...


Windows LAPS compared with Legacy LAPS

Password-management bits
  Windows LAPS: Included with the April 2023 Cumulative Update for Windows.
  Legacy LAPS: The client-side extension must be installed on each computer.

Frequency of processing the LAPS policy cycle
  Windows LAPS: This is hard-coded in Windows to 1 hour. The Invoke-LapsPolicyProcessing PowerShell cmdlet can be used to trigger processing in addition to gpupdate /force.
  Legacy LAPS: Since this is a Group Policy client-side extension, processing is done at the same time as a Group Policy refresh; gpupdate /force will force the processing of Group Policy.

Configuration options
  Windows LAPS: Group Policy, or a Configuration Service Provider (such as Intune, but this option is currently not available at the University).
  Legacy LAPS: Group Policy.

Group Policy settings location
  Windows LAPS: Computer Configuration - Policies - Administrative Templates - System - LAPS
  Legacy LAPS: Computer Configuration - Policies - Administrative Templates - LAPS

Where is the password stored in AD
  Windows LAPS: Windows LAPS uses the following attributes (the password-bearing attributes are confidential attributes):
    • msLAPS-PasswordExpirationTime: This is a regular attribute that stores the date and time at which the LAPS password will expire and be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set.
    • msLAPS-Password: A clear-text string that contains the name of the managed account, the timestamp of the password update, and the current password.
    • msLAPS-EncryptedPassword: The encrypted current password.
    • msLAPS-EncryptedPasswordHistory: Contains the encrypted previous passwords (it stores as many previous passwords as it is configured to, up to a maximum of 12).
    • msLAPS-EncryptedDSRMPassword: This attribute only pertains to Domain Controllers.
    • msLAPS-EncryptedDSRMPasswordHistory: This attribute only pertains to Domain Controllers.
  Legacy LAPS:
    • ms-mcs-AdmPwd: This is a confidential attribute in which the password is stored.
    • ms-mcs-AdmPwdExpirationTime: This is a regular attribute that stores the date and time at which the LAPS password will expire and be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set.

Is the password that is stored in Active Directory encrypted?
  Windows LAPS: It depends on the LAPS policy in use when the password is saved in AD.
  Legacy LAPS: No, it is never encrypted.

Where can the password be backed up to?
  Windows LAPS: Windows Server (on-prem) Active Directory or Azure Active Directory. (Note: Currently only Windows Server Active Directory is supported at the University.)
  Legacy LAPS: Windows Server Active Directory only.

Who can access the password in AD
  Windows LAPS: If the password is not encrypted (msLAPS-Password) you must have access to the confidential attribute in AD. If the password is encrypted (msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory) you must have access to the confidential attribute in AD AND be an authorized password decryptor (refer to the Windows LAPS Policy Settings section below). Note that each encrypted password in the password history may have a different decryptor.
  Legacy LAPS: You must have access to the confidential attribute in AD.

Access to the confidential attribute is available with any of the following delegations:

  • Department (for both Windows and legacy LAPS)
  • Computer (for both Windows and legacy LAPS)
  • ComputerWindowsLAPS (specifically for Windows LAPS)
  • ComputerLAPS (specifically for Legacy LAPS)

...

  1. Use the Get-LapsADPassword cmdlet

    Get-LapsADPassword -Identity <computername>

    will return the current password, with the Password property held as a SecureString object.

    The Account property shows the managed account name.

    The Password property contains the password.

    The PasswordUpdateTime shows when the password was updated.

    The ExpirationTimestamp shows when the current password expires/when a new password will be required.

    The DecryptionStatus property will show Success if you are allowed to decrypt the password.  It will show Unauthorized if you are not.

    The AuthorizedDecryptor property will show the user or group that can decrypt the password.

    Note: When using tab-completion it is easy to accidentally run the Get-LapsAADPassword instead.  This is the cmdlet used to retrieve the password from Azure Active Directory.

  2. Or to get the password in cleartext

    Get-LapsADPassword -Identity <computername> -AsPlainText

    will return the current password in plain text.

  3. Or to get the password history in plain text

    Get-LapsADPassword -Identity <computername> -AsPlainText -IncludeHistory

    will return the password history in plain text.

    The number of passwords in the password history depends on the LAPS policy applied and how many times the password has been changed by LAPS.

    Each password in the password history can have a different Authorized Decryptor, depending on what was specified in the policy when the password was encrypted and stored in AD.


    The AuthorizedDecryptor shows who can decrypt the password.

    The DecryptionStatus shows whether the password was successfully decrypted for the user running the cmdlet.

    In this example, the user running the cmdlet can see the latest password because they are a member of its Authorized Decryptors. They cannot see the previous password because its Authorized Decryptors is a different group, of which the user is not a member.
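The following is an added example, not part of the original page, that ties together the expiration attributes from the comparison table and the DecryptionStatus property described above: it reports, for every computer under an OU, whether it is managed by Windows LAPS or legacy LAPS, whether its password is current or expired, and whether the caller is an authorized decryptor, without ever requesting the password in plain text. It assumes the ActiveDirectory and LAPS modules are installed and that the OU distinguished name (a placeholder here) is replaced with a real one.

```powershell
Import-Module ActiveDirectory
Import-Module LAPS

function Get-LapsCoverageReport {
    # Returns one object per computer under $SearchBase describing its LAPS state.
    param([Parameter(Mandatory)] [string]$SearchBase)   # placeholder OU DN passed by caller

    $props = 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime'
    $now   = Get-Date

    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props) {
        # Both expiration attributes are regular (non-confidential) FILETIME integers,
        # so this part of the check needs no password-read delegation.
        $winTime    = $c.'msLAPS-PasswordExpirationTime'
        $legacyTime = $c.'ms-Mcs-AdmPwdExpirationTime'

        $source = 'None'; $expires = $null
        if ($winTime) {
            $source = 'WindowsLAPS'; $expires = [DateTime]::FromFileTime([int64]$winTime)
        } elseif ($legacyTime) {
            $source = 'LegacyLAPS';  $expires = [DateTime]::FromFileTime([int64]$legacyTime)
        }

        if (-not $expires)        { $state = 'NoLapsPassword' }
        elseif ($expires -lt $now) { $state = 'Expired' }
        else                       { $state = 'Current' }

        # For Windows LAPS, fetch the password object WITHOUT -AsPlainText: the
        # Password stays a SecureString and DecryptionStatus reports Success or
        # Unauthorized (NotApplicable when the policy stores it unencrypted).
        $decrypt = 'NotChecked'
        if ($source -eq 'WindowsLAPS') {
            $entry = Get-LapsADPassword -Identity $c.Name -ErrorAction SilentlyContinue
            if ($entry) { $decrypt = $entry.DecryptionStatus } else { $decrypt = 'NoAccess' }
        }

        [pscustomobject]@{
            Computer         = $c.Name
            Source           = $source
            State            = $state
            Expires          = $expires
            DecryptionStatus = $decrypt
        }
    }
}

# Usage with a placeholder OU: show computers whose LAPS password is missing or expired.
Get-LapsCoverageReport -SearchBase 'OU=Workstations,DC=example,DC=edu' |
    Where-Object State -ne 'Current' | Format-Table -AutoSize
```

Computers reporting NoLapsPassword or Expired are the ones to investigate first, since an expired entry usually means the policy cycle has not run on that host.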

PowerShell Module

Below are some helpful cmdlets included in the LAPS PowerShell module.


Cmdlet: Get-LapsADPassword
  Gets the escrowed password(s) from Windows Server Active Directory. Review the Retrieving a LAPS Password section above for details and examples.

Cmdlet: Invoke-LapsPolicyProcessing
  Initiates the processing of the current LAPS policy, independent of the hourly processing cycle.

Cmdlet: Reset-LapsPassword
  Attempts to immediately change the managed account's password (whether or not it has expired).


Windows Event Log

A new Windows Event Log channel has been created for Windows LAPS.

In Event Viewer, navigate to: Application and Services Logs - Microsoft - Windows - LAPS - Operational.

If you forward this event log to Splunk, dashboards are available in UTSplunk.
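As an added example (not from the original page), the script below summarises the Microsoft-Windows-LAPS/Operational channel named above into one row per event ID, with severity, count and last occurrence, which is the kind of view a detection engineer would want before or instead of the Splunk dashboards. It assumes Windows LAPS is present on the target computer and that the caller can read the channel; the event IDs themselves are not assumed, only reported.

```powershell
function Get-LapsEventSummary {
    # One row per event ID seen in the LAPS operational channel during the window.
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No LAPS events on $ComputerName in the last $Hours hours (policy not applied, or channel empty)."
        return
    }

    $events | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId  = [int]$_.Name
            Severity = $latest.Level               # 2 = Error, 3 = Warning, 4 = Information
            Level    = $latest.LevelDisplayName
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Message  = ($latest.Message -split "`r?`n")[0]   # first line of the latest message
        }
    } | Sort-Object Severity, @{Expression = 'Count'; Descending = $true}
}

# Errors and warnings sort to the top; those rows are what a forwarding rule
# or alert should be keyed on.
Get-LapsEventSummary -Hours 24 | Format-Table -AutoSize
```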


Splunk Dashboards

Do not bookmark the following links as they are subject to change until the final dashboards are published (after which this disclaimer will be removed):

Windows LAPS - Overview

Windows LAPS - Errors

...