TechIDManager LAPS Installation on Domain Controller Instructions

4.4
Install TechIDAgent.Windows on Domain Controller for managing a shared account  

Let’s get straight to the point:
TechIDManager is a powerful replacement for Microsoft LAPS—designed to work at MSP scale across all Windows environments:

  • Domain-joined
  • Non-domain
  • Workgroup
  • EntraID-joined

Unlike Microsoft LAPS, which is limited to domain environments (and more recently Azure AD), TechIDManager LAPS is platform-agnostic. It even supports domain accounts when installed on a Domain Controller.

At the core is our TechIDAgent, which has always offered privileged access management (PAM) with unique account handling. Now, it also delivers:

  • Automated password rotation for the built-in Administrator account
  • Controlled access for selected technicians
  • Secure, zero-visibility password storage—just like all credentials in TechIDManager

Setup is simple:
Install the agent, and it will automatically rotate the Administrator password every 24 hours. You can assign access to specific techs via the admin console.

Want to get started?

Download the PowerShell setup script from our releases page

Or skip the hassle—book a White Glove install, and we’ll walk you through it

4.4.1
Download the latest TechIDAgent (version 3.156 or newer).  
4.4.2
Copy the zip file to the computer that will use TechIDManager’s LAPS (in this example the machine name is Desktop-GTBAL2).  
4.4.3
Extract the zip file to a folder (We recommend “c:\Program Files\Ruffian Software\TechIDAgent”)  
4.4.4
Run these commands from an administrator command prompt on Desktop-GTBAL2 (keep reading below for details on why the command line looks like this).  
 
cd "c:\Program Files\Ruffian Software\TechIDAgent"
TechIDAgent.exe installLAPS
TechIDAgent.exe shareduser Administrator clientguid xxx
TechIDAgent.exe start
 
4.4.5
In the TechIDPortal, make sure there is a Triplet that grants the desired techs the “ReadSharedUser” right of type “LAPS LocalMachine” for the TechIDManager LAPS agent, which will be named “Desktop-GTBAL2\Administrator” in our example.   
4.4.6
Repeat these steps for any machines you want.  

“Why does this work?” you ask. Alright, now that you know the basics of the installation, let’s talk about why and how this works and what other options you have when installing TechIDAgent.

Let’s start with the command lines that set everything up.

TechIDAgent.exe installLAPS 
TechIDAgent.exe shareduser Administrator clientguid xxx
TechIDAgent.exe start

TechIDAgent.exe – The executable to run.

installLAPS – this argument tells the TechIDAgent to install itself as a service, set all the recovery options for the service, and ONLY run the LAPS part of what TechIDAgent can do. If you are using LAPS to control a local account on a machine AND create unique accounts then you should use the command line “install” (and not “installLAPS”).

shareduser Administrator – this argument tells the TechIDAgent to control the account named “Administrator”. All the other options on the same command line apply to that instance of TechIDAgent. If you have renamed the built-in Administrator account to something else, such as MSPAdmin, replace “Administrator” with the correct name, for example: shareduser MSPAdmin

clientguid xxx – this part of the command line tells TechIDAgent which clientguid to use. Replace xxx with your TechIDManager ClientGuid. This can be set for a specific instance or for all instances of TechIDAgent running on this machine.

start – this part of the command line tells the TechIDAgent to start its service. This is the same as “net start TechIDAgent”. 

There are many other options that can be set for each instance of TechIDAgent. 

To set the FriendlyName or RMMName use these command lines:

TechIDAgent.exe shareduser Administrator friendlyname "Jenny's dev machine"
TechIDAgent.exe shareduser Administrator rmmname "867-5309"

In the command lines above, note that we first tell TechIDAgent that the options apply to the shareduser Administrator instance, and then use the normal syntax for FriendlyName or RMMName. Any option that can be set at all can be set for a specific instance this way.
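
Steps 4.4.2 to 4.4.4 scripted in PowerShell, as an added example (not TechIDManager's own setup script). It looks up the built-in Administrator by its RID of 500 so that a renamed account is passed to shareduser, then confirms the service is running. Assumptions: the zip path, Get-LocalUser being available (a workstation or member server like the example machine, not a Domain Controller), and the service name TechIDAgent, taken from the “net start TechIDAgent” line above.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Values marked "assumed" are not from the page.
param(
    [string]$ZipPath    = 'C:\Temp\TechIDAgent.zip',   # assumed download location
    [string]$InstallDir = 'C:\Program Files\Ruffian Software\TechIDAgent',
    [Parameter(Mandatory)][string]$ClientGuid          # your TechIDManager ClientGuid
)
$ErrorActionPreference = 'Stop'

# Resolve the built-in Administrator by its well-known RID (500), so a renamed
# account such as MSPAdmin is still the one handed to "shareduser".
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Built-in Administrator account (RID 500) not found.' }
$account = $builtin.Name

# Step 4.4.3: extract the agent into the recommended folder.
Expand-Archive -Path $ZipPath -DestinationPath $InstallDir -Force

# Step 4.4.4: the three command lines from the page, with the resolved account name.
Push-Location $InstallDir
try {
    & .\TechIDAgent.exe installLAPS
    & .\TechIDAgent.exe shareduser $account clientguid $ClientGuid
    & .\TechIDAgent.exe start
}
finally {
    Pop-Location
}

# Confirm the service installed by installLAPS actually reached Running.
$svc = Get-Service -Name 'TechIDAgent'
try {
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}
catch {
    $svc.Refresh()
    throw "TechIDAgent service is '$($svc.Status)', expected 'Running'."
}

# The name to look for when creating the Triplet in step 4.4.5.
Write-Output "Agent running. Portal name should be $env:COMPUTERNAME\$account"
```

After a rotation cycle, `(Get-LocalUser -Name $account).PasswordLastSet` should show a recent timestamp; a stale value means the agent is not managing the account.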

Return to step 4 to install more agents.
