Windows Local Administrator Password Solution (LAPS) Overview

What is Windows LAPS?

Windows LAPS (Local Administrator Password Solution) automatically manages a local administrator account's password: changing the password when it expires (using password length and complexity settings) and backing up the password to Active Directory so it is available for authorized users to retrieve.

Windows LAPS was made available with the April 2023 Cumulative Update for the following Operating Systems:

  • Windows 11 22H2

  • Windows 11 21H2

  • Windows 10 (those editions still supported by Microsoft)

  • Windows Server 2022

  • Windows Server 2019

Windows LAPS is not available for Windows Server 2016, but you can continue to use legacy LAPS with it.

Windows LAPS is an entirely new solution for managing the local administrator password, not just an update of the legacy LAPS solution originally released in 2015. It includes much of the same functionality as legacy LAPS and adds several new features:

  • Supports encrypting passwords stored in AD

  • Can store password history in AD (for encrypted passwords only)

Windows LAPS became available in the Austin domain on the evening of Friday 23 June 2023.

For an overview of what is new in Windows LAPS starting with 24H2 Operating Systems, refer to What's New in Windows LAPS for 24H2 Operating Systems.

Comparing Windows LAPS and Legacy LAPS

Password-management bits
  Windows LAPS: Included with the April 2023 Cumulative Update for Windows.
  Legacy LAPS: The client-side extension must be installed on each computer.

Frequency of processing the LAPS policy cycle
  Windows LAPS: This is hard-coded in Windows to 1 hour. The Invoke-LapsPolicyProcessing PowerShell cmdlet can be used to trigger processing in addition to gpupdate /force.
  Legacy LAPS: Since this was a Group Policy client-side extension, processing happened at the same time as a Group Policy refresh. gpupdate /force will force the processing of Group Policy.

Configuration options
  Windows LAPS:
    • Group Policy
    • Configuration Service Provider (such as Intune; this option is currently not available at the University)
  Legacy LAPS: Group Policy

Group Policy settings location
  Windows LAPS: Computer Configuration - Policies - Administrative Templates - System - LAPS
  Legacy LAPS: Computer Configuration - Policies - Administrative Templates - LAPS

Where is the password stored in AD
  Windows LAPS: All Windows LAPS attributes are confidential attributes:
    • msLAPS-PasswordExpirationTime: This is a regular attribute that stores the date and time at which the LAPS password expires and will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set
    • msLAPS-Password: A clear-text string that contains the name of the managed account, the timestamp of the password update, and the current password
    • msLAPS-EncryptedPassword: The encrypted current password
    • msLAPS-EncryptedPasswordHistory: Contains the encrypted previous passwords (it stores as many previous passwords as it is configured to, up to a maximum of 12)
    • msLAPS-EncryptedDSRMPassword: This attribute only pertains to Domain Controllers
    • msLAPS-EncryptedDSRMPasswordHistory: This attribute only pertains to Domain Controllers
  Legacy LAPS:
    • ms-mcs-AdmPwd: This is a confidential attribute where the password is stored
    • ms-mcs-AdmPwdExpirationTime: This is a regular attribute that stores the date and time at which the LAPS password expires and will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set

Is the password that is stored in Active Directory encrypted?
  Windows LAPS: It depends on the LAPS policy in use when the password is saved in AD.
  Legacy LAPS: No, it is never encrypted.

Where can the password be backed up to?
  Windows LAPS: Windows Server (on-prem) Active Directory or Azure Active Directory. (Note: Currently only Windows Server Active Directory is supported at the University.)
  Legacy LAPS: Windows Server Active Directory only.

Who can access the password in AD
  Windows LAPS: If the password is not encrypted (msLAPS-Password) you must have access to the confidential attribute in AD. If the password is encrypted (msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory) you must have access to the confidential attribute in AD AND be an authorized password decryptor (refer to the Windows LAPS Policy Settings section below). Note that each encrypted password in the password history may have a different decryptor.
  Legacy LAPS: You must have access to the confidential attribute in AD.

Access to the confidential attribute is available with any of the following delegations:

  • Department (for both Windows and legacy LAPS)

  • Computer (for both Windows and legacy LAPS)

  • ComputerWindowsLAPS (specifically for Windows LAPS)

  • ComputerLAPS (specifically for Legacy LAPS)
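As an added example (not from the original page), the PowerShell audit below uses the non-confidential expiration-time attributes from the comparison above to find computers that are unmanaged, or whose hourly LAPS cycle has stopped rotating the password, and then lists the authorized decryptor of each stored password for one computer without reading the passwords themselves. It assumes the RSAT ActiveDirectory module and the Windows LAPS module on a domain-joined admin workstation, an OU distinguished name and computer name that are placeholders, and the Get-LapsADPassword output property names as documented for the module.

```powershell
# Added example, not part of the original page. Reads only msLAPS-PasswordExpirationTime and
# ms-Mcs-AdmPwdExpirationTime (regular, non-confidential attributes), so ordinary read rights suffice.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=local'   # placeholder: replace with your OU's DN
# The Windows LAPS policy cycle is hard-coded to 1 hour, so an expiry more than a day in the
# past means the client is offline, not applying policy, or cannot write its backup to AD.
$Cutoff = [DateTime]::UtcNow - (New-TimeSpan -Days 1)

function ConvertFrom-FileTimeAttribute {
    param($Value)
    # Both expiration attributes hold a 64-bit Windows FILETIME; missing or 0 means never backed up
    if ($null -eq $Value -or [int64]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTimeUtc([int64]$Value)
}

function Get-LapsCoverageState {
    # Classify one computer from its two expiration timestamps (either may be $null)
    param($WindowsExpires, $LegacyExpires, [DateTime]$StaleBefore)
    if ($WindowsExpires) { if ($WindowsExpires -lt $StaleBefore) { return 'WindowsLAPS-Stale' } else { return 'WindowsLAPS' } }
    if ($LegacyExpires)  { if ($LegacyExpires  -lt $StaleBefore) { return 'LegacyLAPS-Stale'  } else { return 'LegacyLAPS'  } }
    return 'NotManaged'   # neither attribute set: no LAPS policy applied or the AD backup is failing
}

# Drop 'ms-Mcs-AdmPwdExpirationTime' from $Props if the legacy LAPS schema extension is absent in your domain
$Props  = 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime', 'operatingSystem'
$Report = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $Props | ForEach-Object {
    $win = ConvertFrom-FileTimeAttribute $_.'msLAPS-PasswordExpirationTime'
    $leg = ConvertFrom-FileTimeAttribute $_.'ms-Mcs-AdmPwdExpirationTime'
    [pscustomobject]@{
        Name           = $_.Name
        OS             = $_.operatingSystem
        State          = Get-LapsCoverageState $win $leg $Cutoff
        WindowsExpires = $win
        LegacyExpires  = $leg
    }
}

$Report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$Report | Where-Object { $_.State -notin 'WindowsLAPS', 'LegacyLAPS' } | Sort-Object State, Name | Format-Table -AutoSize

# For one computer, show who may decrypt the current password and each history entry (the history
# entries can each name a different decryptor). Without -IncludePasswords no password is returned.
Get-LapsADPassword -Identity 'PC-EXAMPLE-01' -IncludeHistory |   # placeholder computer name
    Select-Object ComputerName, Source, PasswordUpdateTime, ExpirationTimestamp, DecryptionStatus, AuthorizedDecryptor |
    Format-Table -AutoSize
```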