Windows LAPS (Local Administrator Password Solution) allows you to centrally manage the passwords for the local administrators on the computers in your AD domain. The current local administrator password is stored in the protected attributes of computer objects in Active Directory, is automatically changed regularly, and can be viewed by authorized users.
In this guide, we’ll show you how to configure and use Windows LAPS to manage the local administrator password on computers joined to an AD domain.
Contents:
- New Built-in Windows LAPS Overview
- Deploying Local Administrator Password Solution in Active Directory Domain
- Configure GPO to Change Local Administrator Passwords
- LAPS: Get a Local Administrator Password on Windows
Until April 2023, you had to manually download the LAPS MSI installer, deploy the management or client components to computers, install the LAPS ADMX GPO templates, and extend the AD schema.
Updates adding native support for the new version of LAPS in Windows were released in April 2023. You no longer need to manually download and install the MSI package to use LAPS.
New Built-in Windows LAPS Overview
The following cumulative updates in April 2023 added native support for Windows LAPS:
- Windows 11 22H2 – KB5025239
- Windows 11 21H2 – KB5025224
- Windows 10 22H2 – KB5025221
- Windows Server 2022 – KB5025230
- Windows Server 2019 – KB5025229
What’s new in Windows LAPS?
- All the components of the new LAPS are part of Windows;
- Allows storing administrator passwords in on-premises Active Directory or in Azure AD;
- DSRM (Directory Services Restore Mode) password management on AD domain controllers;
- Support for password encryption;
- Password history;
- Allow the local administrator password to be automatically changed after it has been used to log on to the computer locally.
At least Windows Server 2016 domain functional level is required for the new version of Windows LAPS.
As we mentioned above, you no longer need to manually download and install the LAPS client or Group Policy client-side extension (CSE). All the necessary LAPS components are available in Windows after you install the April updates.
The following Windows LAPS management tools are available:
- New ADMX group policy file;
- A separate LAPS tab in computer properties in Active Directory Users and Computers (ADUC) console;
- Windows LAPS PowerShell module;
- Separate log in the Event Viewer: Application and Service Logs -> Microsoft -> Windows -> LAPS -> Operational.
Microsoft notes that you must disable the Group Policies and remove the settings from the previous version of LAPS (legacy MSI) before deploying the new LAPS GPO. To do this, stop new installations of legacy LAPS and remove all settings in the following registry key HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State.
Events with the following Event IDs will appear in the Event Viewer if the legacy version of LAPS is not removed:
- Event ID 10033, LAPS — The machine is configured with legacy LAPS policy settings, but legacy LAPS product appears to be installed. The configured account’s password will not be managed by Windows until the legacy product is uninstalled. Alternatively, you may consider configuring the newer LAPS policy settings.
- Event 10031, LAPS — LAPS blocked an external request that tried to modify the password of the current manager account.
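The two event IDs above, the legacy state registry key, and the legacy client-side extension are the artifacts a client-side check can look for before the new GPO is rolled out. The script below is an added example and not part of the original article; it assumes it is run elevated on the client, and the legacy CSE DLL path it tests is the default install location of the legacy LAPS MSI, given here as an assumption.

```powershell
# Added example: check a Windows client for legacy LAPS remnants that would stop the
# built-in Windows LAPS from managing the local administrator account.
# Assumptions: run elevated on the client; the legacy CSE DLL path is the assumed
# default install location of the legacy LAPS MSI.

function Test-LegacyLapsConflict {
    [CmdletBinding()]
    param(
        # Look back this many days in the LAPS Operational log
        [int]$Days = 7
    )

    $result = [ordered]@{
        LegacyStateKeyPresent = $false
        LegacyCsePresent      = $false
        ConflictEvents        = @()
    }

    # 1. Registry state left behind by legacy LAPS (key named in the article)
    $stateKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\State'
    if (Test-Path $stateKey) {
        $result.LegacyStateKeyPresent = $true
    }

    # 2. Legacy Group Policy client-side extension DLL (assumed default path of the legacy MSI)
    $legacyCse = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    if (Test-Path $legacyCse) {
        $result.LegacyCsePresent = $true
    }

    # 3. Conflict events 10033 (legacy product still installed) and 10031 (blocked external
    #    password change) in the new LAPS Operational log
    $filter = @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        Id        = 10031, 10033
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $result.ConflictEvents = @($events | Select-Object TimeCreated, Id, Message)

    [pscustomobject]$result
}

$check = Test-LegacyLapsConflict -Days 14
if ($check.LegacyStateKeyPresent -or $check.LegacyCsePresent -or $check.ConflictEvents.Count -gt 0) {
    Write-Warning ("Legacy LAPS remnants found on {0}; uninstall legacy LAPS and clear " +
                   "HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State before applying the new LAPS GPO." -f $env:COMPUTERNAME)
    $check.ConflictEvents | Format-Table -AutoSize
} else {
    "No legacy LAPS conflict detected on $env:COMPUTERNAME"
}
```

Run it through your usual remote execution tooling across the pilot OU before linking the new GPO; a machine that reports 10033 will keep logging it on every policy refresh until the legacy product is uninstalled.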
Deploying Local Administrator Password Solution in Active Directory Domain
You can start deploying the new version of LAPS after you have installed the new updates on all domain controllers.
To manage the Local Administrator Password Solution, use the cmdlets from the LAPS PowerShell module. List them with:
Get-Command -Module LAPS
The module contains the following cmdlets:
- Get-LapsAADPassword
- Get-LapsDiagnostics
- Find-LapsADExtendedRights
- Get-LapsADPassword
- Invoke-LapsPolicyProcessing
- Reset-LapsPassword
- Set-LapsADAuditing
- Set-LapsADComputerSelfPermission
- Set-LapsADPasswordExpirationTime
- Set-LapsADReadPasswordPermission
- Set-LapsADResetPasswordPermission
- Update-LapsADSchema
After installing the updates on the DCs and clients, you must extend the AD schema; this adds the new LAPS attributes. Run the following command once, as a member of the Schema Admins group:
Update-LapsADSchema
If not all DCs have been updated, the command will return an error:
Update-LapsADSchema : A local error occurred.
The following attributes will be added to the AD schema:
- msLAPS-PasswordExpirationTime
- msLAPS-Password
- msLAPS-EncryptedPassword
- msLAPS-EncryptedPasswordHistory
- msLAPS-EncryptedDSRMPassword
- msLAPS-EncryptedDSRMPasswordHistory
The attributes used in the previous version to store the password are not used in Windows LAPS (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).
Open the ADUC console (dsa.msc), select any computer in AD, and open the Attribute Editor tab of the object. Check that the new attributes are now available on the object.
The msLAPS-* attributes are not yet populated.
You must now allow computers in the specified Organizational Unit (OU) to update msLAPS* attributes in their AD account properties.
For example, I want to allow computers in a MUN container to update passwords stored in AD attributes.
Set-LapsADComputerSelfPermission -Identity "OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com"
Let’s use PowerShell to create a domain security group that can view local administrator passwords on computers in this OU:
New-ADGroup MUN-LAPS-Admins -Path 'OU=Groups,OU=MUN,OU=DE,DC=woshub,DC=com' -GroupScope DomainLocal -PassThru -Verbose
Add-ADGroupMember -Identity MUN-LAPS-Admins -Members a.morgan,b.krauz
We will allow this group to view and reset the local admin password:
$ComputerOU = "OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com"
Set-LapsADReadPasswordPermission -Identity $ComputerOU -AllowedPrincipals MUN-LAPS-Admins
Set-LapsADResetPasswordPermission -Identity $ComputerOU -AllowedPrincipals MUN-LAPS-Admins
By default, members of the Domain Admins group can view local administrator passwords on all AD computers.
Use the Find-LapsADExtendedRights command to check the current permissions to LAPS attributes in an OU.
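Because every holder of the read right can retrieve (and use) the local administrator password of every computer in that OU, the delegation above is worth auditing regularly rather than only once. The script below is an added example and not part of the original article: it walks the OUs under a search base, calls Find-LapsADExtendedRights on each, and flags holders that are not on an allowlist. It assumes the ActiveDirectory and LAPS modules are installed; the search base DN and the allowlist entries are constructed values for the woshub.com domain used in the article.

```powershell
# Added example: list every principal that holds the LAPS password read right on each OU
# under a search base and flag holders that are not on an allowlist.
# Assumptions: ActiveDirectory and LAPS modules installed; DN and allowlist are constructed
# values for the article's woshub.com domain.

Import-Module ActiveDirectory
Import-Module LAPS

function Get-LapsReadRightReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        # Principals that are expected to read LAPS passwords (DOMAIN\group form)
        [string[]]$Allowed = @('WOSHUB\Domain Admins')
    )

    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree
    foreach ($ou in $ous) {
        # Find-LapsADExtendedRights returns ObjectDN and ExtendedRightHolders for the OU
        $rights = Find-LapsADExtendedRights -Identity $ou.DistinguishedName -ErrorAction SilentlyContinue
        foreach ($r in $rights) {
            foreach ($holder in $r.ExtendedRightHolders) {
                [pscustomobject]@{
                    OU         = $r.ObjectDN
                    Holder     = $holder
                    Unexpected = ($Allowed -notcontains $holder)
                }
            }
        }
    }
}

$report = Get-LapsReadRightReport -SearchBase 'OU=MUN,OU=DE,DC=woshub,DC=com' `
                                  -Allowed 'WOSHUB\Domain Admins', 'WOSHUB\MUN-LAPS-Admins'
$report | Sort-Object OU, Holder | Format-Table -AutoSize

# Anything flagged here should be reviewed: each holder can read the local administrator
# password of every computer in that OU.
$report | Where-Object Unexpected
```

Holders are reported in DOMAIN\name form, so keep the allowlist in the same form; an OU that returns no rows has no explicit delegation and inherits whatever its parent grants.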
Configure GPO to Change Local Administrator Passwords
A new set of administrative templates for managing the LAPS configuration via GPO will appear when you install the latest updates on Windows (%systemroot%\PolicyDefinitions\laps.admx).
Copy LAPS.admx to the following location if you are using a Central Store for the ADMX templates: \\woshub.com\SysVol\woshub.com\Policies\PolicyDefinitions.
The next GPO section contains the LAPS options: Computer Configuration -> Policies -> Administrative Templates -> System -> LAPS. The following LAPS group policy options are available here:
- Enable password backup for DSRM accounts
- Configure size of encrypted password history
- Enable password encryption
- Configure authorized password descriptors
- Name of administrator account to manage
- Configure password backup directory
- Do not allow password expiration time longer than required by policy
- Password Settings
- Post-authentication actions
Let’s try to enable the minimum LAPS Group Policy settings for the Active Directory domain:
- Open the Group Policy Management console (gpmc.msc), create a new GPO and link it to the OU containing the computers;
- Open the new GPO and navigate to the section that contains the LAPS options;
- Enable the Configure password backup directory policy and set Active Directory here. This policy allows the administrator password to be stored in the computer account attribute in the on-premises Active Directory;
Windows LAPS also allows you to store passwords in the Azure Active Directory (AAD) instead of in the local ADDS.
- Then enable the Password Settings option. Here you must specify the password complexity, length, and change frequency parameters;
The following LAPS password settings are enabled by default: password complexity, 14-character password length, and password change every 30 days.
- Specify the name of the local administrator account whose password you want to change in Name of administrator account to manage. If you are using the built-in Windows Administrator, type Administrator here.
The LAPS GPO does not create any local administrator accounts. If you want to use another administrator account, create it on computers using GPO or PowerShell.
- Restart your computer to apply the new GPO settings.
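The same minimum configuration can be produced from PowerShell with the GroupPolicy module, which is easier to review and repeat than clicking through the GPMC. The script below is an added example and not part of the original article. It assumes the RSAT GroupPolicy module is installed; the GPO name and target OU are constructed values; and the registry key HKLM\Software\Microsoft\Policies\LAPS and the value names are the ones the laps.admx template writes, as documented by Microsoft, so verify them against the template on your own system before relying on them.

```powershell
# Added example: create the LAPS GPO and set the minimum policies from the section above
# with the GroupPolicy module, then verify on a client.
# Assumptions: RSAT GroupPolicy module installed; GPO name and OU are constructed values;
# the policy key and value names are those written by laps.admx (verify on your system).

Import-Module GroupPolicy

$GpoName   = 'LAPS-MUN-Computers'
$TargetOU  = 'OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com'
$PolicyKey = 'HKLM\Software\Microsoft\Policies\LAPS'

# Create the GPO if it does not exist and link it to the OU holding the computers
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $TargetOU | Out-Null
}

# "Configure password backup directory": 2 = on-premises Active Directory (1 = Azure AD)
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'BackupDirectory' -Type DWord -Value 2 | Out-Null

# "Password Settings": complexity 4 = upper, lower, digits and special; 14 characters; 30-day age
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordLength'     -Type DWord -Value 14 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null

# "Name of administrator account to manage": the built-in Windows Administrator account
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'AdministratorAccountName' -Type String -Value 'Administrator' | Out-Null

# "Do not allow password expiration time longer than required by policy": 1 = enabled
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'PasswordExpirationProtectionEnabled' -Type DWord -Value 1 | Out-Null

# Review what the GPO now carries before the computers pick it up
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey | Select-Object ValueName, Type, Value

# On a client in the OU (elevated): refresh policy, ask LAPS to process it immediately,
# then look for errors or warnings from that run in the LAPS Operational log.
# gpupdate /target:computer /force
# Invoke-LapsPolicyProcessing
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Level = 2, 3 } -MaxEvents 20
```

Invoke-LapsPolicyProcessing saves the reboot the article mentions when you only need to confirm that the policy applies; a successful run populates msLAPS-Password and msLAPS-PasswordExpirationTime on the computer object within a few seconds.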
LAPS: Get a Local Administrator Password on Windows
After implementing LAPS group policies, Windows changes the local administrator password at startup and then writes it to the msLAPS-Password protected attribute on the computer object in AD. You can get the current password for the computer in the ADUC console or by using PowerShell.
Open the ADUC console and search for the computer for which you want to find out the current password of the local administrator. A new LAPS tab has appeared in the Computer object properties.
The following info is displayed on this tab:
- Current LAPS password expiration
- LAPS local admin account name
- LAPS local admin account password
You can also use PowerShell to get the computer’s current administrator password:
Get-LapsADPassword mun-pc221 -AsPlainText
ComputerName        : mun-pc221
DistinguishedName   : CN=mun-pc221,OU=…
Account             : administrator
Password            : 3f!lD1.23!l32
PasswordUpdateTime  : 4/24/2023 11:14:26 AM
ExpirationTimestamp : 5/24/2023 11:14:26 AM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : WOSHUB\Domain Admins
Use this password to log on locally to this computer as an administrator.
To immediately rotate the LAPS password for the local admin account, run the command:
Reset-LapsPassword
This forces an immediate change of the managed local administrator account’s password on the computer where it is run and writes the new password to AD.
Windows Local Administrator Password Solution is a simple, built-in feature that allows you to improve the security of using local administrator accounts on domain computers. LAPS stores the current administrator password in a secure AD attribute and changes it on all computers regularly.