
Windows Local Administrator Password Solution (LAPS) is a Windows feature that lets IT administrators secure and protect local administrator passwords on domain-joined computers. It automatically rotates the password of the managed local account and backs it up to Active Directory or Azure Active Directory, so that every device ends up with a unique password that only authorized principals can read. You configure Windows LAPS on your Windows endpoints through policy. In this guide, we will discuss how to configure Windows LAPS.
If your domain is configured below the 2016 Domain Functional Level (DFL), you cannot enable Windows LAPS password encryption. In this scenario clients can only be configured to store passwords in clear text (secured only by the Active Directory ACLs on the attribute), and domain controllers cannot be configured to manage their local DSRM account, because DSRM password backup requires password encryption.
Once your domain reaches the 2016 DFL, you can enable Windows LAPS password encryption. However, if you are still running any Windows Server 2016 domain controllers, those DCs do not support Windows LAPS and therefore cannot use the DSRM account management feature; your Windows Server 2019 and later DCs still can. You can run Windows LAPS in such a mixed domain as long as you have acquainted yourself with these limitations. Please see how to configure Windows LAPS management with Microsoft Intune.
Benefits of using Windows LAPS
Windows LAPS regularly rotates and manages the password of the local administrator account on each device, so every computer gets a unique, frequently changing password. This helps protect against pass-the-hash and lateral-movement attacks, in which an attacker who captures one local administrator password or hash reuses it on other machines. It provides improved security for the remote help desk, and it grants the ability to sign in to and recover devices that are otherwise inaccessible. It also supports the Azure role-based access control model for securing passwords stored in Azure Active Directory.
In short, LAPS mitigates the risk of lateral escalation and other attacks that become easy when customers use the same local administrative account and password combination on all their computers.
LAPS natively integrated into Windows
The April 11, 2023 security update (KB5025229/KB5025230) implements the new Windows Local Administrator Password Solution (LAPS) as a Windows inbox feature. This version stores passwords in new Active Directory attributes and introduces new PowerShell cmdlets (the LAPS module) for administering it.
The feature is ready to go out of the box: you do not need to install an external MSI package, and there are no additional licensing requirements to run Windows LAPS.
Windows Edition
The new LAPS capabilities are available on the following Windows editions once the April 11, 2023 security update is installed:
- Windows 11 Pro, EDU, and Enterprise
- Windows 10 Pro, EDU, and Enterprise
- Windows Server 2022 and Windows Server Core 2022
- Windows Server 2019
New capabilities for LAPS in an Active Directory environment
Below are the new features available in Windows LAPS that were not available with the legacy on-premises LAPS:
- Password encryption: passwords stored in Active Directory can be encrypted so that only the authorized decryptors (by default the Domain Admins group) can read them, rather than anyone with read access to the attribute.
- Password history: when a device is restored from a backup image, the password currently in Active Directory may no longer match the one on the restored device. The password history policy lets you specify how many previous passwords are kept in Active Directory so that you can still sign in.
- DSRM password backup: domain controllers can back up and regularly rotate their Directory Services Restore Mode (DSRM) password, keeping these critical recovery credentials secure.
- Emulation mode: lets you keep using the older LAPS policy settings and tools while preparing to migrate to the new, improved LAPS.
- Post-authentication actions: Windows LAPS can automatically rotate the password (and optionally log off the account or reboot the device) after the managed account has been used.
For Azure AD, Windows LAPS offers new capabilities for managing passwords in the cloud; at the time of writing these are in private preview. The next article, on Windows LAPS management with Microsoft Intune, will discuss them.
Migrate from Legacy LAPS
Note: To use the improved LAPS, administrators must first remove the legacy LAPS configuration from their environment; otherwise the new features are not available. This applies to both cloud and on-premises environments.
Windows LAPS no longer uses the legacy ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes. It uses msLAPS-Password, msLAPS-PasswordExpirationTime, msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory, msLAPS-EncryptedDSRMPassword, and msLAPS-EncryptedDSRMPasswordHistory.
How to Configure Local Administrator Password Solution on Windows
Note: Without installing the updates mentioned above, you will not be able to run the Update-LapsADSchema cmdlet, because the LAPS PowerShell module ships with those updates.

Fix “Update-LapsAdSchema” is not recognized as the name of a cmdlet
Update-LapsAdSchema : The term 'Update-LapsAdSchema' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ Update-LapsAdSchema
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Update-LapsAdSchema:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
To resolve this issue, install the April 11, 2023 security update (KB5025229/KB5025230) on the machine where you run the cmdlet.
Update-LapsADSchema
Launch PowerShell as an account that is a member of the Schema Admins group (plain Domain Admin rights are not enough to extend the schema), and run the following command to update the Active Directory schema. The Update-LapsADSchema cmdlet adds the new msLAPS attributes to the directory schema and to the mayContain list of the computer schema class. It is a one-time operation for the entire forest.
Update-LapsADSchema
You can either enter Y to manually review and approve each schema update, or enter A to automatically approve all updates.

Verify that the updates were applied correctly by running Update-LapsADSchema -Verbose, which prints each schema change it checks. Please see the Windows LAPS schema extensions reference for the full list of attributes.


We can verify the Active Directory schema extension by opening a computer object in the Active Directory. You will now see the new LAPS tab.

Grant the managed device permission to update its password
Each managed device must be allowed to write its own password and expiration time to its computer object. This is achieved by granting the SELF principal the required write permissions on the Organizational Unit (OU) that contains the computer objects, so that the permissions are inherited by every computer object below it. The Set-LapsADComputerSelfPermission cmdlet is used for this purpose. For me, this is a test environment. I will create an OU called TechDAComputers for this test and move some computer objects into it.

Optional step: Remove Extended Rights permissions
This step is optional, and is only needed if users or groups that should not be able to read LAPS passwords hold the Extended Rights permission ("All extended rights") on the managed devices' OU. This permission is problematic because it grants the ability to read confidential attributes, and the Windows LAPS password attributes are marked confidential, so anyone holding it can read every managed password in that OU. One way to check who is granted these permissions is the Find-LapsADExtendedRights cmdlet.
As you can see in my output, only trusted entities (SYSTEM and Domain Admins) have the privilege. Therefore, no further action is needed.

Note: If untrusted principals do hold this right in your environment, remove it from the OU (for example through the Security tab of the OU in ADUC, under Advanced) before continuing. To delegate the ability to read or reset LAPS passwords to specific users or groups, use Set-LapsADReadPasswordPermission and Set-LapsADResetPasswordPermission, as in the example below. The related Set-LapsADPasswordExpirationTime cmdlet is not a delegation cmdlet: it changes the expiration time on a computer object to force an early rotation.
Set-LapsADReadPasswordPermission -Identity techdirectarchi -AllowedPrincipals "techdirectarchi\yourdesiredgroup"
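The whole Active Directory preparation (schema extension, self permission, extended rights audit and delegation) as one script. This is an added example and not the post's own code. It assumes the domain Techdirectarchive.local with NetBIOS name techdirectarchi and the OU TechDAComputers from this post; the groups LAPS-Password-Readers and LAPS-Password-Resetters are hypothetical and must exist before you delegate to them. It also assumes the ActiveDirectory RSAT module on the admin host for the final ACL check.

```powershell
# Added example (not from the original post): prepare Active Directory for Windows LAPS
# for one OU. Run on a domain-joined admin host that has the April 2023 update (LAPS
# module) and RSAT. The schema step needs Schema Admins; the rest needs Domain Admins.
# Assumptions: domain Techdirectarchive.local (NetBIOS techdirectarchi), OU TechDAComputers,
# and the hypothetical groups LAPS-Password-Readers / LAPS-Password-Resetters.

Import-Module LAPS
Import-Module ActiveDirectory

$ou = 'OU=TechDAComputers,DC=Techdirectarchive,DC=local'

# 1. One-time, forest-wide schema extension. -Verbose prints each attribute it checks,
#    so re-running it doubles as the verification step.
Update-LapsADSchema -Verbose

# 2. Let each computer (the SELF principal) write its own msLAPS-* attributes.
#    The ACE is set on the OU and inherited by the computer objects beneath it.
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Who already holds "All extended rights" on the OU? Such principals can read
#    confidential attributes, which is where the LAPS passwords live.
$trusted = @('NT AUTHORITY\SYSTEM',
             'techdirectarchi\Domain Admins',
             'techdirectarchi\Enterprise Admins')
$rights  = Find-LapsADExtendedRights -Identity $ou
$rights | Format-Table -AutoSize

$unexpected = $rights |
    ForEach-Object { $_.ExtendedRightHolders } |
    Where-Object   { $_ -notin $trusted } |
    Sort-Object -Unique
if ($unexpected) {
    Write-Warning "Review/remove extended rights for: $($unexpected -join ', ')"
}

# 4. Delegate read and reset separately: help desk staff who may read passwords do not
#    automatically need to be able to force a reset, and vice versa.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals 'techdirectarchi\LAPS-Password-Readers'
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals 'techdirectarchi\LAPS-Password-Resetters'

# 5. Show the resulting ACEs on the OU for the two groups.
(Get-Acl -Path "AD:$ou").Access |
    Where-Object { $_.IdentityReference -like 'techdirectarchi\LAPS-Password-*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

One caveat when password encryption is enabled: the read permission only lets a principal fetch the encrypted blob. Decryption is governed by the "Configure authorized password decryptors" policy setting (Domain Admins by default), so a help desk group also has to be named there to see clear-text passwords.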
Copy LAPS to the Central Store
The preferred tool for managing Windows LAPS is Group Policy. Windows installs LAPS.admx under %systemroot%\PolicyDefinitions, with the matching LAPS.adml in the language subfolder (for example en-US), as shown below. If you use a Central Store for the administrative templates, you have to copy the new LAPS templates there first; the Group Policy Management Editor uses the Central Store exclusively once it exists, so the LAPS settings will not appear until you do. Please see this article on how to create the central store for Group Policy Administrative Templates.
Without write permission on the SYSVOL policy folder, you cannot copy LAPS.admx from C:\Windows\PolicyDefinitions to the central store.

Below is the path to my central store. LAPS.admx needs to be copied to this location, and the corresponding LAPS.adml into the matching language subfolder (for example en-US) beneath it. Copying both files ensures you do not get the error "An appropriate resource file could not be found".
\\TECHDARCHIVEDC\sysvol\Techdirectarchive.local\Policies\PolicyDefinitions

Create Local Administrator Password Solution GPO
The first step is to choose how to apply the policy to your devices. Traditional environments use Windows LAPS Group Policy to deploy the required settings to Active Directory domain-joined devices. If you operate a hybrid environment joined to Azure Active Directory, you can deploy the policy by using Microsoft Intune.
Windows LAPS includes a new Group Policy administrative template that you use to administer policy settings on Active Directory domain-joined devices. The path to the settings in the Group Policy Management Editor is given further below.
To get started, launch the Group Policy Management console and create a new Group Policy Object.

In the new GPO, enter the GPO name as desired. In my case, I will name it LAPS.

Edit the newly created LAPS policy and follow the next step below.

Find the LAPS Settings located below. You can read more about Windows LAPS Group Policies from this link.
Computer Configuration > Policies > Administrative Templates > System > LAPS

Apply policy settings
The image above shows that the GPO settings have not been configured yet. Without at least the backup directory configured, your LAPS policy is effectively disabled, because Windows LAPS does nothing until it knows where to back the password up. The minimum configuration is the BackupDirectory setting with the value 2 (back up passwords to Windows Server Active Directory).
One note on the "Configure authorized password decryptors" setting: it is ignored when Directory Services Restore Mode (DSRM) account passwords are backed up on a domain controller. In that scenario the authorized decryptor is always the Domain Admins group of the domain controller's domain.
1. Name of administrator account to manage: if you do not configure the AdministratorAccountName setting, Windows LAPS manages the default built-in local administrator account. This built-in account is identified automatically by its well-known relative identifier (RID 500) and should never be specified by name, because the name of the built-in account varies with the default locale of the device and may also have been renamed.
If you want to manage a custom local administrator account instead, configure the AdministratorAccountName setting with the name of that account.

2. Enable password encryption: enabling this setting requires that your Active Directory domain is running at Domain Functional Level 2016 or later.

3. Configure password backup directory


4. Configure the size of the encrypted password history
Note that LAPS will not create the local administrator account for you. You have to ensure the account named in the policy is present on the respective PCs for LAPS to update its password. The remaining policy settings are self-explanatory and I will not explain them further.

5. Password settings (length, complexity and age)

6. Do not allow password expiration time longer than required by policy

7. Name of administrator account to manage

As you can see below, I have configured some LAPS policies. This is just a test environment, so these values might not meet your security and configuration needs. Use the settings that apply to your own environment.

Link the LAPS GPO to an OU
You can link the LAPS GPO by clicking on it and dragging it onto the right OU.

Alternatively, right-click the OU, select Link an Existing GPO, and choose the LAPS GPO.

Lastly, you could right-click on the OU and select the option to create a GPO in this domain and link it here.
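The central store copy, the GPO with the settings discussed above, and the link to the OU can also be done from PowerShell. This is an added example and not the post's own procedure. It assumes the domain Techdirectarchive.local, the central store path on TECHDARCHIVEDC and the OU TechDAComputers from this post, an English (en-US) admin host, and the GroupPolicy RSAT module; the numeric values are example choices, not the author's.

```powershell
# Added example (not from the original post): copy the LAPS templates to the central
# store, create the LAPS GPO with the settings discussed above, and link it to the OU.
# Assumptions: domain Techdirectarchive.local, central store on TECHDARCHIVEDC, OU
# TechDAComputers, en-US admin host, GroupPolicy RSAT module installed.

Import-Module GroupPolicy

$ou           = 'OU=TechDAComputers,DC=Techdirectarchive,DC=local'
$centralStore = '\\TECHDARCHIVEDC\sysvol\Techdirectarchive.local\Policies\PolicyDefinitions'

# 1. Central store: the .admx goes at the root, the .adml into the language folder,
#    otherwise GPMC reports "An appropriate resource file could not be found".
Copy-Item "$env:SystemRoot\PolicyDefinitions\LAPS.admx"       -Destination $centralStore
Copy-Item "$env:SystemRoot\PolicyDefinitions\en-US\LAPS.adml" -Destination (Join-Path $centralStore 'en-US')

# 2. The GPO. Windows LAPS reads its policy from this registry key; each ADMX setting
#    maps onto one value name below.
$gpo = New-GPO -Name 'LAPS' -Comment 'Windows LAPS: AD backup with encryption'
$key = 'HKLM\Software\Microsoft\Policies\LAPS'

$settings = [ordered]@{
    BackupDirectory                     = 2   # 2 = Windows Server Active Directory (the required minimum)
    ADPasswordEncryptionEnabled         = 1   # needs 2016 DFL
    ADEncryptedPasswordHistorySize      = 3   # keep 3 previous passwords (0-12)
    PasswordAgeDays                     = 30  # rotate at least every 30 days
    PasswordLength                      = 20
    PasswordComplexity                  = 4   # upper, lower, digits and special characters
    PasswordExpirationProtectionEnabled = 1   # do not allow an expiry longer than the policy
    PostAuthenticationResetDelay        = 8   # hours after a sign-in before the password is rotated
    PostAuthenticationActions           = 3   # 3 = reset the password and log off the managed account
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName $name `
                        -Type DWord -Value $settings[$name] | Out-Null
}

# Only needed when managing a custom local account ('tester' in this post); when it is
# left unset, LAPS manages the built-in account by its RID (500), never by name.
# Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName AdministratorAccountName -Type String -Value 'tester'

# 3. Link the GPO to the OU that holds the managed computers.
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes | Out-Null

# 4. Review what the GPO now contains.
Get-GPRegistryValue -Name $gpo.DisplayName -Key $key | Select-Object ValueName, Type, Value
```

The registry-value route is handy in a lab because the same hashtable documents exactly what the GPO enforces; in production, keep it in a script under version control so a later change to the policy is reviewable.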

How to retrieve the LAPS password with the GUI
To retrieve the Windows LAPS password for a computer, you can do so directly through Active Directory Users and Computers (ADUC).
Open ADUC and double-click the computer account you want to retrieve the password for. As you can see, we have the LAPS tab, but no information yet. This is because the policy has not been applied and the device has not yet written a password. If the policy has been applied and the LAPS fields are still not populated, please see this guide: "Fix 0x800f0831 Error when installing Windows update".

By default, Group Policy refreshes on clients every 90 minutes (plus a random offset). To us, this is like forever, and we want the policy applied immediately. In this case the gpupdate command can be used. Please see Group Policy GPUpdate Commands: GPUpdate, GPUpdate /force, LogOff, Boot, Wait, and Sync. Proceed to the workstation and run the gpupdate command. Windows LAPS reacts to the Group Policy change notification and writes its first password to Active Directory shortly afterwards.

Note: If the device does not have the necessary updates as specified by Microsoft, the LAPS fields will never be populated. I have created some articles to address the impediments I encountered in my lab during the creation of this article. Some of them are: How to fix "LAPS password not showing up in GUI", and how to fix 0x800f0831 and 0xc190020c errors when installing Windows update.
Display Local Administrator Password Solution
Launch the ADUC console and locate the OU to which the LAPS GPO has been linked. Right-click the computer object and open its properties, as shown below.

Select the LAPS tab, then select Show password. When you are done, you can click to hide the password.


You can sign in to Windows with the LAPS password to test that it works. Log in with the managed local admin account (tester in my lab) and the password shown in the LAPS tab of the computer object in ADUC, or returned by PowerShell.
Manage LAPS with PowerShell
The Get-LapsADPassword cmdlet reveals the LAPS password. Without the -AsPlainText parameter the password is returned as a SecureString, so add -AsPlainText to the command to see it in clear text.

I highly recommend configuring the GPO to automatically reset the password after each use; the policy responsible for this is the LAPS "Post-authentication actions" setting. You can also trigger a rotation on demand with PowerShell: Set-LapsADPasswordExpirationTime on the computer object makes the device rotate the password at its next policy processing cycle, and Reset-LapsPassword, run on the device itself, rotates it immediately.
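Retrieving a password from PowerShell, checking that the device has actually written one, and expiring it after use, as one script. This is an added example and not the post's own code. The computer name TECHDA-PC01 is hypothetical; the script assumes the LAPS module on the admin host and that the account running it is allowed to read (and, with encryption on, decrypt) the password and to reset it.

```powershell
# Added example (not from the original post): fetch a device's LAPS password, confirm the
# device has written one, and force a rotation once it has been used.
# Assumptions: hypothetical computer TECHDA-PC01, LAPS module installed, caller holds
# read/reset permission and is an authorized decryptor.

param([string]$Computer = 'TECHDA-PC01')

Import-Module LAPS

# Get-LapsADPassword returns a SecureString unless -AsPlainText is given.
$entry = Get-LapsADPassword -Identity $Computer -AsPlainText

if (-not $entry -or [string]::IsNullOrEmpty($entry.Password)) {
    Write-Warning "$Computer has not written a LAPS password yet (policy not applied, or device not updated)."
    return
}

# With encryption enabled, a reader who is not an authorized decryptor gets the blob
# but no clear text; DecryptionStatus tells the two cases apart.
if ($entry.Source -eq 'EncryptedPassword' -and $entry.DecryptionStatus -ne 'Success') {
    Write-Warning "Password is encrypted and could not be decrypted as this account: $($entry.DecryptionStatus)"
    return
}

# Is the stored password stale? A device that is offline past the expiry cannot rotate.
if ($entry.ExpirationTimestamp -lt (Get-Date)) {
    Write-Warning "Stored password expired on $($entry.ExpirationTimestamp); the device may be offline."
}

[pscustomobject]@{
    Computer  = $entry.ComputerName
    Account   = $entry.Account
    Source    = $entry.Source
    Updated   = $entry.PasswordUpdateTime
    Expires   = $entry.ExpirationTimestamp
    Decryptor = $entry.AuthorizedDecryptor
    Password  = $entry.Password
} | Format-List

# Older passwords: the one you need after restoring the device from a backup image.
Get-LapsADPassword -Identity $Computer -AsPlainText -IncludeHistory |
    Select-Object PasswordUpdateTime, ExpirationTimestamp, Password |
    Format-Table -AutoSize

# Build a credential for Enter-PSSession / RDP tooling instead of pasting the clear text
# around. The account is local to the device, hence the COMPUTER\account form.
$secure = ConvertTo-SecureString $entry.Password -AsPlainText -Force
$cred   = [pscredential]::new("$Computer\$($entry.Account)", $secure)

# After the password has been used, expire it now. The device rotates it at its next
# policy processing cycle (hourly, or sooner with Invoke-LapsPolicyProcessing on the device).
Set-LapsADPasswordExpirationTime -Identity $Computer -WhenEffective (Get-Date)
```

Reset-LapsPassword and Invoke-LapsPolicyProcessing run on the managed device itself (for example over a remote PowerShell session opened with the credential above), whereas Get-LapsADPassword and Set-LapsADPasswordExpirationTime talk to Active Directory and work from any admin host.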
The LAPS PowerShell module
The LAPS module for PowerShell is included in Windows by default, as shown below. This means we do not have to install or import a separate module to manage LAPS with PowerShell.

View LAPS Event Logs
Windows LAPS processes the currently active policy on a periodic basis (every hour) and also responds to Group Policy change notifications. Each processing cycle, password rotation and backup is recorded in the event log, so this is the first place to look when a password does not show up. The log is at:
Application and Service Logs -> Microsoft -> Windows -> LAPS -> Operational.
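Two monitoring checks that go with this log, as an added example that is not part of the original post: reading the LAPS operational log on a managed device, and enabling Active Directory auditing of password reads on the OU so that every retrieval is recorded on the domain controllers. It assumes the OU TechDAComputers from this post and that the "Audit Directory Service Access" subcategory is enabled on the DCs.

```powershell
# Added example (not from the original post). Part 1 runs on a managed device and reads
# the Windows LAPS operational log; part 2 runs on an admin host and turns on AD auditing
# of LAPS password reads for the OU. Assumptions: OU TechDAComputers, "Audit Directory
# Service Access" enabled on the domain controllers.

# --- Part 1: what did LAPS do on this device in the last 24 hours? ---
$log = 'Microsoft-Windows-LAPS/Operational'

Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
                  @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Errors (level 2) and warnings (level 3) only, for alerting. A device that keeps
# failing to write its password is one whose password may be expired and stale.
$problems = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3 } -ErrorAction SilentlyContinue)
if ($problems.Count -gt 0) {
    Write-Warning ("{0} LAPS error/warning events; latest: {1}" -f $problems.Count, ($problems[0].Message -split "`r?`n")[0])
}

# --- Part 2: audit successful reads of the password attributes on the OU. ---
# Every read of a msLAPS password attribute by any principal is then logged as Security
# event 4662 on the DC that served it, which is what you correlate against help desk tickets.
Import-Module LAPS
$ou = 'OU=TechDAComputers,DC=Techdirectarchive,DC=local'
Set-LapsADAuditing -Identity $ou -AuditedPrincipals 'Everyone' -AuditType Success
```

Reads by the device's own SELF principal and by Domain Admins will show up in the 4662 events as well, so a practical detection rule is "a 4662 for a msLAPS-* attribute from an account that is not in the delegated reader group".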



Below is a video on how LAPS works.
I hope you found this blog post on how to configure Windows LAPS helpful. Please let me know in the comment section if you have any questions.