LAPS automatically manages and rotates unique local administrator passwords for each Windows workstation — stored in AD and accessible only to authorized admins.
Without LAPS, most organizations have the same local admin password on every workstation — perfect for lateral movement via pass-the-hash. LAPS gives every machine a unique local admin password. Free Microsoft tool.