The Local Administrator Password Solution (LAPS) prevents companies from using the same password for local admin accounts on all computers. Microsoft extends LAPS in Windows 11 to DSRM accounts on DCs, allows encryption of passwords, and provides its own password policies for LAPS.

LAPS sets the passwords for local admin accounts with randomly generated strings and renews them automatically at predefined intervals. Active Directory serves as backup storage; from there, authorized users can read the passwords.

Simpler implementation

The solution comprises several components that previously had to be downloaded and installed separately. The previous implementation, therefore, included the following steps (and still does in Windows 10):

  • Complete installation of LAPS on the management PC
  • Extending the AD schema to include the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes for computer objects
  • Configuring the permissions for these attributes so that only authorized users can view the stored passwords
  • Installation of the Group Policy client-side extension on all managed computers
  • Creating a GPO with which the settings for password management are defined

Because Microsoft strongly recommends the use of LAPS to secure local admin accounts, it is about time that the company now simplifies the use of this feature.

Since Windows 11 Insider Preview Build 25145, LAPS has been part of the operating system. This means that some previously required tasks are no longer necessary:

  • The Group Policy client-side extension no longer needs to be installed separately on every PC.
  • The ADMX template is on board and does not have to be copied to the Central Store separately.
  • The PowerShell module LAPS is automatically available on every Windows 11 PC.

Nevertheless, it is still necessary to do the work required to prepare Active Directory and configure the feature, which is done via PowerShell and group policies.

LAPS includes several new group policies increasing their total number from four to nine

LAPS includes several new group policies increasing their total number from four to nine

However, the LAPS UI (admPwd.UI.exe) for fetching passwords from Active Directory is not available in Windows 11. This purpose is now exclusively served by the Get-LapsADPassword cmdlet.

In addition, admins must familiarize themselves with several new cmdlet names. These now contain Laps in the noun instead of AdmPwd. For example, Update-LapsADSchema is used to extend the AD schema; previously, it was called Update-AdmPwdADSchema.

Comparison of old and new PowerShell cmdlets for LAPS

Comparison of old and new PowerShell cmdlets for LAPS

Encrypt passwords in AD

One new feature is the option of encrypting passwords stored in AD. While these are basically protected by the permissions on the AD attributes provided for them, encryption adds an additional layer of security.

The Enable password encryption group policy setting requires the domain functional level to be at Windows Server 2016. If this condition is not met, LAPS will not simply store unencrypted passwords in AD; instead, it will store no passwords at all.

To decrypt passwords, you have to use the Configure authorized password decryptors setting to designate specific users or groups for this task.

Management of DSRM accounts

Another interesting new feature is that LAPS now allows you to manage the password of the DSRM account. This is authorized for Directory Service Restore Mode on each domain controller and acts as a "break-glass" administrator.

Its password is set when you promote a Windows server to a DC. In most environments, it is then changed rarely, or not at all. To avoid this, you can synchronize it with a selected account, but only by manually invoking ntdsutil.exe.

With LAPS support for the DSRM account, Microsoft eliminates a possible security vulnerability by generating a new password for this account at regular intervals. However, the Enable password backup for DSRM accounts setting requires encryption to be enabled for the stored passwords.

Additional new group policies

Configure size of encrypted password history: Specify how many previous passwords are kept in AD. Encryption must be enabled for this; this setting does not apply to passwords in plain text.

Password Settings: Define your own password policy for local admin accounts.

LAPS allows the configuration of your own password policy for local admin accounts

LAPS allows the configuration of your own password policy for local admin accounts

Post-authentication actions: Execute predefined actions with a certain delay ("grace period") after a successful login of a LAPS-managed account. These actions comprise resetting the corresponding password in combination with logging off the user or restarting the computer.

Possible actions after a managed local administrator has logged in

Possible actions after a managed local administrator has logged in

Configure password backup directory: Choose between a local Active Directory and Azure AD as the backup store. However, the latter is not yet generally available for this purpose. If you do not configure this setting, then LAPS will not back up the passwords to any directory.

Conclusion

The integration of LAPS into the operating system should lower the inhibition threshold for many admins to use this security add-on. It simplifies its usage and ensures that updates are always delivered with the OS.

The version of LAPS included in Windows 11 offers a number of interesting new features compared to the original version. This primarily affects DSRM accounts, the encryption of passwords, and the automatic execution of actions after a local admin has logged in.

Subscribe to 4sysops newsletter!

We can only hope that Microsoft will offer the extended LAPS for Windows 10 in the near future.

avataravataravatar
7 Comments
  1. Peter Wisse 1 year ago

    We are using LAPS and facing the next issue.
    When we have to restore a machine from the backup before the moment the LAPS password has changed ,we cannot login with the local administrator account.
    Do you have a solution for this issue?

    • Author

      Well, you cannot blame LAPS for the password mismatch if you reset the machine to an old state. But LAPS in Windows 11 provides a password history, so you can also request previous passwords.

    • Fabian Riechsteiner 1 year ago

      As soon as the restored machine boots it will contact the domain and set a new password.

      If you only want some files use file level recovery.

      If you want the full machine but not connected to the network get the attribute from your AD backup (you backup your AD, right?) or boot from a DaRT CD and use Locksmith to set a new local admin PW.

      I can’t see any problem.

  2. fivesoul 1 year ago

    Same with me. LAPs is useless. More damage from curing…

  3. frank 11 months ago

    I had LAPS working on all our devices. However, recently I have swapped all devices for new Surface laptop 4 with Windows11 and now LAPS doesn’t work at all. Any ideas? DC is still Server2019, no changes in policies or whatsoever.

    • Peter 8 months ago

      My impression is that unless you configure the “BackuptoDirectory” value, Windows 11 will not backup its key to AD. However I cannot see how you can configure this GPO setting as the latest ADMX templates for Windows 11 do not contain the previous admpwd.admx. All very odd, unless its linked to the notification about LAPS extra stuff coming out in public preview in early 2023. Or unless you need to get the RSAT tools on Windows 11 client to expose this setting.
      Who knows…

      • Peter 8 months ago

        Ah – yeah it does look like the GPOs are only for Windows 11 insider build not production yet. Legacy LAPS still seems to work for Windows 11.

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account