Microsoft LAPS is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints.
After the schema update, two new attributes appear:
To write these two attributes, each computer has to be granted access to them. Delegate this permission to the whole domain:
Create a GPO based on the LAPS GPO template. As a pattern, you can use the following settings:
If you want, modify the password rules and link the policy to the domain root (excluding domain controllers).
Be careful not to apply the policy to domain controllers!
Add Domain Controllers under Advanced settings and set Read Attribute to "Deny".
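The steps above can be scripted and then verified from an admin workstation. The following is an added example, not part of the original page: it assumes the LAPS management tools (AdmPwd.PS module) and the RSAT ActiveDirectory module are installed, that ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime are the two attributes the schema update adds, and that the delegation cmdlet accepts the domain root as its target.

```powershell
# Added example. Run as a Schema Admin for step 1 and a Domain Admin for the rest.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName            # domain root DN
$dcOU     = $domain.DomainControllersContainer   # Domain Controllers OU DN

# 1. One-time schema extension that adds the two LAPS attributes.
Update-AdmPwdADSchema

# 2. Let each computer account write its own password attributes.
#    Assumption: the domain root DN is a valid target here, matching the
#    page's "delegate to the whole domain". Otherwise pass top-level OUs.
Set-AdmPwdComputerSelfPermission -OrgUnit $domainDN

# 3. Audit who holds extended rights and can therefore read stored passwords.
#    Review every holder; anything beyond the intended admin groups is a finding.
Find-AdmPwdExtendedRights -Identity $domainDN |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 4. Confirm the GPO is not reaching domain controllers: no DC should have
#    a LAPS expiration timestamp once the Deny entry is in place.
$managedDCs = Get-ADComputer -SearchBase $dcOU -Filter * `
        -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' }

if ($managedDCs) {
    Write-Warning "LAPS policy applied to domain controllers:"
    $managedDCs | Select-Object -ExpandProperty Name
} else {
    Write-Output "No domain controller is managed by LAPS."
}

# 5. Coverage check: enabled member computers (primaryGroupID 515) that have
#    not yet stored a password, i.e. the policy or client is missing there.
Get-ADComputer -LDAPFilter '(&(primaryGroupID=515)(!(ms-Mcs-AdmPwdExpirationTime=*)))' |
    Where-Object Enabled |
    Select-Object Name, DistinguishedName
```

Steps 3 to 5 only read from the directory and can be rerun at any time, for example after the first Group Policy refresh cycle.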