Active Directory, Local Administrator Password Solution

For OU Administrators: This page contains information about support for Microsoft's LAPS (Local Administrator Password Solution) in UOFI Active Directory.

Microsoft has released a tool called LAPS (Local Administrator Password Solution) for managing local administrator passwords on computers that are joined to the domain. This tool automates management of the local Administrator account password, including generating a complex password on a rotating basis, and storing that password in a protected attribute on the computer object in Active Directory. For more information, please view Microsoft's documentation on LAPS.

The graphical LAPS tool and PowerShell module can be downloaded here.

How to use LAPS

In order to use LAPS with computers in the UOFI domain, please send a request to adsupport@illinois.edu, including:
  • The name of the OU where you'd like to use LAPS
  • The name of a group that should be able to read the LAPS attributes on objects in your OU

On clients to be managed, LAPS is configured and applied using two parts:

  • GP CSE (Group Policy Client Side Extension) installed via the download link above.
  • Group policy configured and applied to those clients.

To manage LAPS, you use the same installation package from the download link above. It includes components for the PowerShell module and a management GUI.
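Once the CSE and group policy are in place, an OU admin can check that the setup took effect. The following is an added example, not part of the original page or of Microsoft's tooling: it uses the legacy `AdmPwd.PS` module and the RSAT `ActiveDirectory` module to list who can read LAPS passwords in an OU and which computers have no current LAPS password. The OU distinguished name and the allow-list of expected principals are placeholders, and the script assumes your account can read `ms-Mcs-AdmPwdExpirationTime` on the computer objects.

```powershell
# Added example: audit legacy LAPS coverage for one OU.
Import-Module AdmPwd.PS          # legacy Microsoft LAPS PowerShell module
Import-Module ActiveDirectory    # RSAT module, provides Get-ADComputer

# Placeholders: replace with your own OU and the principals you expect.
$OuDn     = 'OU=ExampleUnit,DC=example,DC=edu'
$Expected = @('EXAMPLE\ExampleUnit-LAPS-Readers',
              'EXAMPLE\Domain Admins',
              'NT AUTHORITY\SYSTEM')

# 1. Principals holding extended rights on the OU, which lets them read
#    the stored password. Anything outside the allow-list needs review.
$holders = (Find-AdmPwdExtendedRights -Identity $OuDn).ExtendedRightHolders
$holders | Where-Object { $_ -notin $Expected } |
    ForEach-Object { Write-Warning "Unexpected LAPS reader on ${OuDn}: $_" }

# 2. Computers with no LAPS password, or with one past its expiration.
#    ms-Mcs-AdmPwdExpirationTime is stored as a FILETIME (Int64).
$now = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $OuDn -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc($raw) } else { $null }
        [pscustomobject]@{
            Computer   = $_.Name
            ExpiresUtc = $expires
            Status     = if (-not $expires)      { 'NoLapsPassword' }  # CSE or GPO not applied
                         elseif ($expires -lt $now) { 'Overdue' }      # client not rotating
                         else                       { 'OK' }
        }
    } |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, Computer |
    Format-Table -AutoSize
```

A computer reported as `NoLapsPassword` usually means the CSE is not installed or the policy is not reaching it; `Overdue` means the client has stopped processing the policy.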

Windows LAPS vs Legacy Microsoft LAPS

In 2023, Microsoft released Windows LAPS, which is built into more recent versions of Windows and Windows Server. Windows LAPS provides more benefits than Legacy Microsoft LAPS.

However, we have not yet migrated our Active Directory environment to use the new Windows LAPS. We are undergoing testing to make sure that the transition to the new LAPS product will go as smoothly as possible for IT Pros and their clients. Updates will be provided to OU admins and IT Pros as soon as we have them. We will provide information here for IT Pros to transition from Microsoft LAPS to Windows LAPS.

Differences between the two PowerShell modules can be found here.

LAPS GPO Settings

Legacy LAPS settings are available under Computer Configuration - Policies - Administrative Templates - LAPS.

Windows LAPS settings (not supported in our AD environment yet!) are available under Computer Configuration - Policies - Administrative Templates - System - LAPS.



Keywords: Active Directory, LAPS, Local Administrator, Group Policy, GPO
Doc ID: 66220
Owner: Active D.
Group: University of Illinois Technology Services
Created: 2016-08-17 13:40:06
Updated: 2024-04-02 18:09:43
Sites: University of Illinois Technology Services