds
  4. Notify the security team on each grant
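Here is the whole procedure in one place, as an added example that is not code from the original post: JIT elevation using Active Directory's own time-bound group membership (the "Privileged Access Management Feature" optional feature) rather than the sleep-and-remove script, enforcing the 1-4 hour maximum, plus a function that pulls the grant/revoke audit trail from the Security log. It assumes the forest "corp.local" at the 2016 functional level, the user "jdoe" and a 2-hour window, all placeholders; Get-JitAuditTrail must run on the domain controller that processed the change or against your forwarded Security log. MFA and approval for the request are not in this script; they belong in whatever front-end (PIM, a ticketing workflow) calls Grant-JitMembership.

```powershell
# Added example (not from the original post). Assumes a 2016-level forest "corp.local";
# user, group and window are placeholders. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Enable-JitFeature {
    param([Parameter(Mandatory)][string]$Forest)
    # One-time and irreversible: turns on expiring links so a membership can carry a TTL
    $f = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if (-not $f.EnabledScopes) {
        Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
            -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
    }
}

function Grant-JitMembership {
    param(
        [Parameter(Mandatory)][string]$User,      # sAMAccountName, DN or SID
        [Parameter(Mandatory)][string]$Group,
        [ValidateRange(1, 4)][int]$Hours = 2      # enforce the 1-4 hour maximum from the list above
    )
    # The directory drops the link when the TTL runs out: no sleep loop, no cleanup job to fail,
    # and the user's next TGT lifetime is capped to the remaining TTL.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Hours $Hours)
    # Return the link with its remaining TTL, e.g. "<TTL=7199,CN=jdoe,OU=Staff,DC=corp,DC=local>"
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' }
}

function Get-JitAuditTrail {
    param([Parameter(Mandatory)][string]$Group, [int]$LookbackHours = 24)
    # 4728/4729 = member added/removed from a security-enabled global group (Domain Admins);
    # 4756/4757 = the same for universal groups (Enterprise Admins, Schema Admins).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4756, 4757
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -eq $Group } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = if ($_.Id -in 4728, 4756) { 'Grant' } else { 'Revoke' }
                Member = $_.Properties[0].Value   # MemberName: DN of the account added/removed
                Group  = $_.Properties[2].Value   # TargetUserName: the group
                By     = $_.Properties[6].Value   # SubjectUserName: who made the change
            }
        }
}

# Usage
Enable-JitFeature -Forest 'corp.local'
Grant-JitMembership -User 'jdoe' -Group 'Domain Admins' -Hours 2
Get-JitAuditTrail -Group 'Domain Admins'
```

Alert on the 4728/4756 and compute the end of the window from the TTL you granted rather than waiting for a matching removal event: an expired link is dropped by the directory without an administrator writing to the group, so do not build the "did it get revoked" check around a 4729 appearing. A membership that is still visible with Get-ADGroup after its TTL should have elapsed, or one with no TTL at all on a Tier 0 group, is the finding to page on.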

Putting It All Together – A Practical Blueprint

Below is a checklist you can copy‑paste into your runbook:

# 1. Deploy LAPS to all domain-joined machines
#    - Install the LAPS CSE on every client (LAPS.x64.msi via GPO or your software deployment tool)
#    - On a management host with the LAPS management tools installed, prepare AD:
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,DC=corp,DC=local"
#    Grant read permissions to "LAPS Admins", then verify nobody else holds extended rights
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations,DC=corp,DC=local" -AllowedPrincipals "CORP\LAPS Admins"
Find-AdmPwdExtendedRights -Identity "OU=Workstations,DC=corp,DC=local"
#    Set password length 20 and age 30 days in the LAPS GPO (Password Settings) and link it to the OU
# 2. Build a PAW image (reference Microsoft hardening guide)
#    - Enable Credential Guard
#    - Disable USB storage, Wi-Fi, Bluetooth
#    - Host firewall default-deny inbound; outbound only to DCs and admin endpoints
#    - Install RSAT, Sysinternals Suite, PowerShell 7; no browser, no mail client
# 3. Configure JIT via Azure AD PIM (or the on-prem PAM feature / custom script)
#    - Enable MFA for elevation requests
#    - Set max duration 2h, approval required
#    - Enable alert on each elevation (Azure Monitor)
# 4. Operational process
#    - All admin work must be performed from a PAW
#    - LAPS passwords retrieved via Get-AdmPwdPassword only on PAWs, and expired after use with Reset-AdmPwdPassword
#    - JIT grants/revocations logged in the Security event log on the DCs (4728/4729, or 4756/4757 for universal groups)

Final Thought

LAPS, PAWs, and JIT are not silver bullets. They each solve a piece of the privileged-access puzzle. Used together, they take away the three things an attacker relies on for lasting domain admin: a reusable local admin password to move laterally with, an admin credential exposed on a phishable workstation to steal, and a standing Domain Admins membership to inherit once they have it.

Implement them, enforce the process, and you’ll see a dramatic drop in "admin password reuse" findings during audits.