The Microsoft Local Administrator Password Solution (LAPS) allows organizations to securely rotate the local Administrator passwords for their desktops, laptops, tablets, and servers. In this article, I’ll cover several of the most frequently asked questions I’ve received about LAPS.

Does the Microsoft Local Administrator Password Solution (LAPS) require an agent? I really don’t want to install yet another agent on my computers. (Special thanks to reader Mike for this question.)

No, LAPS does not require an agent. For LAPS to function on workstations and servers, a Group Policy Client Side Extension (CSE) will need to be installed. The Group Policy CSE is not an agent. Typically, an agent is a service that runs at system startup and continues to run in the background to provide telemetry or some other data back to a central system such as System Center Configuration Manager, Operations Manager, or an antivirus monitoring platform. The CSE only runs at Group Policy refresh cycles.

Local Administrator Password Solution Setup - Manual install of Group Policy CSE

Can I use LAPS without installing the Active Directory schema changes?

No, you cannot use LAPS without installing the AD schema changes. The schema update adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes that LAPS requires.

Does LAPS require an additional infrastructure such as additional application servers or SQL?

No. LAPS requires two additions to your AD schema. LAPS also requires that an additional Group Policy Client Side Extension (CSE) be installed on all of the managed computers. You will not need to run an additional application server or SQL server to use LAPS.
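The two prerequisites just described (the schema extension and the computers' right to write their own attributes) can be set up and checked from the LAPS PowerShell module. What follows is an added example, not code from the article or from the LAPS installer; the OU distinguished name is a placeholder, and it assumes the AdmPwd.PS and ActiveDirectory modules are present on the machine where it runs.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session
# as a member of Schema Admins (for the schema step) and Domain Admins.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Placeholder: the OU that holds the computers LAPS will manage.
$ManagedOU = 'OU=Workstations,DC=corp,DC=example'

# Report whether the two LAPS attributes exist in the schema and whether the
# password attribute is flagged confidential (searchFlags bit 0x80), which is
# what keeps ordinary "read all properties" holders from seeing it.
function Get-LapsSchemaState {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" `
                             -Properties searchFlags
        [PSCustomObject]@{
            Attribute    = $name
            Present      = [bool]$attr
            Confidential = if ($attr) { ($attr.searchFlags -band 0x80) -ne 0 } else { $false }
        }
    }
}

$state = Get-LapsSchemaState
$state | Format-Table -AutoSize

# Extend the schema only if the attributes are not there yet. This is a
# one-time, forest-wide change.
if ($state.Present -contains $false) {
    Update-AdmPwdADSchema
}

# The CSE runs as SYSTEM and authenticates as the computer account, so each
# computer needs write access to its own two attributes. This grants the
# SELF principal that right on every computer object under the OU.
Set-AdmPwdComputerSelfPermission -OrgUnit $ManagedOU

# Re-check after the change; ms-Mcs-AdmPwd should now be present and confidential.
Get-LapsSchemaState | Format-Table -AutoSize
```

The confidentiality flag is the check worth keeping: if it is ever cleared, any principal with generic read rights on computer objects can read the clear-text password, regardless of what Set-AdmPwdReadPasswordPermission was used to grant.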

Is storing the Administrator password in AD in plain text secure?

The ms-Mcs-AdmPwd attribute in AD is a confidential attribute protected by an Access Control List (ACL). Only users with permissions to view this attribute can view the password (that is, Domain Admins and anyone else they’ve delegated access to). Keeping the same local Administrator password across large groups of systems is a much bigger security risk.

If the passwords are stored in AD, can’t anyone with AD access view them?

No, only users with adequate permissions can view the stored passwords. You can use the Find-AdmPwdExtendedRights PowerShell cmdlet to view which groups and users can view the stored passwords. You can use the Set-AdmPwdReadPasswordPermission PowerShell cmdlet to give groups and/or users access to view the passwords.
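The two cmdlets named above are enough to both delegate access and audit it afterwards. The block below is an added example, not the article's own code: it grants read and reset rights to two separate groups and then flags any principal holding extended rights on the OU that is not on an approved list. The OU and group names are placeholders, and it assumes the AdmPwd.PS module is installed.

```powershell
# Added example (not from the article): delegate LAPS rights and audit them.
Import-Module AdmPwd.PS

# Placeholders: the managed OU and the groups that should hold each right.
$ManagedOU    = 'OU=Workstations,DC=corp,DC=example'
$ReadersGroup = 'CORP\LAPS-Password-Readers'
$ResetGroup   = 'CORP\LAPS-Password-Resetters'

# Principals you expect to be able to read passwords under this OU. Anything
# else reported by Find-AdmPwdExtendedRights is a finding to investigate.
$ApprovedHolders = @('CORP\Domain Admins', $ReadersGroup)

function Get-UnexpectedPasswordReaders {
    param([string]$OrgUnit, [string[]]$Approved)
    # Find-AdmPwdExtendedRights returns one object per container with
    # ObjectDN and ExtendedRightHolders (DOMAIN\principal strings). Extended
    # rights on a parent container flow down to every computer beneath it.
    Find-AdmPwdExtendedRights -Identity $OrgUnit | ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($Approved -notcontains $holder) {
                [PSCustomObject]@{ ObjectDN = $dn; Holder = $holder }
            }
        }
    }
}

# Read permission exposes the clear-text password; reset permission only lets
# the holder write an expiration time to force a rotation. Keeping them in
# different groups lets the help desk force a rotation without seeing secrets.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ManagedOU -AllowedPrincipals $ReadersGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $ManagedOU -AllowedPrincipals $ResetGroup

# Audit the result.
$unexpected = Get-UnexpectedPasswordReaders -OrgUnit $ManagedOU -Approved $ApprovedHolders
if ($unexpected) {
    $unexpected | Format-Table -AutoSize
} else {
    "No unexpected password readers under $ManagedOU"
}
```

Run the audit part on a schedule; delegations tend to accumulate on parent OUs, and a group added there for an unrelated purpose inherits the ability to read every password beneath it.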

Find-AdmPwdExtendedRights output example

Can I require two-factor authentication (2FA) to view the passwords LAPS has stored in AD?

Access to the ms-Mcs-AdmPwd attribute is controlled with a user’s regular AD credentials. You would need to implement 2FA for all user logons that have access to that data in AD. You won’t be able to require 2FA for just accessing that attribute without implementing some kind of custom solution.

What happens if an admin’s account is compromised? Wouldn’t the compromised account have access to the stored passwords?

If a user with adequate rights to view the ms-Mcs-AdmPwd attribute is compromised, that account could be used to pull all of the local Administrator passwords from your domain (or subset of computers if the user account can only view Administrator passwords for specific OUs in the domain). Typically, this kind of account would already have had enough rights to reset the password remotely on any of those computers or wreak other havoc with the delegated privileged access.

The upside of having LAPS in place is that you can now force a password reset on all systems that could have a compromised Admin password and then see in AD if they’ve updated.
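A concrete version of that response, as an added example (not the article's code): force a rotation for every computer under an OU, then report, without reading any password, which computers have not picked the change up. It assumes the AdmPwd.PS and ActiveDirectory modules; the OU is a placeholder.

```powershell
# Added example (not from the article): mass rotation after a suspected
# compromise of an account that could read LAPS passwords.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$ManagedOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder

function Get-LapsRotationStatus {
    param([string]$OrgUnit)
    # Reads only ms-Mcs-AdmPwdExpirationTime, never ms-Mcs-AdmPwd, so this can
    # run under an account with plain read rights on computer objects.
    Get-ADComputer -SearchBase $OrgUnit -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            [PSCustomObject]@{
                ComputerName = $_.Name
                Managed      = [bool]$raw
                Expires      = if ($raw) { [DateTime]::FromFileTime([int64]$raw) } else { $null }
            }
        }
}

# Step 1: write an expiration time in the past onto every computer object.
# The CSE compares that value to the clock on its next policy refresh and
# generates a new password once it has passed.
$when = (Get-Date).AddMinutes(-1)
Get-ADComputer -SearchBase $ManagedOU -Filter * | ForEach-Object {
    Reset-AdmPwdPassword -ComputerName $_.Name -WhenEffective $when
}

# Step 2, after the refresh cycle (or an Invoke-GPUpdate): an expiration still
# in the past means the computer has not rotated yet; no value at all means no
# LAPS data (CSE missing, policy not applied, or the AD trust is broken).
$now = Get-Date
Get-LapsRotationStatus -OrgUnit $ManagedOU |
    Where-Object { -not $_.Managed -or $_.Expires -lt $now } |
    Sort-Object Managed, ComputerName |
    Format-Table -AutoSize
```

Computers that stay on the report after a day are the ones that would still accept the old, possibly exposed password, so they are the ones to chase first.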

Can LAPS manage the password of the local Administrator account and a custom local administrator account with a different name at the same time?

You can manage either the default Administrator account (including if the account has been renamed) or a secondary local Administrator account that you’ve created, but not both.

What happens if the computer loses its connection/trust with Active Directory? Will LAPS change the local Administrator password on the computer, but fail to update it in AD? If this happens, I won’t know the local Administrator password. (Special thanks to reader Ken D. for this question.)

The password that is stored in AD is the computer’s current password—even if the password should have expired. In this situation, the computer’s Group Policy Client Side Extension (running in the Local SYSTEM context) would be unable to check the expiration date stored in AD. When that happens, the password change process would stop. You would need to re-establish the computer’s AD trust before the local Administrator password changes again.
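On a computer that has stopped rotating, the two things to check are whether the CSE is registered and whether the machine's secure channel to the domain is still valid. The following client-side check is an added example, not the article's code; the GUID is the one the LAPS CSE registers under the Winlogon GPExtensions key, and the ExtensionDebugLevel value is taken from the LAPS documentation.

```powershell
# Added example (not from the article): run elevated on a managed computer.
$CseGuid = '{D76B9641-3288-4f75-942D-087DE603E3EA}'   # GUID the LAPS CSE registers under
$CseKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$CseGuid"

function Test-LapsClientHealth {
    $registered = Test-Path -Path $CseKey
    # DllName under the GPExtensions key is the CSE DLL Group Policy loads at
    # refresh time; there is no service to look for, which is why the CSE is
    # not an agent.
    $dll = if ($registered) { (Get-ItemProperty -Path $CseKey).DllName } else { $null }
    # $false means the machine account password no longer matches the domain's
    # copy, so the CSE cannot read ms-Mcs-AdmPwdExpirationTime and rotation stops.
    $trust = Test-ComputerSecureChannel
    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        CseRegistered = $registered
        CseDll        = $dll
        SecureChannel = $trust
    }
}

$health = Test-LapsClientHealth
$health | Format-List

if (-not $health.CseRegistered) {
    Write-Warning 'LAPS CSE is not registered; install the CSE MSI and rerun.'
}
elseif (-not $health.SecureChannel) {
    # Repair resets the computer account password on both sides; the credential
    # needs permission to reset this computer's account in AD.
    $cred = Get-Credential -Message 'Account allowed to reset this computer account'
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        # Trigger a policy refresh so the CSE re-reads the expiration time.
        gpupdate /target:computer /force
    }
}
else {
    # Both checks pass but the password still does not rotate: per the LAPS
    # documentation, ExtensionDebugLevel = 2 makes the CSE log verbosely to
    # the Application event log on the next refresh.
    New-ItemProperty -Path $CseKey -Name ExtensionDebugLevel -PropertyType DWord -Value 2 -Force | Out-Null
    gpupdate /target:computer /force
}
```

Until the secure channel is repaired, the value in ms-Mcs-AdmPwd remains the password that is actually set on the machine, which is why the stored copy is still usable in this state.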

Can LAPS manage the local Administrator passwords on non–domain-joined machines?

No. Computers must be domain-joined to be managed by LAPS.

Can LAPS change the stored password for a service if it is using the local Administrator account?

No. LAPS will only update the local Administrator password. It will not update the service to use the new password.

Aren’t there more elaborate solutions that can do more than just randomize the local Administrator password? What if I need to rotate passwords for service accounts or do something more advanced?

Microsoft LAPS is designed to randomize passwords of the local Administrator (or a custom Administrator account) for domain-joined systems without the need to implement additional infrastructure. This gives organizations a way to randomize those local passwords to prevent large numbers of computers from being vulnerable to Pass-the-Hash attacks or from being compromised if that password becomes known. Yes, much more elaborate solutions exist if you’re willing to pay for them and take the effort to implement additional infrastructure.

What if my question isn’t listed here?
Feel free to ask your question in the comments section below!

148 Comments
  1. MingN 6 years ago

    Hi,

    We are using SCCM to deploy the LAPS CSE to managed computers. Is it possible to include, in the same package as the LAPS CSE deployment, the creation of the new ExtensionDebugLevel REG_DWORD to enable additional logging?

    I am aware that the {D76B9641-3288-4f75-942D-087DE603E3EA} will only exist after the LAPS CSE has been installed on computers.

    How can I achieve that via SCCM?

    Cheers

    • Author

      Unfortunately, I don't use SCCM enough to know how to do that. You can create any Registry entry you want... you don't have to depend on the CSE to be installed for it to be on the system. If these are domain-joined systems, I'd probably use Group Policy Preferences. If you want to use SCCM, create a secondary package that runs a script to add the Registry entries and make it dependent on the LAPS CSE install.

    • asd 5 years ago

      You can create a batch file and deploy it using the reg add command with the correct details after the LAPS client has been installed.

  2. MingN 6 years ago

    In an environment where there will be many management computers (one per service desk person), there is no need to install the GPO Editor templates option, is this correct?

    From my understanding, the GPO editor template tool only needs to be installed once (on a management computer, not a DC) to get the LAPS administrative template files to be used in (copied to) the central store for GPOs.

    Other management computers only need to have the fat client UI and PowerShell module installed, correct?

    Thanks

    • Author

      Correct... you only need the Group Policy ADMX files on computers that will edit the policy for LAPS. If your service desk personnel are going to need to view passwords and force updates/resets, yes... they'll need the client UI and PowerShell module installed.

  3. Thomas H. 6 years ago

    Problem with LAPS I hope you can clarify. The company I work for has recently implemented LAPS. However, I think there may have been unforeseen issues that weren't planned for. We have a policy that if a PC hasn't communicated with a domain controller for 2 months it is scavenged and drops off the domain. We have users that work from home via VPN and for some reason they sometimes fall off the domain. I have found that if a PC falls off the domain we are unable to log in as local admin with LAPS and are left with no choice but to re-image. I am not a system/domain admin but a desktop support tech who has to tell the user we can't recover their data. So I wanted to know if there is a solution to resolve this situation.

    • Author

      My initial thought is that these PCs may not be communicating with Active Directory like they should be. I'd start there and make sure that they're communicating like they're supposed to. 2 months seems really low to me... I work in Higher Ed and it is very normal for a computer to go longer than 2 months without connecting back in to campus. Your organization may want to ensure that the Active Directory Recycle Bin is enabled and the tombstoneLifetime is set to something longer than 60 days so you can recover those objects. It would be much easier than using something like DaRT to reset the password and then re-adding them to AD.

  4. Shawn 6 years ago

    Thomas – we have the same issue. Without restating, how does one recover a LAPS-generated password or reset one on a client computer with a trust issue that no longer exists in AD anymore?

    We currently blank passwords on Win 7 boxes with old-school third-party disks and hack our way into Win 10 clients as well. I saw your comment about DaRT and MDOP with Software Assurance; is this the way that MS wants us to manage the issue?

    • Author

      If you've got computers that are losing their trust with AD, you've got a bigger issue you need to solve. You shouldn't need to do an offline edit regularly to get back into the boxes. Have you investigated why you've got boxes losing their trust with AD? In 10 years, I can think of maybe two times it happened to me in my old environment.

  5. Roger Kagan 6 years ago

    I am doing some testing.

    What about using LAPS for the DSRM password?

    It seems to work so far.

  6. Bberies 6 years ago

    We have pushed out LAPS to most computers and the majority of them seem to be good.

    However, there are some computers out there that also have the GPO CSE installed and received the LAPS GPO with the relevant SELF permission set (same OU as the rest that are working), but the two attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpiration are not showing in the computer object (in the attribute editor).

    What could be the issue?

    thanks

  7. Bberies 6 years ago

    To add more info on my above question -

    After a few reboots, the ms-Mcs-AdmPwdExpiration is now showing up in the attribute editor of the computer object.

    However, ms-Mcs-AdmPwd is still missing.

    I forced a password change via the LAPS UI. It said the password reset request was successful.

    The ms-Mcs-AdmPwd is still missing.

    Note: the local Administrator account password of this VM had been manually changed before LAPS was implemented.

    Please shed some light.

  8. Usaid 6 years ago

    I implemented the solution and the application can set/reset the password only for the machine where I have installed both the fat client and the CSE, but it is not working for the other machine, on which I have installed only the CSE; it says ms-Mcs-AdmPwd <not set>.

  9. Jeremy 6 years ago

    I am currently running tests on LAPS for the company I work for... Is there a way to rename and enable/disable the Admin accounts from the LAPS group policy? Like I said, we are testing the software and DO NOT want to mess with the local group policies, just the LAPS GP.

    • Author

      I'm not sure I totally understand what you're trying to do. When I originally tested LAPS, I created a new sub-OU with the computers I was testing with. I linked the LAPS GPO there and it only impacted those test computers. It still allowed them to get all the policy they would normally get.

  10. Red 5 years ago

    Hi,

    I'm in a corporate environment and we want to test LAPS, but all our PCs have the built-in Administrator account disabled and every PC has a local administrator account with a different name for every PC.

    Is this somehow supported? Does LAPS recognize an account with administrative privileges with a different name on every PC? And what if a PC has two local administrative accounts?

    Regards,

    Red.

    • Author

      Obfuscating the local Administrator account isn't really security. Enumerating that username is fairly trivial. You'll need to switch to the standard local Administrator account or start using a single custom username to use LAPS.

  11. Brent 5 years ago

    Hi,

    I have tested LAPS in our test domain. It works perfectly. Changing the password also works correctly (after gpupdate), but for a machine behind an RODC I get the error "Could not get computer object from AD:Error 0x80070051". I have also set the FAS for the RODC to replicate the attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

    Regards

    Brent

    • Author

      I haven't tested with an RODC, but LAPS is going to have to write data back to a DC. If it can't do that, it can't update the stored password.

  12. Jeff 5 years ago

    Is there any way to use PowerShell to run through all computers to see which, if any, didn't get the LAPS ms-Mcs-AdmPwd attribute set as they should have through the GPO?

  13. Randy Smith 5 years ago

    I am having trouble finding an answer to this, as I am just starting the venture into using this application. Does the admin GUI need to run off of a DC? Or can I just use domain admin credentials somewhere to use the GUI on a domain workstation?

    • Andre 5 years ago

      @Randy Smith

      Had this same question. Short answer is no. LAPS doesn't need to be installed on a DC.

      You will need to install the FAT client and GP extensions on a computer. Then you will want to copy over the .admx and .adml group policy extensions into the correct sysvol and sysvol\en-us folders on your central share from whichever PC you do install it upon.

      https://social.technet.microsoft.com/Forums/office/en-US/bcfe5009-e416-47da-bdfb-d2f1fafd552a/laps-options-missing-from-gpm-editor?forum=winserverGP

      Otherwise you won't be able to configure the GPO.

      • Aaron 4 years ago

        Hi, sorry, a bit late to the party, but I've a follow-up question to this. The install of the management software seems pretty redundant once it's in, is that correct? By this I mean, if the server that the management software was installed on suddenly died, or we were in a DR scenario at Site A where the management server was located, there would be no impact on being able to retrieve/set passwords?

        And all we would have to do is install the management software on another server if we wanted to make any changes to the GP template?

  14. Garrett Petschke 5 years ago

    I'm in the process of installing LAPS at the organization that I work for. I have two questions...

    1. If you have a secondary custom local admin account, can you deploy a second GPO for LAPS to manage that?

    2. For PCs that are being managed, can the local admin account become locked when the LAPS-generated password is entered incorrectly multiple times? What are the steps to recover from this, if so?

    • Author

      No. You can use local Administrator or a custom account, not both.
      It would depend on the policy you've set on the machine. Recovery would be the same for any locked-out account.

  15. Werner 5 years ago

    We have been using LAPS for some time in our environment. We also have a lot of virtual servers and use snapshots from time to time for updating applications. I already faced a problem where the password was changed after the snapshot and the password for the computer account also changed. We wanted to go back to the snapshot. The result was a server that you can't log on to anymore, because the computer account had a newer password (no trust anymore) and the local password was also newer. Is there a way to get the old local password?

    • Author

      Unless you're using a third-party application or writing something in PowerShell to regularly dump the passwords, nope.

  16. Tim 5 years ago

    What if the user changes the local admin password himself?
    Is the password mirrored to AD, or is the password overwritten by the one set in AD?

    Thank you!

    • Author

      Nope. If a user with local Admin rights on the computer changes the password, you no longer know the local Administrator password on the system.

  17. sadiq 5 years ago

    After installing LAPS, I got this problem. Please help me to fix it... Thanks

    User Name
    Administrator

    Client IP Address
    10.100.1.31

    Client Host Name
    10.100.1.31

    Domain Controller
    DOMAIN.john.com

    Logon Time
    Nov 18,2016 02:15:29 PM

    Event Type
    Failure

    Failure Reason
    Bad password

    Domain
    krbtgt/john.com

    Remarks
    Kerberos pre-authentication failed.

    Logon Service
    krbtgt/john.com

    SID
    %{S-1-5-21-2415345328-180167431-1577633172-500}

    Event Number
    4771

    Event Code
    16

    • Author

      This isn't terribly useful without context. Is this on the client or the server? What other steps have you performed?

  18. Gandhasree 5 years ago

    Hi,

    I have configured LAPS in my environment. After the configuration, the LAPS UI is now showing the password.

    Everything is properly configured.

  19. CMAN 5 years ago

    Kyle or anyone?

    What happens if the DC is down? How can you read the passwords?

    • Author

      DC? Singular? You can't read the passwords if the DC is down. Why do you only have one DC?

  20. Ren 5 years ago

    Hello, I'm not sure if anyone has encountered the same issue I am having. I've set up LAPS in our domain. Everything looks fine. I see the attribute with the password, and security is also set up and delegated. However, if I use the password stored in the attribute, the password does not seem to work. Please advise.

  21. Hi Ren,

    Have you tried setting a new expiration time through LAPS UI? Choosing a date in the past then restarting the client will force a new password to be set.

    I have noticed that a newly imaged machine (without removing the object from AD) will show the old password in LAPS but it won't work until I set a new one.

    • Ren 5 years ago

      Hello Andre,

      I appreciate your response. I've tried setting a new expiration, choosing a date in the past, waited half a day and ran gpupdate, restarted the machine, checked to make sure the GPO is applied, but still the password in ADUC does not work. I've tried setting a new expiration, this time with a date in the future, but same thing.

      Please advise.

      Ren

  22. Ren,

    Strange... When you set the expiration to a date in the past, after restarting the client, did the password in ADUC/LAPS UI change? When you look at your group policy scope and filtering is the computer object subject to your LAPS policy?

    If you have another administrator account you can log in with, you could open an elevated command prompt and run "gpresult /r". Verify under the Computer Settings > Applied Group Policy Objects section that you see your LAPS policy.

    It may be the case that the computer object is not in the correct OU or group.

    • Ren 5 years ago

      I agree, very strange. I searched everywhere to see if I missed something and I even reconfigured it again, but same thing.

      - Yes, the password shows in ADUC.

      - Yes, the password changed after I set the expiration to the past.

      - Yes, the policy is applied after running gpresult /r.

      - Under security filtering, the computer is added and I made sure "apply group policy" is checked.

      - I enforced the LAPS GPO.

      - LAPS is installed on the machine.

  23. Ren,

    Hmm, it seems like you're doing everything correctly.

    It may sound dumb but are you typing in the admin password? I prefer to use Remote Desktop, then copy/paste the password, as I find it difficult to distinguish between some of the characters.

    And the account you're trying to log into is the built in local administrator (assuming you didn't point LAPS at a different account) using ".\administrator" to prevent it from trying to use a domain account.

    Other than that I'm running out of ideas for you to try, sorry.

    • Ren 5 years ago

      Yes, I'm typing the password and I did try copy and paste.

      We are not using the built-in local admin. Could that be the issue? I see documents that say you specify the local admin name in the LAPS GPO and it should work.

      No worries. I appreciate your time.

      • Author

        Sounds like that is your problem. If you're not using the local Administrator account, you have to specify the username of the account in the GPO.

        • Ren 5 years ago

          Hello Kyle, I did specify the username of our local admin account but that didn't help.

  24. Ren 5 years ago

    Please help!

    When I issued the command "Set-AdmPwdComputerSelfPermission -OrgUnit <OU where the client machines are stored>"

    I get the error below...

    PS C:\windows\system32> Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,OU=Managed,DC=domain,DC=ca"
    Set-AdmPwdComputerSelfPermission : The object does not exist.
    At line:1 char:1
    + Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,OU=Managed,DC=domain, ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-AdmPwdComputerSelfPermission], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.DelegateCom
    rSelfPermission

    • Author

      The error is right there: "The object does not exist." Does that OU actually exist, or is that actually a folder in your AD?

  25. ryan pietrow 5 years ago

    Hello, I'm having an issue extending the schema; when I run the update-Admpwdadschema command this comes up:

    PS C:\Users\administrator.ICT> update-admpwdadschema
    update-admpwdadschema : An operation error occurred.
    At line:1 char:1
    + update-admpwdadschema
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema

    I've run it as admin, checked user privileges and registered a DLL, schmmgmt.dll, that a guy said might fix it.

    Any ideas?


© 4sysops 2006 - 2021
