For Windows Server 2019 and Windows 10, use the inbuilt functionality instead: https://lazyadmin.nl/it/windows-laps/
Download
Click here to Download the software
Install
Install the 32-bit or 64-bit version depending on the server, and install ALL the Management Tools.
Create a new package and use the LAPS.x64.msi file that we downloaded earlier. Make sure that you add the parameter CUSTOMADMINNAME=LAPSAdmin to your package; this will create the local admin account (LAPS itself does not create the account for you). Without this parameter you will need to deploy a script to create the account (there is no way to do this via GPO because of the security issues of deploying a password in a GPO):
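$Username = "LAPSAdmin"
$group = "Administrators"

try {
    # Create a random 14-character initial password
    $length = 14
    $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+=-'
    $password = ""
    for ($i = 1; $i -le $length; $i++) {
        # -Maximum is exclusive, so the index always falls inside the string
        $randomIndex = Get-Random -Minimum 0 -Maximum $characters.Length
        $password += $characters[$randomIndex]
    }

    # Check if user already exists using ADSI
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
    $existing = $adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }

    if ($null -eq $existing) {
        Write-Host "Creating new local user $Username." -ForegroundColor Green
        net user $Username "$password" /add /expires:never /passwordchg:no | Out-Null
        # net.exe does not throw on failure, so check its exit code to reach the catch block
        if ($LASTEXITCODE -ne 0) { throw "net user /add failed with exit code $LASTEXITCODE" }

        Write-Host "Adding local user $Username to $group group." -ForegroundColor Green
        net localgroup "$group" $Username /add | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "net localgroup /add failed with exit code $LASTEXITCODE" }
    }
    else {
        Write-Host "Setting new password for existing user $Username." -ForegroundColor Yellow
        # Preferred modern way (works on Windows 10/11/Server 2016+)
        $existing.SetPassword($password)
    }

    # /expires:never sets the account (not the password) to never expire;
    # /passwordchg:no stops the user from changing the password
    Write-Host "Ensuring account $Username never expires and its password cannot be changed by the user." -ForegroundColor Green
    net user $Username /expires:never | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user /expires failed with exit code $LASTEXITCODE" }
    net user $Username /passwordchg:no | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user /passwordchg failed with exit code $LASTEXITCODE" }

    Write-Host "LAPS-like admin account '$Username' configured successfully." -ForegroundColor Cyan
    # This prints the password in clear text, so it will appear in any
    # deployment log or transcript that captures the script's output
    Write-Host "Password: $password" -ForegroundColor Red
}
catch {
    Write-Error "Failed: $_"
}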
Setup
Open PowerShell as Administrator, with Domain Admin rights, and run:
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
Make sure the output of the above says Success.
In the same PowerShell window you need to declare the OUs where the computers will live:
Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>
Now check who has access to view the passwords in the OU:
Find-AdmPwdExtendedRights -Identity "OU NAME"
Add or remove permissions via: Set-AdmPwdReadPasswordPermission -OrgUnit <name of the OU to delegate permissions> -AllowedPrincipals <users or groups>
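An added example (not from the original page or from the LAPS tooling itself): one way to turn the Find-AdmPwdExtendedRights check above into a repeatable audit that flags principals outside an approved list. The function name, the sample OUs and the EXAMPLE\ principals are hypothetical, and the ObjectDN / ExtendedRightHolders property names are assumed to match the cmdlet's output.

```powershell
# Added example: list principals that can read LAPS passwords but are not approved.
function Get-UnexpectedLapsReader {
    param(
        # Objects shaped like Find-AdmPwdExtendedRights output (assumed properties:
        # ObjectDN and ExtendedRightHolders)
        [Parameter(Mandatory)] [object[]] $Rights,
        # Principals that are allowed to read the stored passwords
        [Parameter(Mandatory)] [string[]] $Approved
    )
    foreach ($entry in $Rights) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            # -notcontains compares case-insensitively, which suits account names
            if ($Approved -notcontains $holder) {
                [pscustomobject]@{
                    ObjectDN  = $entry.ObjectDN
                    Principal = $holder
                }
            }
        }
    }
}

# Constructed sample data (hypothetical domain and groups), so the function can be tried offline
$sample = @(
    [pscustomobject]@{
        ObjectDN             = 'OU=Workstations,DC=example,DC=com'
        ExtendedRightHolders = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins', 'EXAMPLE\Helpdesk')
    },
    [pscustomobject]@{
        ObjectDN             = 'OU=Servers,DC=example,DC=com'
        ExtendedRightHolders = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins')
    }
)
$approved = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins')

# Reports EXAMPLE\Helpdesk on the Workstations OU; the Servers OU is clean
Get-UnexpectedLapsReader -Rights $sample -Approved $approved | Format-Table -AutoSize

# Against a live domain, feed the cmdlet output in instead of the sample:
#   Import-Module AdmPwd.PS
#   $live = Find-AdmPwdExtendedRights -Identity '<name of the OU>'
#   Get-UnexpectedLapsReader -Rights $live -Approved $approved
```

Any principal the audit reports can be removed from the OU's ACL or added to the approved list once its access has been confirmed as intended.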
Group Policy
On the PC where you installed the LAPS tools, copy the following files:
C:\Windows\PolicyDefinitions\AdmPwd.admx to (on a domain controller) C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\
C:\Windows\PolicyDefinitions\en-US\AdmPwd.adml to (on a domain controller) C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US\AdmPwd.adml
Now create a Group Policy and apply it to the computers that should have a self-managed local Administrator password.

Administering
How to find the password using the GUI
On the PC with LAPS installed, run C:\Program Files\LAPS\AdmPwd.UI.exe and enter the computer name to find the password.
Using PowerShell: Get-AdmPwdPassword -ComputerName "<computername>"
To reset the password immediately: Reset-AdmPwdPassword -ComputerName <computername>
