Versions Compared

Version Old Version 16 New Version Current
Changes made by

Geoff Nelson

Geoff Nelson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel1
typeflat

...


Windows LAPS

Legacy LAPS

Password-management bits

Included with the April 2023 Cumulative Update for Windows

The client-side extension must be installed on each computer.

Frequency of processing the LAPS policy cycle

This is hard-coded in Windows to 1 hour





















The Invoke-LapsPolicyProcessing PowerShell cmdlet can be used to trigger processing in addition to gpupdate /force.

Since this was a Group Policy Client-side extension, this was done at the same time as a group policy refresh.





















gpupdate /force will force the processing of Group Policy

Configuration options

Group Policy

Configuration Service Provider (such as Intune - but this option is currently not available at the University)

Group Policy

Group Policy settings location

Computer Configuration - Policies - Administrative Templates - System - LAPS

Computer Configuration - Policies - Administrative Templates - LAPS

Where is the password stored in AD

All Windows LAPS attributes are confidential attributes:

msLAPS-PasswordExpirationTime: This is a regular attribute that stores the date and time that the LAPS password will expire / when it will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set 

msLAPS-Password: A clear-text string that contains the name of the managed account, the timestamp of the password update, and the current password 

msLAPS-EncryptedPassword: The encrypted current password

msLAPS-EncryptedPasswordHistory: Contains the encrypted previous passwords (it will store as many of the previous passwords as it is configured to, which allows for a maximum of 12)

msLAPS-EncryptedDSRMPassword: This setting only pertains to Domain Controllers. 

msLAPS-EncryptedDSRMPasswordHistory: This setting only pertains to Domain Controllers. 

ms-mcs-AdmPwd: This is a confidential attribute where the password is stored

ms-mcs-AdmPwdExpirationTime: This is a regular attribute that stores the date and time that the LAPS password will expire / when it will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set

Is the password that is stored in Active Directory encrypted?

It depends on the LAPS policy in use when the password is saved in AD.

No, it is never encrypted

Where can the password be backed up to?

Windows Server (on-prem) Active Directory or Azure Active Directory.












(Note: Currently only Windows Server Active Directory is supported at the University.)

Windows Server Active Directory only.

Who can access the password in AD

If the password is not encrypted (msLAPS-Password) you must have access to the confidential attribute in AD.

If the password is encrypted (msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory) you must have access to the confidential attribute in AD AND be an authorized password decryptor (refer to the Windows LAPS Policy Settings section below).
Note that each encrypted password in the password history can/may have a different decryptor.

You must have access to the confidential attribute in AD.

Access to the confidential attribute is available with any of the following delegations:

  • Department (for both Windows and legacy LAPS)

  • Computer (for both Windows and legacy LAPS)

  • ComputerWindowsLAPS (specifically for Windows LAPS)

  • ComputerLAPS (specifically for Legacy LAPS)

...

Setting

Description

Password Settings

If enabled, you can configure the following aspects of the password that is generated:

Password Complexity: Determines what type of characters are used to generate the password. The available options are:

  • Large letters

  • Large letters + small letters

  • Large letters + small letters + numbers

  • Large letters + small letters + numbers + specials

  • Large letters + small letters + numbers + specials (improved readability)
    This option is only available starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).
    With this option, the following letters are not used:  I O Q l o
    With this option, the following numbers are not used:  0 1
    With this option, only the following symbols are used:  ! # % + @ : = ? *

  • Passphrase (long words)
    This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

  • Passphrase (short words with unique prefixes)
    This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

  • Passphrase (short words)
    This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

The default is Large letters + small letters + numbers + specials.

Password Length: Determines how many characters the password will be in length.  This must be a number from 8 - 64.  The default value is 14.


Password Age (Days): This is the number of days that will be used to set the password expiration time.  This must be a number from 1 - 365.  The default value is 30.


Passphrase Length (words): This is the number of words that will be used in the passphrase (when Password Complexity is set to a passphrase option).  This must be a number from 3 - 10.  The default value is 6.
This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

Name of administrator account to manage

The name of the local administrator account whose password is managed.

Only set this if you want Windows LAPS to manage an account other than the built-in Administrator.

The default, when not specified, is the built-in Administrator (by its well-known RID).

Notes: If you specify a disabled account, the password will be managed by the account will not be enabled by LAPS.  If you specify an account that does not exist, .  If you specify an account that is not a member of the local Administrators group it will not be added to the local Administrators by LAPS.

Configure automatic account management

This option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

When enabled, this takes precedence over the Name of administrator account to manage setting.


If enabled, you can configure the following aspects of the managed account:

Specify the target account to manage: Two options are available:

  • Manage a custom admin account
    A custom account will be managed by Windows LAPS.

  • Manage the built-in admin account
    The Built-in Administrator account will be managed by Windows LAPS (by its well-known RID).

Automatic account name (or name prefix): The name of the account that Windows LAPS will manage the password for (or the prefix on the name of the account if Randomize the name of the managed account is checked.)

Enable the managed account (checkbox): If checked, the account will be enabled by LAPS.  If unchecked, the account will be disabled by LAPS.

Randomize the name of the managed account (checkbox): If checked, the Automatic account name (or name prefix) will be treated as a prefix; a suffix of eight random numbers will be added to it. The name will also be randomized every time the password is changed.

If unchecked, the Automatic account name (or name prefix) will be treated as the account name.

Enable password encryption

If enabled, the password is encrypted before it is backed up to AD.

If disabled, the password is not encrypted before it is backed up to AD.

If not configured, the default value is Enabled.

Enable password backup for DSRM accounts

This setting only pertains to Domain Controllers.

Do not allow password expiration time longer than required by policy

If enabled, LAPS will adhere to the computer's password settings policy and the password will be reset when the password has expired based on the computer's password settings policy.  The new expiration is then set so it adheres to the computer's password settings policy.

If disabled, the expiration of the password set by LAPS could exceed the requirement of the computer's password settings policy.

If not configured, the default value is Enabled.

Configure size of encrypted password history

If enabled, you can specify how many older encrypted passwords to store in AD.  This must be a number from 0 - 12.

This setting only applies when encrypted passwords are being backed up to AD.

This setting may help out when reverting to a VM snapshot where an older password was in use at the time the snapshot was taken.

The default value, if not configured, is 0.

Configure password backup directory

Determines where the password is backed up to.

Options:

  • 0: Disabled

  • 1: Azure AD only

  • 2: Windows Server (on-prem) AD only

The default value when not specified is 0 (the password will not be backed up or managed by LAPS).

Note: "2: Windows Server (on-prem) AD only" is the only supported option at the University at this time.

Configure authorized password decryptors

When enabled, you will specify the user or group that is authorized to decrypt the encrypted password in AD.

You must provide one of the following as the decryptor

  • The SID of the group or user

  • The name of the group or user in the following format: AUSTIN\<name>

Warning: If the device cannot resolve the SID or name provided, the password will not be backed up.

This setting only applies when encrypted passwords are being backed up to AD.

The default value when not specified is the Domain Admins group.

Post-authentication actions

Specify an action that will be triggered after the successful authentication of the account whose password is being managed.

The available actions are:

  • Take no actions

  • Reset the password

  • Reset the password and logoff the managed account

  • Reset the password and reboot the device

  • Reset the password, logoff the managed account, and terminate any remaining processes
    This fifth option is only applicable starting with 24H2 operating systems (Windows 11 24H2 and Server 2025).

Set the grace period to the time you want it to wait after the authentication before the action is triggered.

The grace period must be set greater than 0; if set to 0 the action will not be triggered.

If this setting is disabled or not configured, the default behaviour will apply which is to reset the password and logoff the managed account after 24 hours.
If you want it to take no action, enable this setting and select Take no actions.

...

  1. Open the Properties for the computer.

  2. Select the LAPS tab.Image Removed

    ADUC-Laps-Tab.pngImage Added

    On the LAPS tab of the computer's Properties page:

    • The Current LAPS password expiration is displayed.

    • You can specify a new password expiration.
      After specifying the new expiration click OK or Apply.

    • You can make the password expire now by clicking on the Expire now button and then clicking on OK or Apply.
      This will set the expiration to the current date and time.
      The password will not actually be changed immediately on the computer, but when it next processes LAPS policy.

    • The LAPS local admin account name is displayed.

    • The LAPS local admin account password is masked by default 

      • Clicking Copy password will put the clear-text password on your clipboard without unmasking it here.

      • Clicking Show password will display the password in clear text here.

    Note: You cannot view the password history from here.  You must use PowerShell to access the password history.

...

  1. Open the properties for the computer.

  2. Scroll down to the Extensions.

  3. Select the LAPS tab.

    Image RemovedADAC-Extensions-LAPS-Tab.pngImage Added

    The LAPS tab is available just as it would appear in ADUC.  Refer to the ADUC section above for details.

...

  1. Use the Get-LapsPassword cmdletImage Removed

    PS-LAPS-Password.pngImage Added

    Get-LapsADPassword -Identity <computername>
    will return the current password in a Secure String object.

    The Account property shows the managed account name.

    The Password property contains the password.

    The PasswordUpdateTime shows when the password was updated.

    The ExpirationTimestamp shows when the current password expires/when a new password will be required.

    The DecryptionStatus property will show Success if you are allowed to decrypt the password.  It will show Unauthorized if you are not.

    The AuthorizedDecryptor property will show the user or group that can decrypt the password.

    Note: When using tab-completion it is easy to accidentally run the Get-LapsAADPassword instead.  This is the cmdlet used to retrieve the password from Azure Active Directory.

  2. Or to get the password in cleartext

    Image RemovedPS-LAPS-Password-PlainText-History.pngImage Added

    Get-LapsAdPassword -Identity <computername> -AsPlainText
    will return the current password in plain text.

  3. Or to get the password history in plain textImage Removed

    PS-LAPS-Password-PlainText-History.pngImage Added

    Get-LapsAdPassword -Identity <computername> -AsPlainText -IncludeHistory
    will return the password history in plain text

    The number of passwords in the password history depends on the LAPS policy applied and how many times the password has been changed by LAPS.

    Each password in the password history can have a different Authorized Decryptor, depending on what was specified in the policy when the password was encrypted and stored in AD.
    The AuthorizedDecryptor shows who can decrypt the password.
    The DecryptiomStatus shows whether the password was successfully decrypted for the user running the cmdlet.

    In this example, the user running the cmdlet can see the latest password as they are a member of the Authorized Dectryptors.  They cannot see the previous password as the Authorized Dectryptors for it is a different group that the user is not a member of.

...

Cmdlet

Description

Get-LapsAdPassword

Gets the escrowed password(s) from Windows Server Active Directory.










Review the Retrieving a LAPS Password section above for details and examples.

Invoke-LapsPolicyProcessing

Initiates the processing of the current LAPS policy, independent of the hourly processing cycle).

Reset-LapsPassword

Attempts to immediately change the managed account's password (whether or not it has expired).

...