Windows LAPS is a powerful, and now easy-to-set-up, local administrator password management solution with significant security benefits. Windows LAPS stores the local administrator passwords of specific or all devices joined to your directory inside that directory (whether local Active Directory or Azure Active Directory). These passwords have a strict expiration and rotation period, which helps prevent account takeover and lateral movement during attacks, and can drastically improve security in scenarios such as working with remote helpdesk agents.
Windows LAPS is integrated directly into the latest operating systems, making it quick and easy for administrators to deploy across an organisation.
In this tutorial, I am going to show you how to deploy Windows LAPS to your Active Directory joined devices step by step.
What is Windows LAPS?
Windows LAPS is the successor to Microsoft's older solution, Microsoft LAPS. LAPS stands for Local Administrator Password Solution, and that is exactly what it does. Windows LAPS is a new Windows feature that enables you to manage a local administrator account password from the local Active Directory or Azure Active Directory.
LAPS can be used to back up and manage local administrator account passwords in the following scenarios:
- Back up local admin passwords for devices joined to a local Active Directory, to the local Active Directory.
- Back up local admin passwords for devices joined to Azure Active Directory, to Azure Active Directory.
- Back up DSRM passwords for Windows Server domain controllers to the local Active Directory.
Need to knows!
Your Windows LAPS deployment settings depend on how your devices are managed. If your devices are joined only to the local Active Directory, you can only back up the passwords to the local Active Directory.
Likewise, if your devices are joined only to Azure Active Directory, you can only back up the passwords to Azure Active Directory.
However, if your devices are hybrid joined to both local Active Directory and Azure Active Directory, the passwords can be backed up to either location, but not to both.
Requirements for Windows LAPS
To use the latest version of Windows LAPS that is built directly into your operating system, you must be running any of the following operating systems:
Client Operating Systems
- Windows 11 22H2 – April 11 2023 Update
- Windows 11 21H2 – April 11 2023 Update
- Windows 10 – April 11 2023 Update
Windows Server Operating System
- Windows Server 2022 – April 11 2023 Update
- Windows Server 2019 – April 11 2023 Update
There are no additional licensing requirements needed to use Windows LAPS.
How to Set Up Windows LAPS Step by Step
1. Start by logging into your domain controller as a domain admin and opening PowerShell.
2. Once PowerShell is open, run the following command to update the Active Directory schema.
Update-LapsAdSchema
You can either enter Y to manually review and approve each schema update, or enter A to automatically approve all updates.
The following attributes will be added to the schema once you run the update command:
- msLAPS-PasswordExpirationTime
- msLAPS-Password
- msLAPS-EncryptedPassword
- msLAPS-EncryptedPasswordHistory
- msLAPS-EncryptedDSRMPassword
- msLAPS-EncryptedDSRMPasswordHistory
You can verify that all updates were successful by re-running the command with the -verbose switch.
Update-LapsAdSchema -verbose
You can see from the output that the required attributes are already present.
3. Next, we need to ensure that the managed devices we want to configure LAPS on have the correct permission to update their own passwords, which they do by updating the relevant msLAPS- attributes on their computer objects. At this point, the attributes show as blank:
Run the following command against the unique name of the highest-level OU that contains your computers OU. For example, I will run this against my ourcloudnetwork OU, which contains a sub-OU called Computers; the permissions set on the top-level OU are inherited down.
Set-LapsADComputerSelfPermission -Identity ourcloudnetwork
If you run this command against an OU name that is not unique, the following error occurs:
Set-LapsADComputerSelfPermission : Found more than one result 2 for the ‘computers’ OU in AD
You now also need to ensure the necessary users are able to read the LAPS password in Active Directory. Use the Set-LapsADReadPasswordPermission cmdlet to grant specific groups permission to read the LAPS passwords for the desired OU.
For example, below I am granting the Workstation Admins security group permission to read the LAPS passwords for computers within the ourcloudnetwork OU.
Set-LapsADReadPasswordPermission -Identity ourcloudnetwork `
-AllowedPrincipals "ourcloudnetwork\Workstation Admins"
There are some similar commands you can use to delegate permissions in the same fashion:
- Set-LapsADPasswordExpirationTime – Grants a specific group of users permission to update the LAPS password expiration time in AD.
- Set-LapsADResetPasswordPermission – Grants a specific group of users permission to manually reset the LAPS password in AD.
You can use the Find-LapsADExtendedRights command to check the current permissions on a specific OU.
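The permission steps above, pulled together into one script (an added example, not code from the original post). It assumes the OU distinguished name, domain name and group names shown; using the distinguished name rather than a bare OU name avoids the "Found more than one result" error shown earlier, and the final command audits who ended up with the extended rights.

```powershell
# Added example (not from the original post): delegate Windows LAPS permissions on
# one top-level OU and verify the result. Assumes the OU is "ourcloudnetwork" in the
# domain ourcloudnetwork.local and that both groups already exist; adjust for your AD.
Import-Module LAPS -ErrorAction Stop

# Using the distinguished name sidesteps the "Found more than one result" error
# that occurs when a plain OU name such as "computers" is not unique in the forest.
$ouDn = 'OU=ourcloudnetwork,DC=ourcloudnetwork,DC=local'

# 1. Let each computer under the OU write its own msLAPS-* attributes (inherited to sub-OUs).
Set-LapsADComputerSelfPermission -Identity $ouDn

# 2. Least privilege: the helpdesk group may read passwords; a separate, smaller group
#    may additionally force a reset. Nobody else receives the extended rights.
Set-LapsADReadPasswordPermission  -Identity $ouDn -AllowedPrincipals 'ourcloudnetwork\Workstation Admins'
Set-LapsADResetPasswordPermission -Identity $ouDn -AllowedPrincipals 'ourcloudnetwork\LAPS Reset Admins'

# 3. Audit which principals now hold the LAPS extended rights on the OU.
#    Re-run this periodically; unexpected entries here are worth investigating.
Find-LapsADExtendedRights -Identity $ouDn | Format-List
```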
4. Now we can deploy the LAPS configuration to our target devices via Group Policy. Start by creating a new GPO and linking it to your target computers' OU.
5. Edit the policy and find the LAPS settings located at Computer Configuration > Administrative Templates > System > LAPS. At a bare minimum, you need to enable the Configure password backup directory setting and set it to back up the password to Active Directory.
There are a couple of options here, but without this setting enabled your LAPS policy is effectively disabled.
6. You need to decide on the local account to be managed with LAPS. LAPS will not create the local admin account for you; you must ensure it is present on the managed devices so that LAPS can update its password, whether that is the built-in Administrator account (not recommended) or a custom user account (recommended).
There are many ways to create a new local user account and add it to the local Administrators group. I will not cover the specifics in this post, but some options include:
- Group Policy Preferences
- Net Logon Script
- Group Policy Script
- Intune
- Manually
- Remote PowerShell script
- 3rd Party RMM Tools
7. Once you have decided which account to use, configure the Name of administrator account to manage setting.
The final two settings to configure are:
- Password settings
- Do not allow password expiration time longer than the required policy
The Password settings setting allows you to define the password complexity, password age and password length. The Do not allow password expiration time longer than the required policy setting ensures that if an administrator tries to set the password to expire later than the defined policy allows, it will not take effect. For example, if I set the password settings as below, then if a user tries to set the password expiration to 5 days, it will default to 1 day.
8. You have now configured LAPS! Restart the end-user device while it is connected to the domain network, and the policy will take effect.
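To confirm on a managed client that the policy from steps 4 to 8 actually arrived and that the first rotation ran, the following check can be run in an elevated PowerShell session (an added example, not code from the original post). It assumes the registry path and value names of the Windows LAPS policy, and that the LAPS operational event log exists on the client.

```powershell
# Added example (not from the original post): run on a managed client after the GPO
# has been linked, to verify the LAPS policy landed and processing succeeded.
# Assumption: policy values live under HKLM\SOFTWARE\Microsoft\Policies\LAPS with the
# names used below (BackupDirectory 2 = Active Directory, 1 = Azure AD, 0 = disabled).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Pull the latest computer policy first so we are looking at current values.
gpupdate /target:computer /force | Out-Null

if (-not (Test-Path $policyKey)) {
    Write-Warning "No LAPS policy found at $policyKey - check the GPO link and OU scope."
    return
}

# Show the effective settings. AdministratorAccountName must match an account that
# already exists locally (step 6), otherwise no password will be written to AD.
Get-ItemProperty -Path $policyKey |
    Select-Object BackupDirectory, AdministratorAccountName, PasswordLength,
                  PasswordAgeDays, PasswordComplexity, PasswordExpirationProtectionEnabled

# Trigger a policy processing cycle now rather than waiting for the scheduled run.
Invoke-LapsPolicyProcessing

# The operational log records each cycle. Errors here usually mean the managed
# account is missing locally or the computer cannot write its msLAPS-* attributes.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```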
How to retrieve LAPS password with the GUI
You can retrieve the Windows LAPS password for a computer directly through Active Directory Users and Computers (ADUC).
1. Open ADUC and double-click on the computer account you want to retrieve the password for.
2. Select the LAPS tab, then select Show password.
How to retrieve LAPS password with PowerShell
A simpler solution for some may be to use PowerShell to retrieve a computer’s LAPS password.
1. Run the following command, specifying your target desktop name.
Get-LapsADPassword %targetDesktop% -AsPlainText
Your output will look like the below:
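A slightly fuller retrieval workflow than the single command above, written as an added example (not code from the original post): it fetches the password for one computer, then immediately expires it so the device rotates it on its next policy cycle rather than keeping a now-disclosed credential alive until PasswordAgeDays elapses. The computer name WS-042 is a placeholder, and the history query assumes password encryption and history have been enabled in the policy.

```powershell
# Added example (not from the original post): helpdesk-style one-time retrieval.
# Requires the read permission (and, for the expiry step, the expiration-time
# permission) delegated earlier. "WS-042" is a placeholder computer name.
Import-Module LAPS -ErrorAction Stop
$computer = 'WS-042'

# Fetch the current password as plain text. Without -AsPlainText the Password
# property is returned as a SecureString.
$entry = Get-LapsADPassword -Identity $computer -AsPlainText
if (-not $entry) {
    Write-Warning "No LAPS password stored for $computer yet - has the device processed the policy?"
    return
}

"Account : $($entry.Account)"
"Password: $($entry.Password)"
"Expires : $($entry.ExpirationTimestamp)"

# Defensive habit: once the credential has been handed out, set its expiration to now.
# The client will generate a new password on its next LAPS cycle, limiting the
# window in which the disclosed credential remains valid.
Set-LapsADPasswordExpirationTime -Identity $computer -WhenEffective (Get-Date)

# Optional: list previous passwords, which is only possible when the policy stores
# encrypted passwords with a history size greater than zero.
Get-LapsADPassword -Identity $computer -AsPlainText -IncludeHistory |
    Select-Object Account, PasswordUpdateTime, ExpirationTimestamp, Source
```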
Great article – thank you! I have installed and used LAPS in the past but had never set it up here. I followed the steps above and have run gpupdate, etc. But, my computer accounts are not setting the password value.
Never mind. It took a while but is now working…
So I was following your guide and got all the way to the part of creating a GPO, and when I open my GPMC and drill down to SYSTEM, LAPS is not there.
Figured it out, this can be ignored. Would like to see an update to this article, however, and show how to set this up in Endpoint Manager\Intune.