LAPS in Windows 11: Password encryption and DSRM account management

• Author
• Recent Posts

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Latest posts by Wolfgang Sommergut (see all)

• Windows 11 taskbar: remove chat icon, customize search field with Group Policy - Tue, Oct 3 2023
• Allow non-admins to access Remote Desktop - Thu, Sep 28 2023
• Which WSUS products to select for Windows 11? - Tue, Sep 26 2023

LAPS sets the passwords for local admin accounts with randomly generated strings and renews them automatically at predefined intervals. Active Directory serves as backup storage; from there, authorized users can read the passwords.

Simpler implementation

The solution comprises several components that previously had to be downloaded and installed separately. The previous implementation, therefore, included the following steps (and still does in Windows 10):

• Complete installation of LAPS on the management PC
• Extending the AD schema to include the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes for computer objects
• Configuring the permissions for these attributes so that only authorized users can view the stored passwords
• Installation of the Group Policy client-side extension on all managed computers
• Creating a GPO with which the settings for password management are defined

Because Microsoft strongly recommends the use of LAPS to secure local admin accounts, it is about time that the company now simplifies the use of this feature.

Since Windows 11 Insider Preview Build 25145, LAPS has been part of the operating system. This means that some previously required tasks are no longer necessary:

• The Group Policy client-side extension no longer needs to be installed separately on every PC.
• The ADMX template is on board and does not have to be copied to the Central Store separately.
• The PowerShell module LAPS is automatically available on every Windows 11 PC.

Nevertheless, it is still necessary to do the work required to prepare Active Directory and configure the feature, which is done via PowerShell and group policies.

LAPS includes several new group policies increasing their total number from four to nine

However, the LAPS UI (admPwd.UI.exe) for fetching passwords from Active Directory is not available in Windows 11. This purpose is now exclusively served by the Get-LapsADPassword cmdlet.

In addition, admins must familiarize themselves with several new cmdlet names. These now contain Laps in the noun instead of AdmPwd. For example, Update-LapsADSchema is used to extend the AD schema; previously, it was called Update-AdmPwdADSchema.

Comparison of old and new PowerShell cmdlets for LAPS

Encrypt passwords in AD

One new feature is the option of encrypting passwords stored in AD. While these are basically protected by the permissions on the AD attributes provided for them, encryption adds an additional layer of security.

The Enable password encryption group policy setting requires the domain functional level to be at Windows Server 2016. If this condition is not met, LAPS will not simply store unencrypted passwords in AD; instead, it will store no passwords at all.

To decrypt passwords, you have to use the Configure authorized password decryptors setting to designate specific users or groups for this task.

Management of DSRM accounts

Another interesting new feature is that LAPS now allows you to manage the password of the DSRM account. This is authorized for Directory Service Restore Mode on each domain controller and acts as a "break-glass" administrator.

Its password is set when you promote a Windows server to a DC. In most environments, it is then changed rarely, or not at all. To avoid this, you can synchronize it with a selected account, but only by manually invoking ntdsutil.exe.

With LAPS support for the DSRM account, Microsoft eliminates a possible security vulnerability by generating a new password for this account at regular intervals. However, the Enable password backup for DSRM accounts setting requires encryption to be enabled for the stored passwords.

Additional new group policies

Configure size of encrypted password history: Specify how many previous passwords are kept in AD. Encryption must be enabled for this; this setting does not apply to passwords in plain text.

Password Settings: Define your own password policy for local admin accounts.

LAPS allows the configuration of your own password policy for local admin accounts

Post-authentication actions: Execute predefined actions with a certain delay ("grace period") after a successful login of a LAPS-managed account. These actions comprise resetting the corresponding password in combination with logging off the user or restarting the computer.

Possible actions after a managed local administrator has logged in

Configure password backup directory: Choose between a local Active Directory and Azure AD as the backup store. However, the latter is not yet generally available for this purpose. If you do not configure this setting, then LAPS will not back up the passwords to any directory.

Conclusion

The integration of LAPS into the operating system should lower the inhibition threshold for many admins to use this security add-on. It simplifies its usage and ensures that updates are always delivered with the OS.

The version of LAPS included in Windows 11 offers a number of interesting new features compared to the original version. This primarily affects DSRM accounts, the encryption of passwords, and the automatic execution of actions after a local admin has logged in.

We can only hope that Microsoft will offer the extended LAPS for Windows 10 in the near future.