Windows Local Administrator Password Solution (LAPS) Overview
What is Windows LAPS?
Windows LAPS (Local Administrator Password Solution) automatically manages a local administrator account's password: changing the password when it expires (using password length and complexity settings) and backing up the password to Active Directory so it is available for authorized users to retrieve.
Windows LAPS was made available with the April 2023 Cumulative Update for the following Operating Systems:
- Windows 11 22H2
- Windows 11 21H2
- Windows 10 (those editions still supported by Microsoft)
- Windows Server 2022
- Windows Server 2019
Windows LAPS is not available for Windows Server 2016, but you can continue to use legacy LAPS with it.
Windows LAPS is a whole new solution for managing the local administrator password and is not just an update of the legacy LAPS solution that was originally released in 2015. It includes much of the same functionality of legacy LAPS, and also includes several new features:
- Supports encrypting passwords stored in AD
- Can store password history in AD (for encrypted passwords only)
Windows LAPS became available in the Austin domain on the evening of Friday 23 June 2023.
Comparing Windows LAPS and Legacy LAPS
| Comparing Windows LAPS and Legacy LAPS | ||
| Windows LAPS | Legacy LAPS | |
| Password-management bits | Included with the April 2023 Cumulative Update for Windows | The client-side extension must be installed on each computer. |
| Frequency of processing the LAPS policy cycle | This is hard-coded in Windows to 1 hour The Invoke-LapsPolicyProcessing PowerShell cmdlet can be used to trigger processing in addition to gpupdate /force. |
Since this was a Group Policy Client-side extension, this was done at the same time as a group policy refresh. gpupdate /force will force the processing of Group Policy |
| Configuration options |
Group Policy Configuration Service Provider (such as Intune - but this option is currently not available at the University) |
Group Policy |
| Group Policy settings location | Computer Configuration - Policies - Administrative Templates - System - LAPS | Computer Configuration - Policies - Administrative Templates - LAPS |
| Where is the password stored in AD |
All Windows LAPS attributes are confidential attributes: msLAPS-PasswordExpirationTime: This is a regular attribute that stores the date and time that the LAPS password will expire / when it will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set msLAPS-Password: A clear-text string that contains the name of the managed account, the timestamp of the password update, and the current password msLAPS-EncryptedPassword: The encrypted current password msLAPS-EncryptedPasswordHistory: Contains the encrypted previous passwords (it will store as many of the previous passwords as it is configured to, which allows for a maximum of 12) msLAPS-EncryptedDSRMPassword: This setting only pertains to Domain Controllers. msLAPS-EncryptedDSRMPasswordHistory: This setting only pertains to Domain Controllers. |
ms-mcs-AdmPwd: This is a confidential attribute where the password is stored ms-mcs-AdmPwdExpirationTime: This is a regular attribute that stores the date and time that the LAPS password will expire / when it will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set |
| Is the password that is stored in Active Directory encrypted? |
It depends on the LAPS policy in use when the password is saved in AD. |
No |
| Where can the password be backed up to? |
Windows Server (on-prem) Active Directory or Azure Active Directory.
|
Windows Server Active Directory only. |
| Who can access the password in AD |
If the password is not encrypted (msLAPS-Password) you must have access to the confidential attribute in AD. If the password is encrypted (msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory) you must have access to the confidential attribute in AD AND be an authorized password decryptor (refer to the Windows LAPS Policy Settings section below). |
You must have access to the confidential attribute in AD. |
|
Access to the confidential attribute is available with any of the following delegations:
|
||
Prerequisites for Using Windows LAPS
- The computer object must have permissions to write its password to itself in Active Directory (This is in place for Department OUs located under austin.utexas.edu/Departments. If you have a Department OU under Affiliated Units or Colleges & Schools, you should start the process to move to Departments.
- The computer must be running an Operating System for which Windows LAPS is available.
- The computer must be updated with the April 2023 Cumulative Update for Windows or later.
- The computer must have a Windows LAPS policy assigned to it (using Group Policy).
- The computer must be able to reach a Domain Controller (be on UTNet or connected to VPN).
Windows LAPS Policy Settings
The following settings are located in Computer Configuration - Policies - Administrative Templates - System - LAPS:
| Setting | Description |
| Password Settings |
If enabled, you can configure the following aspects of the password that is generated: Password Complexity: Determines what type of characters are used to generate the password. The available actions are:
Password Length: Determines how many characters the password will be in length. This must be a number from 8 - 64. The default value is 14.
Password Age (Days): This is the number of days that will be used to set the password expiration time. This must be a number from 1 - 365. The default value is 30. |
| Name of administrator account to manage |
The name of the local administrator account whose password is managed. Only set this if you want Windows LAPS to manage an account other than the built-in Administrator. The default, when not specified, is the built-in Administrator (by its well-known RID). |
| Enable password encryption |
If enabled, the password is encrypted before it is backed up to AD. If disabled, the password is not encrypted before it is backed up to AD. If not configured, the default value is Enabled. |
| Enable password backup for DSRM accounts | This setting only pertains to Domain Controllers. |
| Do not allow password expiration time longer than required by policy |
If enabled, LAPS will adhere to the computer's password settings policy and the password will be reset when the password has expired based on the computer's password settings policy. The new expiration is then set so it adheres to the computer's password settings policy. If disabled, the expiration of the password set by LAPS could exceed the requirement of the computer's password settings policy. If not configured, the default value is Enabled. |
| Configure size of encrypted password history |
If enabled, you can specify how many older encrypted passwords to store in AD. This must be a number from 0 - 12. This setting only applies when encrypted passwords are being backed up to AD. This setting may help out when reverting to a VM shapshot where an older password was in use at the time the snapshot was taken. |
| Configure password backup directory |
Determines where the password is backed up to. Options:
The default value when not specified is 0 (the password will not be backed up). Note: 2: Windows Server (on-prem) AD only is the only supported option at the University at this time. |
| Configure authorized password decryptors |
When enabled, you will specify the user or group that is authorized to decrypt the encrypted password in AD. You must provide one of the following as the decryptor
Warning: If the device cannot resolve the SID or name provided, the password will not be backed up. This setting only applies when encrypted passwords are being backed up to AD. The default value when not specified is the Domain Admins group. |
| Post-authentication actions |
Specify an action that will be triggered after the successful authentication of the account whose password is being managed. The available actions are:
Set the grace period to the time you want it to wait after the authentication before the action is triggered. The grace period must be set greater than 0; if set to 0 the action will not be triggered. If this setting is disabled or not configured, the default behaviour will apply which is to reset the password and logoff the managed account after 24 hours. |
Retrieving a LAPS Password
There are several methods to retrieve the LAPS password.
Using the Active Directory Users and Computers (ADUC) Console
- Open the Properties for the computer.
- Select the LAPS tab.
On the LAPS tab of the computer's Properties page:
- The Current LAPS password expiration is displayed.
- You can specify a new password expiration.
After specifying the new expiration click OK or Apply. - You can make the password expire now by clicking on the Expire now button and then clicking on OK or Apply.
This will set the expiration to the current date and time.
The password will not actually be changed immediately on the computer, but when it next processes LAPS policy. - The LAPS local admin account name is displayed.
- The LAPS local admin account password is masked by default
- Clicking Copy password will put the clear-text password on your clipboard without unmasking it here.
- Clicking Show password will display the password in clear text here.
Note: You cannot view the password history from here. You must use PowerShell to access the password history.
Using Active Directory Administration Center
- Open the properties for the computer.
- Scroll down to the Extensions.
- Select the LAPS tab.
The LAPS tab is available just as it would appear in ADUC. Refer to the ADUC section above for details.
Using PowerShell
You can retrieve the LAPS password using the Get-LapsADPassword cmdlet.
- Use the Get-LapsPassword cmdlet
Get-LapsADPassword -Identity <computername>
will return the current password in a Secure String object.
The Account property shows the managed account name.
The Password property contains the password.
The PasswordUpdateTime shows when the password was updated.
The ExpirationTimestamp shows when the current password expires/when a new password will be required.
The DecryptionStatus property will show Success if you are allowed to decrypt the password. It will show Unauthorized if you are not.
The AuthorizedDecryptor property will show the user or group that can decrypt the password.
Note: When using tab-completion it is easy to accidentally run the Get-LapsAADPassword instead. This is the cmdlet used to retrieve the password from Azure Active Directory.
- Or to get the password in cleartext
Get-LapsAdPassword -Identity <computername> -AsPlainText
will return the current password in plain text.
- Or to get the password history in plain text
Get-LapsAdPassword -Identity <computername> -AsPlainText -IncludeHistory
will return the password history in plain text
The number of passwords in the password history depends on the LAPS policy applied and how many times the password has been changed by LAPS.
Each password in the password history can have a different Authorized Decryptor, depending on what was specified in the policy when the password was encrypted and stored in AD.
The AuthorizedDecryptor shows who can decrypt the password.The DecryptiomStatus shows whether the password was successfully decrypted for the user running the cmdlet.
In this example, the user running the cmdlet can see the latest password as they are a member of the Authorized Dectryptors. They cannot see the previous password as the Authorized Dectryptors for it is a different group that the user is not a member of.
Windows Event Log
A new Windows Event Log channel has been created for Windows LAPS.
In Event Viewer, navigate to: Application and Services Logs - Microsoft - Windows - LAPS - Operational.
If you forward this event log to Splunk, dashboards will be available soon in UTSplunk.
PowerShell Module
Below are some helpful cmdlets included in the LAPS PowerShell module.
| Cmdlet | Description |
| Get-LapsAdPassword | Gets the escrowed password(s) from Windows Server Active Directory. Review the Retrieving a LAPS Password section above for details and examples. |
| Invoke-LapsPolicyProcessing | Initiates the processing of the current LAPS policy, independent of the hourly processing cycle). |
| Reset-LapsPassword | Attempts to immediately change the managed account's password (whether or not it has expired). |
Frequently Asked Questions
Q1: Can I initiate a password change ahead of the expiration time?
A1: There are a couple of ways to have the managed password changed:
- Use the Reset-LapsPassword cmdlet, which will result in LAPS attempting to reset the password immediately.
- Edit the password expiration for the computer to the current time, which will result in the password being reset the next time LAPS policy is processed on the computer.
Q2: What happens if the computer cannot reach a Domain Controller when the password expires? Will the password be set without the new password being backed up in AD?
A2: As with legacy LAPS, Windows LAPS will first escrow the new password in Active Directory. Only if that is successful with the password actually be changed on the computer.
Q3: Who can decrypt an encrypted password in Active Directory?
A3: This is specified by the user or group set as the authorized password decryptors in the LAPS policy at the time the password was stored in AD.
Is this setting was not set, the decryptors default to the Domain Admins.
Q4: What happens to the password and password expiration stored in Active Directory when Windows LAPS manages the password?
A4: The attributes used by legacy LAPS are not modified by Windows LAPS. After Windows LAPS starts to manage the account's password the legacy LAPS attributes will remain intact. Windows LAPS does not clear out the Legacy LAPS attributes.
This can be confusing, having two sets of password attributes, but you should avoid programmatically clearing out all of the legacy LAPS attributes on all of your computers without verifying they are no longer valid. You could be clearing out currently-set passwords making them unavailable (Windows LAPS is not available for Windows Server 2016 which will continue to use legacy LAPS if enabled. Windows LAPS may not have changed the password yet if there is no Windows LAPS policy assigned to the computer).
Q5: What will happen if a computer has both a legacy LAPS and Windows LAPS policy applied to it?
A5: Windows LAPS will manage the password.
Q6: Will Windows LAPS save both an unencrypted and encrypted password to AD?
A6: No, Windows LAPS will store only an encrypted password or unencrypted password based on the computer's policy settings.
Q7: What will happen if the account I specify as the Name of administrator account to manage does not exist?
A7: Windows LAPS policy processing will fail. It can not manage an account that does not exist. This scenario can lead you to being locked out of the computer / not having a way to get admin access to it.
Coming soon, this will be shown on a Splunk dashboard.
Q8: What will happen if the account I specify as the Name of administrator account to manage is disabled?
A8: Windows LAPS policy processing will succeed. It will manage the account's password, but it will not enable the account. The account must be enabled before it can be used. This scenario can lead you to being locked out of the computer / not having a way to get admin access to it.
Coming soon, this will be shown on a Splunk dashboard.
Q9: What will happen if the account I specify as the Name of administrator account to manage is not a member of the local Administrators group?
A9: Windows LAPS policy processing will succeed. It will manage the account's password, but it will not add it to the Administrators group. This scenario can lead you to being locked out of the computer / not having a way to get admin access to it.
Q10: Can the password of more than one account be managed by Windows LAPS?
A10: No, only one account can be managed.
Q11: Should I remove (delete or unlink) my GPO(s) that configure Legacy LAPS?
A11: To "clean things up", you can unlink or delete any GPOs that configure Legacy LAPS as long as you do not have any computers running an operating system that Windows LAPS is not available on. If you need to keep using Legacy LAPS for older operating systems, you can optionally use filtering (security filtering or WMI filtering) on the GPO to have it only apply to these computers - although you do not need to do anything as Windows LAPS will manage the password in the scenario where Windows LAPS and Legacy LAPS are both enabled.