Skip to main content
cd ../config-traps
risk/register/laps-scoping-gaps-leave-servers-sharing-one-password.html
Active Directory Credential Managementhigh severityActive Directory

LAPS Scoping Gaps Leave Servers Sharing One Password

Overview

An unlinked or partially scoped LAPS GPO leaves domain-joined servers running the same local Administrator credential baked in at imaging time. Firewalls and network segmentation do nothing to stop lateral movement once that single password or NTLM hash is recovered from any one box in the fleet.

At a glance

Unsafe setting
The Windows LAPS GPO is not linked to all OUs containing domain-joined servers, leaving them on the sysprep-baked local Administrator password.
Failure trigger
A server OU is created or a machine object is moved during a Tier restructure without the LAPS GPO link following it.
Blast radius
One dumped local Administrator hash authenticates via PsExec or WMI to every unmanaged server sharing the identical imaging-time credential.
Recommended control
Audit GPO links against the live OU tree, enforce Windows LAPS at the parent Servers OU with blocked inheritance disabled, and verify with msLAPS-PasswordExpirationTime.

Fix commands and configuration

Get-ADOrganizationalUnit -Filter *
Get-GPInheritance -Target <OU>
Update-LapsADSchema

The Trap

Windows LAPS (or the legacy LAPS CSE) is installed and configured correctly on workstation OUs but never extended to the OUs holding domain-joined servers. The GPO “Configure password backup directory” is linked to Workstations and a handful of legacy Servers OUs, but new server OUs created during a Tier 0/1/2 restructure, or servers moved out of their original container by an application team, fall outside the link scope entirely. No policy applies, so no rotation happens.

The Default State

Every server built from the same golden image inherits the local Administrator password set by the unattend.xml answer file or sysprep template. That password is never randomised post-deployment because the assumption is “LAPS handles it” — a true statement only for machines sitting inside the linked OUs. Ops teams rarely audit GPO scope against the live OU tree after reorganisations, so drift accumulates silently for years.

The Blast Radius

One compromised server yields the local Administrator NTLM hash via a single sekurlsa::logonpasswords dump. Because the credential is identical across every unmanaged server, that hash authenticates via PsExec, WMI, or SMB admin shares to the entire fleet without cracking anything. If even one Tier 0-adjacent host — a backup server, a monitoring collector with domain admin service accounts cached, or a jump box — shares that same baked-in credential, lateral movement reaches domain controller-adjacent infrastructure in minutes. Endpoint detection tools flag the malware, not the pass-the-hash pivot, because the authentication itself is legitimate.

The Lead Mechanic Fix

Run Get-ADOrganizationalUnit -Filter * against every OU containing a Computer object with an operating system matching “*Server*”, then cross-reference against Get-GPInheritance -Target <OU> to confirm the LAPS GPO is actually linked, not just present in the domain. Enable native Windows LAPS with Update-LapsADSchema, set the backup directory to Active Directory DS, enforce a 30-day PasswordAgeDays, minimum 20-character complexity, and link the policy at the parent Servers OU with block inheritance disabled so nested OUs cannot silently opt out. Audit exposure with Get-ADComputer -Filter * -Properties msLAPS-PasswordExpirationTime | Where {$_."msLAPS-PasswordExpirationTime" -eq $null} and remediate every result before the next patch cycle.