LAPS automatically manages unique local administrator passwords per Windows workstation — stored in AD, accessible only to authorized admins, rotated automatically.
Without LAPS: same local admin password on every workstation = perfect pass-the-hash lateral movement. LAPS gives each machine a unique, rotated local admin password. Free Microsoft tool. Microsoft LAPS (2023) is the cloud-integrated successor.