For Windows Server 2019 and Windows 10 (and later) with the April 2023 cumulative update or newer, use the built-in Windows LAPS instead of the legacy MSI described below: https://lazyadmin.nl/it/windows-laps/
Download
Download the legacy LAPS installer (LAPS.x64.msi / LAPS.x86.msi) from Microsoft.
Install
Install the 32-bit or 64-bit MSI to match the OS. On the management machine select ALL of the Management Tools (PowerShell module, GPO templates, fat client UI); on managed clients only the CSE (the default) is needed.
Create a new package in your deployment tool from the LAPS.x64.msi downloaded earlier and add the MSI property CUSTOMADMINNAME=LAPSAdmin to the install command line (for example: msiexec /i LAPS.x64.msi CUSTOMADMINNAME=LAPSAdmin /qn). This tells the LAPS client which local account to manage; it does NOT create the account. LAPS never creates the account for you, so if you are not using the built-in Administrator you must create it with a script such as the one below. Group Policy cannot do this: Group Policy Preferences lost the ability to set local account passwords (MS14-025) because the stored cpassword was recoverable from SYSVOL by any domain user.
$Username = "LAPSAdmin"
try {
    # Generate a random initial password. LAPS rotates it on the next policy
    # cycle, so it only has to be unguessable; nobody needs to record it.
    $length = 14
    # Single quotes: the set contains '$', which double quotes would try to expand
    $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+=-'
    # Use the OS CSPRNG rather than Get-Random, which is not cryptographically secure
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 4
    $password = ""
    for ($i = 1; $i -le $length; $i++) {
        $rng.GetBytes($buffer)
        $randomIndex = [BitConverter]::ToUInt32($buffer, 0) % $characters.Length
        $password += $characters[$randomIndex]
    }

    $group = "Administrators"
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
    $existing = $adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
    if ($null -eq $existing) {
        Write-Host "Creating new local user $Username."
        & NET USER $Username $password /add /y /expires:never
        Write-Host "Adding local user $Username to $group."
        & NET LOCALGROUP $group $Username /add
    }
    else {
        Write-Host "Setting password for existing local user $Username."
        $existing.SetPassword($password)
    }
    Write-Host "Ensuring password for $Username never expires."
    & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
}
catch {
    # The original script opened try without a catch, which does not parse in PowerShell
    Write-Error "Failed to provision ${Username}: $_"
    exit 1
}
Setup
Open PowerShell as Administrator with an account that is a member of Schema Admins (required for the schema extension) and Domain Admins, and run:
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
This adds the ms-Mcs-AdmPwd (confidential) and ms-Mcs-AdmPwdExpirationTime attributes to the computer class. Make sure the output says Success for both.
In the same PowerShell window, declare the OU(s) where the managed computers live. This grants each computer in the OU write access to its own two LAPS attributes (SELF), nothing more:
Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>
Now check who can already read the password in that OU. Any principal holding "All extended rights" on the OU (or inheriting it from above) can read the confidential ms-Mcs-AdmPwd attribute, so review this list before any client starts writing passwords:
Find-AdmPwdExtendedRights -Identity "OU NAME"
Grant read access with: Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
Grant the right to force an immediate rotation with: Set-AdmPwdResetPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
These cmdlets only add rights. To remove an unwanted extended-rights holder found above, edit the OU's ACL directly (ADSI Edit or dsacls) and re-run Find-AdmPwdExtendedRights to confirm.
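The following is an added example, not part of the original page or the LAPS product: it applies the delegation steps above to several OUs in one run and then audits the result, warning about any extended-rights holder that is not on an expected list. The OU distinguished names, the LAPS-Readers and LAPS-Resetters groups, the CORP domain and the expected-holder list are placeholders for your environment.

```powershell
# Added example: delegate LAPS rights over several OUs and flag principals that
# can already read ms-Mcs-AdmPwd. All names below are placeholders.
Import-Module AdmPwd.PS

$OUs = @(
    'OU=Workstations,DC=corp,DC=example',
    'OU=Servers,DC=corp,DC=example'
)
$ReadGroup  = 'LAPS-Readers'      # helpdesk: may read the password
$ResetGroup = 'LAPS-Resetters'    # smaller group: may force an immediate rotation

# Principals expected to hold "All extended rights" on these OUs.
# Anything else can read the password and should be removed by hand (ADSI Edit / dsacls),
# because the AdmPwd cmdlets only grant rights, they never revoke them.
$Expected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', "CORP\$ReadGroup")

foreach ($ou in $OUs) {
    # Let each computer in the OU write its own ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $ReadGroup  | Out-Null
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $ResetGroup | Out-Null

    # Audit: Find-AdmPwdExtendedRights returns one entry per OU (including child OUs)
    # with the DN and the list of principals holding extended rights there.
    foreach ($entry in Find-AdmPwdExtendedRights -Identity $ou) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            if ($Expected -notcontains $holder) {
                Write-Warning "$($entry.ObjectDN): unexpected extended-rights holder '$holder' can read LAPS passwords"
            }
            else {
                Write-Host "$($entry.ObjectDN): $holder (expected)"
            }
        }
    }
}
```

Run it once before the GPO is linked and again after any OU ACL change; an unexpected holder is usually a legacy delegation (helpdesk "Full Control" on the OU) that now silently grants password read.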
Group Policy
On the PC where you installed the LAPS management tools, copy the following files into the central store on a domain controller (create the PolicyDefinitions folder if it does not exist yet):
C:\Windows\PolicyDefinitions\AdmPwd.admx to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\
C:\Windows\PolicyDefinitions\en-US\AdmPwd.adml to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US\
Now create a Group Policy and link it to the OU(s) containing the computers whose local Administrator password should be self-managed. The settings live under Computer Configuration > Policies > Administrative Templates > LAPS: set "Enable local admin password management" to Enabled, set "Name of administrator account to manage" to the same name used for CUSTOMADMINNAME (LAPSAdmin), and set "Password Settings" (complexity, length, age) to your standard. Leave "Name of administrator account to manage" unconfigured only if you manage the built-in RID 500 Administrator.
Administering
How to find a password using the GUI
On the PC with the LAPS management tools installed, run C:\Program Files\LAPS\AdmPwd.UI.exe and enter the computer name to display the current password and its expiration time.
Using PowerShell (the AdmPwd.PS module must be imported): Get-AdmPwdPassword -ComputerName <computername>
To have the password rotated immediately: Reset-AdmPwdPassword -ComputerName <computername>
Note that Reset-AdmPwdPassword only sets the expiration time in AD to now; the password actually changes when the client next applies Group Policy (by default within about 90 minutes), so the old value stays valid until then.
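The following is an added example, not part of the original page or the LAPS product, of the day-to-day pattern a practitioner should use: read the password, use it once, then request a reset so the value that was just displayed (and probably pasted somewhere) stops being valid. The computer name WKS-0001 is a placeholder.

```powershell
# Added example: read a LAPS password, use it for one remote command, then burn it.
# Computer name is a placeholder.
Import-Module AdmPwd.PS

function Invoke-WithLapsPassword {
    param(
        [Parameter(Mandatory)] [string]      $ComputerName,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [string] $AdminName = 'LAPSAdmin'
    )
    # Get-AdmPwdPassword returns ComputerName, DistinguishedName, Password, ExpirationTimestamp
    $entry = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $entry.Password) {
        throw "No LAPS password stored for $ComputerName (client not yet managed, or you lack read rights on the OU)"
    }
    if ($entry.ExpirationTimestamp -lt (Get-Date)) {
        Write-Warning "Password for $ComputerName expired $($entry.ExpirationTimestamp) but the client has not rotated it yet"
    }

    # Local account credential: COMPUTER\LAPSAdmin
    $secure = ConvertTo-SecureString $entry.Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential("$ComputerName\$AdminName", $secure)

    try {
        Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock $ScriptBlock
    }
    finally {
        # Expire the password now; the client rotates it at its next Group Policy refresh.
        # Until then the value we just read is still valid, so do this immediately after use.
        Reset-AdmPwdPassword -ComputerName $ComputerName | Out-Null
        Write-Host "Reset requested for $ComputerName; the password just used will be rotated."
    }
}

Invoke-WithLapsPassword -ComputerName 'WKS-0001' -ScriptBlock { whoami; Get-Service WinRM }
```

Two caveats: the caller needs both the read right and the reset right on the OU (Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission), and remote use of a non-built-in local administrator over WinRM is blocked by UAC remote restrictions unless LocalAccountTokenFilterPolicy is set to 1 on the target, so this pattern is simplest with the RID 500 Administrator or with an interactive/RDP logon instead of Invoke-Command.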