Windows LAPS (Local Administrator Password Solution) allows you to centrally manage the passwords of local administrator accounts on computers in your AD domain. The current local administrator password is stored in protected attributes of the computer object in Active Directory, is changed automatically on a regular basis, and can be viewed only by authorized users.
In this guide, we’ll show you how to configure and use Windows LAPS to manage local administrator passwords on AD domain-joined computers.
Until April 2023, you had to manually download the LAPS MSI installation file, deploy the management or client components to computers, install the ADMX GPO template for LAPS, and extend the AD schema.
Updates adding native support for the new version of LAPS to Windows were released in April 2023. You no longer need to manually download and install MSI packages to use LAPS.
New built-in Windows LAPS overview
The following cumulative updates added native support for Windows LAPS in April 2023:
- Windows 11 22H2 – KB5025239
- Windows 11 21H2 – KB5025224
- Windows 10 22H2 – KB5025221
- Windows Server 2022 – KB5025230
- Windows Server 2019 – KB5025229
What’s new in Windows LAPS?
- All components of the new LAPS are part of Windows;
- Allows administrator passwords to be stored in on-premises Active Directory or Azure AD;
- DSRM (Directory Services Restore Mode) password management on AD domain controllers;
- Support for password encryption;
- Password history;
- The local administrator password can be rotated automatically after it has been used to log on to the computer (post-authentication actions).
The new version of Windows LAPS requires at least a Windows Server 2016 domain functional level.
As we mentioned above, you no longer need to manually download and install the LAPS client or the Group Policy Client-Side Extension (CSE). All required LAPS components are available in Windows after you install the April Update.
The following Windows LAPS management tools are available:
- A new ADMX Group Policy template (LAPS.admx);
- A separate LAPS tab in the computer properties in the Active Directory Users and Computers (ADUC) console;
- The Windows LAPS PowerShell module;
- Separate logs in Event Viewer: Application and Service Logs -> Microsoft -> Windows -> LAPS -> Operational.
Microsoft notes that, before deploying the new LAPS GPO, you must disable the Group Policies of the previous version of LAPS (legacy MSI) and remove its settings. To do this, prevent new installations of legacy LAPS and remove all settings under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State.
If the legacy version of LAPS is not removed, events with the following event IDs appear in the Event Viewer:
- Event ID 10033, LAPS – The machine is configured with legacy LAPS policy settings, but the legacy LAPS product appears to be installed. The password for the configured account will no longer be managed by Windows until the legacy product is uninstalled. Alternatively, you may want to consider configuring new LAPS policy settings.
- Event ID 10031, LAPS – LAPS blocked an external request that attempted to modify the password for the current managed account.
Deploying Local Administrator Password Solution in an Active Directory domain
After installing the updates on all domain controllers, you can start deploying the new version of LAPS.
To manage the local administrator password solution, use the PowerShell cmdlets from the LAPS module. List them with the following command:
Get-Command -Module LAPS
- Find-LapsADExtendedRights
- Get-LapsAADPassword
- Get-LapsADPassword
- Get-LapsDiagnostics
- Invoke-LapsPolicyProcessing
- Reset-LapsPassword
- Set-LapsADAuditing
- Set-LapsADComputerSelfPermission
- Set-LapsADPasswordExpirationTime
- Set-LapsADReadPasswordPermission
- Set-LapsADResetPasswordPermission
- Update-LapsADSchema
After you install the update on the DCs and the clients, you must update the AD schema; this adds the new LAPS attributes. Run the command:
Update-LapsADSchema
Update-LapsADSchema : A local error occurred.
The following attributes will be added to the AD schema:
- msLAPS-PasswordExpirationTime
- msLAPS-Password
- msLAPS-EncryptedPassword
- msLAPS-EncryptedPasswordHistory
- msLAPS-EncryptedDSRMPassword
- msLAPS-EncryptedDSRMPasswordHistory
The attributes used in the previous version to store passwords are not used in Windows LAPS (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
Open the ADUC console (dsa.msc), select any computer in AD, and go to the Attribute Editor tab of the object. Verify that the new msLAPS* attributes are now present on the object. The attributes are not populated yet.
You must now allow computers in the specified Organizational Unit (OU) to update the msLAPS* attributes of their own AD computer accounts.
For example, I want to allow computers in the MUN container to update passwords stored in AD attributes.
Set-LapsADComputerSelfPermission -Identity "OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com"
Let’s use PowerShell to create a group that can see local administrator passwords on computers in this OU:
New-ADGroup MUN-LAPS-Admins -Path 'OU=Groups,OU=MUN,OU=DE,DC=woshub,DC=com' -GroupScope DomainLocal -PassThru -Verbose
Add-ADGroupMember -Identity MUN-LAPS-Admins -Members a.morgan,b.krauz
We will allow this group to view and reset the local administrator password:
$ComputerOU = "OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com"
Set-LapsADReadPasswordPermission -Identity $ComputerOU -AllowedPrincipals MUN-LAPS-Admins
Set-LapsADResetPasswordPermission -Identity $ComputerOU -AllowedPrincipals MUN-LAPS-Admins
By default, members of the Domain Admins group can view the local Administrator password on all AD computers.
Use the Find-LapsADExtendedRights cmdlet to check the current permissions on the LAPS attributes in an OU.
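As an added example (not from the original article), here is a PowerShell check that reports who holds the LAPS extended rights on the OU delegated above and which computers under it have not yet backed up a password or hold an expired one. It assumes the ActiveDirectory and LAPS modules are installed and reuses the article's OU distinguished name.

```powershell
# Added example: audit LAPS delegation and password-backup coverage for one OU.
# Assumes the ActiveDirectory and LAPS modules are installed on the admin workstation.
Import-Module ActiveDirectory
Import-Module LAPS

$ComputerOU = "OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com"   # OU from the article

# 1. Which principals can read LAPS passwords of objects under this OU?
Write-Host "Principals holding the LAPS extended rights on $ComputerOU"
Find-LapsADExtendedRights -Identity $ComputerOU |
    Select-Object -ExpandProperty ExtendedRightHolders |
    ForEach-Object { Write-Host "  $_" }

# 2. Which computers already have a password backed up, and is it still valid?
# msLAPS-PasswordExpirationTime is a Windows FILETIME (Int64); empty means no backup yet.
$now = Get-Date
$report = Get-ADComputer -SearchBase $ComputerOU -Filter * `
              -Properties 'msLAPS-PasswordExpirationTime' |
    ForEach-Object {
        $raw = $_.'msLAPS-PasswordExpirationTime'
        if ($raw) {
            $exp   = [DateTime]::FromFileTimeUtc($raw).ToLocalTime()
            $state = if ($exp -lt $now) { 'Expired' } else { 'OK' }
        } else {
            $exp   = $null
            $state = 'NotBackedUp'
        }
        [PSCustomObject]@{ Computer = $_.Name; Expiration = $exp; State = $state }
    }

# Computers reported as NotBackedUp have not applied the LAPS GPO yet, or lack the
# self-write permission granted with Set-LapsADComputerSelfPermission.
$report | Sort-Object State, Computer | Format-Table -AutoSize
```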
Configure GPO to change local administrator password
After you install the latest update, a new administrative template for managing the LAPS configuration via GPO, LAPS.admx, appears in %systemroot%\PolicyDefinitions\.
If you are using the central store for ADMX templates, copy LAPS.admx to the following location: \\woshub.com\SysVol\woshub.com\Policies\PolicyDefinitions
The LAPS options are located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> System -> LAPS. The following LAPS Group Policy settings are available here:
- Enable password backup for DSRM accounts
- Configure size of encrypted password history
- Enable password encryption
- Configure authorized password decryptor
- Name of administrator account to manage
- Configure password backup directory
- Do not allow password expiration time longer than required by policy
- Password Settings
- Post-authentication actions
Let’s enable the minimum LAPS Group Policy settings for an Active Directory domain:
- Open the Group Policy Management Console (gpmc.msc), create a new GPO, and link it to the OU containing the computers;
- Open the new GPO and navigate to the section that contains the LAPS options;
- Enable the Configure password backup directory policy and set it to Active Directory. This policy stores administrator passwords in the computer account attributes in on-premises Active Directory;
Windows LAPS allows you to store passwords in Azure Active Directory (AAD) instead of local ADDS.
- Then enable the Password Settings option. Here you can change the password complexity, length, and rotation frequency;
The following LAPS password settings are enabled by default: Password complexity, 14-character password length, and Password change every 30 days.
- Enable Name of administrator account to manage and specify the local administrator account whose password you want LAPS to rotate. If you are using the built-in Windows Administrator account, type Administrator here;
The LAPS GPO does not create any local administrator accounts. If you want to use another administrator account, create it on the computer by using a GPO or PowerShell.
- Restart the computer to apply the new GPO settings.
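Added example, not from the original article: a client-side check that shows which LAPS policy values a computer actually received, forces LAPS policy processing, and inspects the LAPS operational log for the legacy-LAPS conflict event 10033 mentioned earlier. It assumes the LAPS client stores its applied policy under HKLM\SOFTWARE\Microsoft\Policies\LAPS and that the script runs elevated on a domain-joined client with the April 2023 update.

```powershell
# Added example: verify on a client that the LAPS GPO applied and that the password was managed.
# Assumption: the LAPS client-side extension writes its policy to HKLM:\SOFTWARE\Microsoft\Policies\LAPS.
Import-Module LAPS

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (-not (Test-Path $policyKey)) {
    Write-Warning "No LAPS policy has reached this computer. Check the GPO link or run gpupdate /force."
    return
}

# Registry value names mirror the GPO settings listed above (assumed names).
$p = Get-ItemProperty -Path $policyKey
[PSCustomObject]@{
    BackupDirectory             = $p.BackupDirectory      # expected 2 = Active Directory (1 = Azure AD, 0 = disabled)
    AdministratorAccountName    = $p.AdministratorAccountName
    PasswordLength              = $p.PasswordLength
    PasswordAgeDays             = $p.PasswordAgeDays
    ADPasswordEncryptionEnabled = $p.ADPasswordEncryptionEnabled
} | Format-List

# Process LAPS policy now instead of waiting for the next Group Policy refresh.
Invoke-LapsPolicyProcessing -Verbose

# Read the outcome from the LAPS operational log (the channel the article points to in Event Viewer).
$events = Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20
$events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Event 10033 means the legacy MSI version of LAPS is still installed and blocks management.
if ($events.Id -contains 10033) {
    Write-Warning "Legacy LAPS is still installed; the password will not be managed until it is uninstalled."
}
```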
LAPS: Get a Local Administrator Password on Windows
After the LAPS Group Policy is applied, Windows changes the local administrator password at startup and writes it to the protected msLAPS-Password attribute of the computer object in AD. You can get the current password for a computer in the ADUC console or by using PowerShell.
Open the ADUC console and locate the computer whose current local administrator password you want to find out. A new LAPS tab has appeared in the computer object’s properties.
The following information is displayed on this tab:
- Current LAPS Password Expiration
- LAPS local administrator account name
- LAPS local administrator account password
You can also use PowerShell to get the computer’s current administrator password:
Get-LapsADPassword mun-pc221 -AsPlainText
ComputerName        : mun-pc221
DistinguishedName   : CN=mun-pc221,OU=…
Account             : administrator
Password            : 3f!lD1.23!l32
PasswordUpdateTime  : 4/24/2023 11:14:26 AM
ExpirationTimestamp : 5/24/2023 11:14:26 AM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : WOSHUB\Domain Admins
Use this password to log on to this computer locally as an administrator.
To quickly rotate the LAPS password for the local administrator account, run the command:
Reset-LapsPassword
This forces an immediate password change for the currently managed local administrator account and writes the new password to AD.
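Added example, not from the article: rotating a single computer's LAPS password from an admin workstation after it has been handed out (for example, after the helpdesk used it), then confirming that the new password reached AD. It assumes PowerShell Remoting to the target is allowed, the LAPS module is present on both ends, and reuses the article's computer name mun-pc221.

```powershell
# Added example: rotate one computer's LAPS password remotely and verify the backup in AD.
# Assumes PowerShell Remoting is enabled on the target and the caller holds the reset permission.
Import-Module LAPS

$Computer = 'mun-pc221'   # computer name from the article

# Record the current state so the rotation can be verified afterwards.
$before = Get-LapsADPassword -Identity $Computer

# Mark the stored password as expired in AD (effective immediately) ...
Set-LapsADPasswordExpirationTime -Identity $Computer -WhenEffective (Get-Date)

# ... and make the client act on the expiration now rather than at the next policy cycle.
Invoke-Command -ComputerName $Computer -ScriptBlock { Invoke-LapsPolicyProcessing }

# Confirm that a new password was generated and written back to the computer object.
$after = Get-LapsADPassword -Identity $Computer
if ($after.PasswordUpdateTime -gt $before.PasswordUpdateTime) {
    "Rotated: new password for $Computer expires $($after.ExpirationTimestamp)"
} else {
    Write-Warning "Password for $Computer was not rotated yet; check the LAPS operational log on the client."
}
```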
Windows Local Administrator Password Solution is a simple, built-in feature that allows you to improve the security of using a local administrator account on a domain computer. LAPS stores the current administrator password in a secure AD attribute and changes it regularly across all computers.