The Microsoft Local Administrator Password Solution (LAPS) allows organizations to securely rotate the local Administrator passwords for their desktops, laptops, tablets, and servers. In this article, I’ll cover several of the most frequently asked questions I’ve received about LAPS.

Does the Microsoft Local Administrator Password Solution (LAPS) require an agent? I really don’t want to install yet another agent on my computers. (Special thanks to reader Mike for this question.)

No, LAPS does not require an agent. For LAPS to function on workstations and servers, a Group Policy Client Side Extension (CSE) will need to be installed. The Group Policy CSE is not an agent. Typically, an agent is a service that runs at system startup and continues to run in the background to provide telemetry or some other data back to a central system such as System Center Configuration Manager, Operations Manager, or an antivirus monitoring platform. The CSE only runs at Group Policy refresh cycles.

Local Administrator Password Solution Setup - Manual install of Group Policy CSE

Can I use LAPS without installing the Active Directory schema changes?

No, you cannot use LAPS without installing the AD schema changes. The schema update adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes that LAPS requires.

Does LAPS require additional infrastructure, such as extra application servers or SQL?

No. LAPS requires two additions to your AD schema. LAPS also requires that an additional Group Policy Client Side Extension (CSE) be installed on all of the managed computers. You will not need to run an additional application server or SQL server to use LAPS.

Is storing the Administrator password in AD in plain text secure?

The ms-Mcs-AdmPwd attribute in AD is a confidential attribute protected by an Access Control List (ACL). Only users with permissions to view this attribute can view the password (that is, Domain Admins and anyone else they’ve delegated access to). Keeping the same local Administrator password across large groups of systems is a much bigger security risk.

If the passwords are stored in AD, can’t anyone with AD access view them?

No, only users with adequate permissions can view the stored passwords. You can use the Find-AdmPwdExtendedRights PowerShell cmdlet to view which groups and users can view the stored passwords. You can use the Set-AdmPwdReadPasswordPermission PowerShell cmdlet to give groups and/or users access to view the passwords.
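As an added example (not code from the article), the following PowerShell script walks an OU tree with Find-AdmPwdExtendedRights, lists every principal that can read ms-Mcs-AdmPwd, flags anything that is not on an approved list, and then delegates read access with Set-AdmPwdReadPasswordPermission. The OU path and the group names are assumptions; adjust them to your own forest.

```powershell
# Added example (not from the article): audit which principals hold the
# right to read ms-Mcs-AdmPwd below an OU, flag anything outside an
# approved list, and delegate read access to one designated group.
# Assumptions: the AdmPwd.PS and ActiveDirectory modules are installed on the
# admin workstation; the OU path and group names below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$SearchBase      = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$ApprovedReaders = @('NT AUTHORITY\SYSTEM',                  # assumed list
                     'CORP\Domain Admins',
                     'CORP\LAPS-Password-Readers')

function Get-LapsReaderReport {
    <#
      Returns one row per (OU, principal) pair reported by
      Find-AdmPwdExtendedRights, with an Approved flag.
    #>
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string[]]$ApprovedReaders
    )

    # Walk the search base and every OU beneath it so that delegations
    # granted further down the tree are not missed.
    $ous = @($SearchBase) +
           (Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
            Select-Object -ExpandProperty DistinguishedName)

    $rows = foreach ($ou in ($ous | Sort-Object -Unique)) {
        # Each result carries ObjectDN and an ExtendedRightHolders array
        # of NT account names in the form "DOMAIN\Name".
        Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
            $dn = $_.ObjectDN
            foreach ($holder in $_.ExtendedRightHolders) {
                [pscustomobject]@{
                    OU        = $dn
                    Principal = $holder
                    Approved  = ($ApprovedReaders -contains $holder)
                }
            }
        }
    }
    # The cmdlet may report nested OUs itself, so de-duplicate the rows.
    $rows | Sort-Object OU, Principal -Unique
}

$report = Get-LapsReaderReport -SearchBase $SearchBase -ApprovedReaders $ApprovedReaders

# Anything not on the approved list deserves a look: that principal can pull
# the local Administrator password of every computer in the OU.
$report | Where-Object { -not $_.Approved } | Format-Table -AutoSize

# Delegate read access to the designated reader group (safe to re-run).
Set-AdmPwdReadPasswordPermission -Identity $SearchBase `
    -AllowedPrincipals 'CORP\LAPS-Password-Readers'
```

Run the report periodically, not just at deployment time: a group added to an OU ACL later inherits the read right without any LAPS cmdlet being involved. The same module also offers Set-AdmPwdAuditing, which makes each password read produce a Security log event on the domain controller, so that reads by approved accounts can be reviewed as well.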

Find-AdmPwdExtendedRights output example


Can I require two-factor authentication (2FA) to view the passwords LAPS has stored in AD?

Access to the ms-Mcs-AdmPwd attribute is controlled with a user’s regular AD credentials. You would need to implement 2FA for all user logons that have access to that data in AD. You won’t be able to require 2FA for just accessing that attribute without implementing some kind of custom solution.

What happens if an admin’s account is compromised? Wouldn’t the compromised account have access to the stored passwords?

If a user with adequate rights to view the ms-Mcs-AdmPwd attribute is compromised, that account could be used to pull all of the local Administrator passwords from your domain (or subset of computers if the user account can only view Administrator passwords for specific OUs in the domain). Typically, this kind of account would already have had enough rights to reset the password remotely on any of those computers or wreak other havoc with the delegated privileged access.

The upside of having LAPS in place is that you can now force a password reset on all systems that could have a compromised Admin password and then see in AD if they’ve updated.

Can LAPS manage the password of the local Administrator account and a custom local administrator account with a different name at the same time?

You can manage either the default Administrator account (including if the account has been renamed) or a secondary local Administrator account that you’ve created, but not both.

What happens if the computer loses its connection/trust with Active Directory? Will LAPS change the local Administrator password on the computer, but fail to update it in AD? If this happens, I won’t know the local Administrator password. (Special thanks to reader Ken D. for this question.)

The password that is stored in AD is the computer’s current password—even if the password should have expired. In this situation, the computer’s Group Policy Client Side Extension (running in the Local SYSTEM context) would be unable to check the expiration date stored in AD. When that happens, the password change process would stop. You would need to re-establish the computer’s AD trust before the local Administrator password changes again.
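The two answers above (forcing a reset after a suspected compromise and then checking in AD whether each computer updated, and spotting computers whose rotation has stalled because the trust with AD is broken) share one piece of logic: reading ms-Mcs-AdmPwdExpirationTime and comparing it with the clock. The script below is an added example, not code from the article; it assumes the AdmPwd.PS and ActiveDirectory modules, and the OU path and computer names are placeholders.

```powershell
# Added example (not from the article): report which computers in an OU have
# a LAPS password whose expiration has passed without being rotated, force a
# reset for a chosen set of computers, and verify afterwards that each one
# wrote a fresh expiration time back to AD.
# Assumptions: AdmPwd.PS and ActiveDirectory modules are installed; the OU
# path and the computer names are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Scope = 'OU=Workstations,DC=corp,DC=example'   # assumed OU

# ms-Mcs-AdmPwdExpirationTime is an Integer8 holding a Windows FILETIME
# (100-ns ticks since 1601-01-01 UTC); Get-ADComputer returns it as Int64.
function ConvertFrom-AdmPwdFileTime {
    param($Value)
    if ($null -eq $Value -or [Int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([Int64]$Value)
}

function Get-LapsRotationState {
    <#
      One row per computer with its expiration (UTC) and a State of:
      NeverSet - attribute empty: the CSE has never written to AD
      Overdue  - expiration passed more than GraceHours ago; the CSE is not
                 rotating (lost trust, CSE missing, no GP refresh), so the
                 value in AD is still the live password
      Current  - expiration is in the future
    #>
    param([Parameter(Mandatory)][string]$SearchBase, [int]$GraceHours = 24)

    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$GraceHours)
    Get-ADComputer -Filter * -SearchBase $SearchBase `
                   -Properties 'ms-Mcs-AdmPwdExpirationTime' |
      ForEach-Object {
        $exp   = ConvertFrom-AdmPwdFileTime $_.'ms-Mcs-AdmPwdExpirationTime'
        $state = if ($null -eq $exp)        { 'NeverSet' }
                 elseif ($exp -lt $cutoff)  { 'Overdue' }
                 else                       { 'Current' }
        [pscustomobject]@{ Computer = $_.Name; Expires = $exp; State = $state }
      }
}

function Invoke-LapsScopedReset {
    <# Force rotation at the next Group Policy refresh for each computer. #>
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        # Sets ms-Mcs-AdmPwdExpirationTime to now; the CSE on the client sees
        # the expired value at its next refresh and rotates the password.
        Reset-AdmPwdPassword -ComputerName $name | Out-Null
    }
    (Get-Date).ToUniversalTime()   # reset timestamp, kept for verification
}

function Get-LapsResetVerification {
    <#
      After the clients' refresh interval, a computer that rotated shows an
      expiration later than the reset time; one that did not still shows the
      expired value, and the password in AD is still its current one.
    #>
    param([Parameter(Mandatory)][string]$SearchBase,
          [Parameter(Mandatory)][DateTime]$ResetTime,
          [Parameter(Mandatory)][string[]]$ComputerName)
    Get-LapsRotationState -SearchBase $SearchBase -GraceHours 0 |
      Where-Object { $ComputerName -contains $_.Computer } |
      Select-Object Computer, Expires,
        @{ n = 'Rotated'; e = { $null -ne $_.Expires -and $_.Expires -gt $ResetTime } }
}

# 1. Which computers are not rotating at all?
Get-LapsRotationState -SearchBase $Scope |
    Where-Object State -ne 'Current' | Format-Table -AutoSize

# 2. Suspected exposure: force a reset on the affected machines (placeholders).
$affected  = @('WS-0001', 'WS-0002')
$resetTime = Invoke-LapsScopedReset -ComputerName $affected

# 3. Later, once the clients have refreshed Group Policy, confirm rotation.
Get-LapsResetVerification -SearchBase $Scope -ResetTime $resetTime -ComputerName $affected |
    Format-Table -AutoSize
```

Computers reported as Overdue are the ones the trust-loss answer describes: the password in AD is still what the machine is using, so it can be read with Get-AdmPwdPassword to log on and repair the domain membership, after which rotation resumes on its own. NeverSet rows point at a different problem (the CSE not installed, or the computer's SELF permission on the OU missing), which a forced reset will not fix.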

Can LAPS manage the local Administrator passwords on non–domain-joined machines?

No. Computers must be domain-joined to be managed by LAPS.

Can LAPS change the stored password for a service if it is using the local Administrator account?

No. LAPS will only update the local Administrator password. It will not update the service to use the new password.

Aren’t there more elaborate solutions that can do more than just randomize the local Administrator password? What if I need to rotate passwords for service accounts or do something more advanced?

Microsoft LAPS is designed to randomize passwords of the local Administrator (or a custom Administrator account) for domain-joined systems without the need to implement additional infrastructure. This gives organizations a way to randomize those local passwords to prevent large numbers of computers from being vulnerable to Pass-the-Hash attacks or from being compromised if that password becomes known. Yes, much more elaborate solutions exist if you’re willing to pay for them and take the effort to implement additional infrastructure.

What if my question isn’t listed here?
Feel free to ask your question in the comments section below!

148 Comments
  1. Hector Hernandez 5 years ago

    Kyle;

    Does the admin account have to be enabled for LAPS to update the password?

  2. Santeno 5 years ago

    I have cases where the password is set to never expire, and the passwords are not changed by LAPS. Can LAPS change the password while it is set to never expire? What is the solution if the password is set to never expire? Thanks.

  3. Omar Al-Dweik 5 years ago

    Hello,

    I have a small issue with LAPS, as below...

    Our local admin user has the check mark "Password Never Expires" set, and LAPS is not able to change the password unless "Password Never Expires" is unchecked.

    Please help?

  4. Thomas Scott 4 years ago

    Is anyone else having the same problem as me? I have followed the guide and all commands completed without an error. But when I go into the properties of the OU I have set this on, I can see that "SELF" has the following set to allowed:

    Read ms-Mcs-AdmPwd
    Write ms-Mcs-AdmPwd

    But the following set to deny:

    Read ms-Mcs-AdmPwdExpirationTime
    Write ms-Mcs-AdmPwdExpirationTime

    And the user (which is a domain admin) that I ran the Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission commands against has the following allowed:

    Read ms-Mcs-AdmPwdExpirationTime
    Write ms-Mcs-AdmPwdExpirationTime

    And the following denied:

    Read ms-Mcs-AdmPwd
    Write ms-Mcs-AdmPwd

    I have tried to re-run the commands, which complete successfully and say they are delegated, but the permissions don't change on the OU. I have also tried to manually update these permissions on the OU (for which I am the owner), but when I click Apply the changes don't save.

    Very odd; some help would be greatly appreciated.

    • Thomas Scott 4 years ago

      Sorry when I say they are denied I mean they do not have a check in them, for either allowed or denied. They are just blank.

  5. Dusty 4 years ago

    Note that LAPS does not provide a history of the administrator password.

    This will cause an issue when restoring a server to a time before the password stored in AD.

    Also, the restored server will not have a trust established with the domain.

    In this case, the only way to login is to use DaRT and reset the local admin password.


    • JamieT 4 years ago

      While I love LAPS, there is some quirkiness to it. One major issue I have is that once you remove a computer from AD you have to make sure to reset the local admin password before restarting, as you won't be able to look up the password. I am not sure if I overlooked something or not, but it seems that once it is removed from AD you cannot look up what the previous password was set to.

  6. VM 4 years ago

    Are there any updates to this LAPS product? Planning to implement in a Server 2012 forest environment, but will that change when we upgrade to Server 2016?

    I don't see many upgrades / updates. How often does this product get upgraded?

    V

  7. Andy 4 years ago

    Ken,

    I will be getting with the admin who implemented LAPS tomorrow.

    We are joining new computers to the domain through WDS and MDT.

    The join happens before the administrator account logs in (which is handled by XML to designate the admin password for application installs/settings).

    So, will the PC be able to log in after the join and run the task sequences/install applications?

    And is this part of the GPO applied before or when a domain user logs in?

    Is there a way to delay the application of the random password for 12-24 hours?

    We keep the laptops/PCs locked up for at least 24 hours before deployment anyway, and MDT only takes about 1-2 hours depending on Windows updates/connection/application install times.

    Would be nice to be able to keep things automated after joining the domain.

    Any idea what would be the best solution here outside of manually joining the domain?

    Thanks

    Andy

  8. Andy 4 years ago

    Sorry, meant Kyle

  9. Hai Tran 4 years ago

    Hi Mr.Kyle,

    I had deployed LAPS since April 2017. It worked perfectly.

    Recently, a couple of weeks ago, LAPS didn't work properly. After investigating, I found that the two attributes (ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime) weren't added on new computers that were joined to the domain. The old computers still work normally.

    I think that caused the LAPS agent to be unable to update the password in Active Directory.

    Please help me on this case.

    Thanks,
    Hai Tran

  10. Adit Amar 4 years ago

    Please tell us whether there is any centralized management for LAPS, where we can find the number of PCs joined, unjoined, etc. Is there any interface/management like WSUS???

  11. Adit Amar 4 years ago

    I mean to say the number of PCs on which it has been installed and the number of PCs on which it hasn't. Is there any centralized management or interface??

  12. Adit Amar 4 years ago

    Also, please tell me the port numbers on which LAPS works.

  13. jomz 4 years ago

    I have duplicate OUs, as there are different policies to be applied in the same department. How can I apply Set-AdmPwdComputerSelfPermission?

  14. kovendhan J 4 years ago

    I want to set the same password for all domain-joined computers. Is that possible with LAPS?

    • Jomz 4 years ago

      No. MS LAPS is designed to use a unique password on each computer.

  15. Hi,

    No, you cannot set the same password; you can use a script and/or Group Policy to do it, though.

    Regards,
    Jörgen

  16. Jimmy 4 years ago

    Hello, are there any resources available for help using PowerShell to manually set the "ms-Mcs-AdmPwdExpirationTime" attribute? The use case is that we have servers in a DMZ where there are no writable domain controllers. I am having some difficulty figuring out how to update this attribute because the type is Integer8, or "ADsLargeInteger", which is a COM object. I have found code to create the LargeInteger object, but when I try to write this to AD it only says "unspecified error".

  17. Manoj 4 years ago

    Hi All,

    Is there any way to target all OUs in one go to delegate the access to the computer ("Set-AdmPwdComputerSelfPermission")? Does this command work if I run it against the domain name?

    I want to enable LAPS across all OUs.

  18. Grant 4 years ago

    We clone a domain controller to create a development environment but I don't want to have the LAPS passwords contained in the development environment.

    Is there any way to remove the LAPS passwords from AD so they won't exist there? The password field is not directly editable; I have tried doing something like the below, but that has no effect.

    get-adobject -filter * -Properties ms-mcs-admpwd | where { $_."ms-mcs-admpwd" } | % { $_.'ms-mcs-admpwd' = '' }

    Using the Reset-AdmPwdPassword cmdlet only has the effect of resetting the timestamp without affecting the stored password.

    Is there any other way to sanitize the development environment from a copy of AD?

  19. kaushik Dey 4 years ago

    Hi,

    Can anyone let me know what delegation I need to provide to a user so that he can set the password expiration time from the LAPS console?

  20. Angie 4 years ago

    Hi,

    Does anyone understand exactly what the following GPO setting means? "Do not allow password expiration time longer than required by policy"?

  21. Nilesh 4 years ago

    We have implemented LAPS in our organization. Some of the systems get trust relationship errors and we need to remove them from AD and rejoin them. But in this case we missed taking the PWD, and we now don't know how to deal with this issue. We are not able to log in as Administrator to join the machine to the domain.

    Does somebody face this issue, and how do you deal with it?

  22. DLH 4 years ago

    I am forwarding a question by our Infosec group. The local user account we are using for LAPS, User1, has a setting checked where the password never expires. Can this be unchecked? It is coming up on a report. I am trying to recall the specific settings.

    Thank you

  23. Manoj 4 years ago

    Is there a PowerShell command to get the LAPS-managed passwords for multiple PCs?

  24. ad 4 years ago

    Can we change the password randomization duration and set the password ourselves for servers?

    What happens if the server loses trust in AD and can't connect to domain controllers? What password are we going to use to log in?

  25. Nick 4 years ago

    How can you completely remove LAPS if you decide you no longer want to use it?


© 4sysops 2006 - 2021
