Versions Compared

Version Old Version 12 New Version 13
Changes made by

Geoff Nelson

Geoff Nelson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel1
typeflat

...


Windows LAPSLegacy LAPS
Password-management bitsIncluded with the April 2023 Cumulative Update for WindowsThe client-side extension must be installed on each computer.
Frequency of processing the LAPS policy cycleThis is hard-coded in Windows to 1 hour



















The Invoke-LapsPolicyProcessing PowerShell cmdlet can be used to trigger processing in addition to gpupdate /force.		Since this was a Group Policy Client-side extension, this was done at the same time as a group policy refresh.



















gpupdate /force will force the processing of Group Policy
Configuration options

Group Policy

Configuration Service Provider (such as Intune - but this option is currently not available at the University)

Group Policy
Group Policy settings locationComputer Configuration - Policies - Administrative Templates - System - LAPSComputer Configuration - Policies - Administrative Templates - LAPS
Where is the password stored in ADAll Windows LAPS attributes are confidential attributes:

msLAPS-PasswordExpirationTime: This is a regular attribute that stores the date and time that the LAPS password will expire / when it will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set 

msLAPS-Password: A clear-text string that contains the name of the managed account, the timestamp of the password update, and the current password 

msLAPS-EncryptedPassword: The encrypted current password

msLAPS-EncryptedPasswordHistory: Contains the encrypted previous passwords (it will store as many of the previous passwords as it is configured to, which allows for a maximum of 12)

msLAPS-EncryptedDSRMPassword: This setting only pertains to Domain Controllers. 

msLAPS-EncryptedDSRMPasswordHistory: This setting only pertains to Domain Controllers. 

ms-mcs-AdmPwd: This is a confidential attribute where the password is stored

ms-mcs-AdmPwdExpirationTime: This is a regular attribute that stores the date and time that the LAPS password will expire / when it will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set

Is the password that is stored in Active Directory encrypted?

It depends on the LAPS policy in use when the password is saved in AD.

No, it is never encrypted

Where can the password be backed up to?

Windows Server (on-prem) Active Directory or Azure Active Directory.











(Note: Currently only Windows Server Active Directory is supported at the University.)

Windows Server Active Directory only.

Who can access the password in AD

If the password is not encrypted (msLAPS-Password) you must have access to the confidential attribute in AD.

If the password is encrypted (msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory) you must have access to the confidential attribute in AD AND be an authorized password decryptor (refer to the Windows LAPS Policy Settings section below).
Note that each encrypted password in the password history can/may have a different decryptor.

You must have access to the confidential attribute in AD.

Access to the confidential attribute is available with any of the following delegations:

  • Department (for both Windows and legacy LAPS)
  • Computer (for both Windows and legacy LAPS)
  • ComputerWindowsLAPS (specifically for Windows LAPS)
  • ComputerLAPS (specifically for Legacy LAPS)

...

SettingDescription
Password Settings

If enabled, you can configure the following aspects of the password that is generated:

Password Complexity: Determines what type of characters are used to generate the password. The available options are:

  • Large letters
  • Large letters + small letters
  • Large letters + small letters + numbers
  • Large letters + small letters + numbers + specials
  • Large letters + small letters + numbers + specials (improved readability)
    This option is only available starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).
    With this option, the following letters are not used:  I O Q l o
    With this option, the following numbers are not used:  0 1
    With this option, only the following symbols are used:  ! # % + @ : = ? *
  • Passphrase (long words)
    This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).
  • Passphrase (short words with unique prefixes)
    This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).
  • Passphrase (short words)
    This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

The default is Large letters + small letters + numbers + specials.

Password Length: Determines how many characters the password will be in length.  This must be a number from 8 - 64.  The default value is 14.


Password Age (Days): This is the number of days that will be used to set the password expiration time.  This must be a number from 1 - 365.  The default value is 30.


Passphrase Length (words): This is the number of words that will be used in the passphrase (when Password Complexity is set to a passphrase option).  This must be a number from 3 - 10.  The default value is 6.
This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

Name of administrator account to manageThe name of the local administrator account whose password is managed.

Only set this if you want Windows LAPS to manage an account other than the built-in Administrator.

The default, when not specified, is the built-in Administrator (by its well-known RID).

Notes: If you specify a disabled account, the password will be managed by the account will not be enabled by LAPS.  If you specify an account that does not exist, .  If you specify an account that is not a member of the local Administrators group it will not be added to the local Administrators by LAPS.

Configure automatic account management

This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

When enabled, this takes precedence over the Name of administrator account to manage setting.


If enabled, you can configure the following aspects of the managed account:

Specify the target account to manage: Two options are available:

  • Manage a custom admin account
    A custom account will be managed by Windows LAPS.
  • Manage the built-in admin account
    The Built-in Administrator account will be managed by Windows LAPS (by its well-known RID).

Automatic account name (or name prefix): The name of the account that Windows LAPS will manage the password for (or the prefix on the name of the account if Randomize the name of the managed account is checked.)

Enable the managed account (checkbox): If checked, the account will be enabled by LAPS.  If unchecked, the account will be disabled by LAPS.

Randomize the name of the managed account (checkbox): If checked, the Automatic account name (or name prefix) will be treated as a prefix; a suffix of eight random numbers will be added to it. The name will also be randomized every time the password is changed.

If unchecked, the Automatic account name (or name prefix) will be treated as the account name.

Enable password encryption

If enabled, the password is encrypted before it is backed up to AD.

If disabled, the password is not encrypted before it is backed up to AD.

If not configured, the default value is Enabled.

Enable password backup for DSRM accountsThis setting only pertains to Domain Controllers.
Do not allow password expiration time longer than required by policyIf enabled, LAPS will adhere to the computer's password settings policy and the password will be reset when the password has expired based on the computer's password settings policy.  The new expiration is then set so it adheres to the computer's password settings policy.

If disabled, the expiration of the password set by LAPS could exceed the requirement of the computer's password settings policy.

If not configured, the default value is Enabled.

Configure size of encrypted password history

If enabled, you can specify how many older encrypted passwords to store in AD.  This must be a number from 0 - 12.

This setting only applies when encrypted passwords are being backed up to AD.

This setting may help out when reverting to a VM snapshot where an older password was in use at the time the snapshot was taken.

The default value, if not configured, is 0.

Configure password backup directory

Determines where the password is backed up to.

Options:

  • 0: Disabled
  • 1: Azure AD only
  • 2: Windows Server (on-prem) AD only

The default value when not specified is 0 (the password will not be backed up and therefore will not be managed by LAPS).

Note: "2: Windows Server (on-prem) AD only" is the only supported option at the University at this time.

Configure authorized password decryptorsWhen enabled, you will specify the user or group that is authorized to decrypt the encrypted password in AD.

You must provide one of the following as the decryptor

  • The SID of the group or user
  • The name of the group or user in the following format: AUSTIN\<name>

Warning: If the device cannot resolve the SID or name provided, the password will not be backed up.

This setting only applies when encrypted passwords are being backed up to AD.

The default value when not specified is the Domain Admins group.

Post-authentication actions

Specify an action that will be triggered after the successful authentication of the account whose password is being managed.

The available actions are:

  • Take no actions
  • Reset the password
  • Reset the password and logoff the managed account
  • Reset the password and reboot the device
  • Reset the password, logoff the managed account, and terminate any remaining processes
    This fifth option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

Set the grace period to the time you want it to wait after the authentication before the action is triggered.

The grace period must be set greater than 0; if set to 0 the action will not be triggered.

If this setting is disabled or not configured, the default behaviour will apply which is to reset the password and logoff the managed account after 24 hours.
If you want it to take no action, enable this setting and select Take no actions.

...

CmdletDescription
Get-LapsAdPasswordGets the escrowed password(s) from Windows Server Active Directory.









Review the Retrieving a LAPS Password section above for details and examples.
Invoke-LapsPolicyProcessingInitiates the processing of the current LAPS policy, independent of the hourly processing cycle).
Reset-LapsPasswordAttempts to immediately change the managed account's password (whether or not it has expired).

...

Panel
borderColorblack
borderWidth1
borderStylesolid
titleQ12: How can Windows LAPS be completely disabled?

A12:  In order to completely disable Windows LAPS (prevent it from managing a password), Configure password backup directory should be set to Disabled.  Even though this is the default behaviour if when not configured, you should consider using a GPO that explicitly sets it to Disabled to keep it disabled in the scenario where a GPO enabling LAPS is (either currently or later) linked higher up in the OU structure.


Panel
borderColorblack
borderWidth1
borderStylesolid
titleQ13: Is there an overview of what is new with Windows LAPS in 24H2 Operating Systems?

A13: The article What's New in Windows LAPS for 24H2 Operating Systems Share What's New in Windows LAPS for 24H2 Operating Systems provides an overview of what changes were introduced to Windows LAPS in 24H2.

...