Active Directory, Local Administrator Password Solution

For OU Administrators: This page contains information about support for Microsoft's LAPS (Local Administrator Password Solution) in UOFI Active Directory.

What is LAPS?

An overview of LAPS can be found here. LAPS, or Local Administrator Password Solution, is a Windows feature that automatically manages and backs up the password of a local administrator account. LAPS creates a complex, random password for each computer that it manages and rotates it regularly. That password is stored in a protected attribute on the computer object in Active Directory, retrievable only by those authorized to do so.

Benefits of using LAPS

  • Protection against pass-the-hash and lateral-traversal attacks.
  • Improved security for remote help desk scenarios.
  • Ability to sign in to and recover devices that are otherwise inaccessible.
  • A fine-grained security model (access control lists and optional password encryption) for securing passwords that are stored in Active Directory.
  • Support for the Entra role-based access control model for securing passwords that are stored in Microsoft Entra ID (storing passwords in Entra ID is not supported yet).

Windows LAPS vs Legacy Microsoft LAPS

In 2023, Microsoft released Windows LAPS, which is built into more recent versions of Windows and Windows Server. Windows LAPS provides more benefits than legacy Microsoft LAPS. Microsoft has announced that the legacy Microsoft LAPS product is deprecated as of Windows 11 23H2 and later. Microsoft will continue to support the legacy Microsoft LAPS product on older versions of Windows (prior to Windows 11 23H2) on which it was previously supported. That support will end upon the normal End of Support for those OSes.

Differences between the two PowerShell modules can be found here.

Units and IT Pros that are utilizing legacy Microsoft LAPS policies can easily switch to Windows LAPS policies to take advantage of the new security features and improved product servicing. We will provide guidance for this below.

Those new to LAPS are encouraged to use Windows LAPS.

Deployment Scenarios

Deploy Windows LAPS

Windows LAPS inherits many design concepts from legacy Microsoft LAPS. If you're familiar with legacy Microsoft LAPS, many Windows LAPS features are familiar. A key difference is that Windows LAPS is an entirely separate implementation that's native to Windows. Windows LAPS also adds many features that aren't available in legacy Microsoft LAPS.

Windows LAPS is built into the following OS platforms with the specified update or later installed:

  • Windows 11 22H2 - April 11 2023 Update
  • Windows 11 21H2 - April 11 2023 Update
  • Windows 10 - April 11 2023 Update
  • Windows Server 2022 - April 11 2023 Update
  • Windows Server 2019 - April 11 2023 Update

Get Started

If you are an OU admin and are on a device that has Windows LAPS built in, you should be able to run the PowerShell commands below to start using LAPS.
The full list of PowerShell commands can be found here, but these will get you started. With any of the LAPS PowerShell commands, you can add the -Verbose flag to get detailed output.

Set-LapsADComputerSelfPermission -Identity <OU distinguished name>

  • This gives permissions to the computers in the specified OU to update their LAPS passwords in the directory.

Set-LapsADReadPasswordPermission -Identity <OU distinguished name> -AllowedPrincipals <Group or User name in UOFI\GroupName format or SID>

  • Configures security on an OU to grant specific users or groups permission to query LAPS passwords.

Set-LapsADResetPasswordPermission -Identity <OU distinguished name> -AllowedPrincipals <Group or User name in UOFI\GroupName format or SID>

  • Configures security on an OU to grant specific users or groups permission to set the LAPS password expiration time.

In order to use Windows LAPS with computers in the UOFI domain, please send a request to adsupport@illinois.edu, including:
  • The name of the OU where you'd like to use LAPS.
  • The name of a group that should be able to read and reset the LAPS passwords on objects in your OU.

This allows us to set permissions in Active Directory for the managed device to update its password and for the group to read and reset the LAPS passwords.
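As an added example (not part of this article or of Microsoft's documentation), the following script performs the three delegations above on one OU and then audits the resulting right holders with the LAPS module's Find-LapsADExtendedRights cmdlet. The OU distinguished name and group name are placeholders, and NT AUTHORITY\SYSTEM and Domain Admins are assumed to appear as default holders.

```powershell
# Delegate Windows LAPS rights on one OU, then audit who actually holds them.
# Added example for this article. $OU and $Readers are placeholders; in UOFI the
# Set-* steps are normally performed by the AD team after your request is processed.
$OU      = 'OU=Workstations,OU=MyDept,DC=example,DC=edu'   # placeholder DN
$Readers = 'UOFI\MyDept-LAPS-Readers'                       # placeholder group

# 1. Let each computer object in the OU write its own LAPS attributes.
Set-LapsADComputerSelfPermission -Identity $OU -Verbose

# 2. Grant the group the right to read passwords and to reset the expiration time.
#    Using the same group for both keeps the delegation easy to review.
Set-LapsADReadPasswordPermission  -Identity $OU -AllowedPrincipals $Readers -Verbose
Set-LapsADResetPasswordPermission -Identity $OU -AllowedPrincipals $Readers -Verbose

# 3. Audit: list every principal holding LAPS extended rights on the OU and flag any
#    that are not expected. SYSTEM and Domain Admins are assumed to be present by
#    default; anything else is a delegation that should be explained or removed.
$Expected = @('NT AUTHORITY\SYSTEM', 'UOFI\Domain Admins', $Readers)
$Rights   = Find-LapsADExtendedRights -Identity $OU
$Rights | Format-Table -AutoSize

$Unexpected = foreach ($r in $Rights) {
    foreach ($holder in $r.ExtendedRightHolders) {
        if ($Expected -notcontains $holder) { "$($r.ObjectDN): $holder" }
    }
}
if ($Unexpected) {
    $Unexpected | ForEach-Object { Write-Warning "Unexpected LAPS right holder -> $_" }
} else {
    "LAPS extended rights on $OU match the expected principals."
}
```

Re-running only step 3 on a schedule is a cheap way to catch a delegation that was added outside the request process.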

Important Note

Windows LAPS enables the capability for syncing local admin passwords to Entra ID. We do not support this capability at this time. We will update this article and send out communications once we have that in place.

How to use Windows LAPS

Since Windows LAPS is built into newer versions of Windows, neither your client machines nor your management machines need any additional software installed.

Once a Windows LAPS policy is applied to a client machine, it will immediately begin managing the local administrator password. When the password expires, the device generates a new, random password that's compliant with the current policy's length and complexity requirements.

Windows LAPS uses a background task that wakes up every hour to process the currently active policy. This task isn't implemented with a Windows Task Scheduler task and isn't configurable.

However, you can also manually start the policy processing cycle by forcing a group policy refresh (gpupdate /force) or by running Invoke-LapsPolicyProcessing (preferred because it's more scoped). 

Viewing and Managing Passwords

You must be a member of the group you designated to read LAPS passwords when you reached out to us. Additionally, if you set up password encryption (see Windows LAPS GPO Settings below), you must be a member of the group designated to decrypt passwords.

  • AD Attributes. These will either be stored in plain text or encrypted, depending on policy and the attribute. You must be a member of the aforementioned group(s) to read these LAPS attributes.
    • The local admin password is stored in msLAPS-Password or msLAPS-EncryptedPassword.
    • The expiration date is stored in msLAPS-PasswordExpirationTime.
    • If encryption and password history are enabled, earlier passwords are stored in msLAPS-EncryptedPasswordHistory.
  • ADUC (Active Directory Users and Computers) can be used to view and manage passwords via the LAPS tab. More information here. This only displays the most recently stored password. In order to query older passwords (assuming you enabled password history), you must use the Get-LapsADPassword PowerShell cmdlet.
  • The LAPS PowerShell module gives you the most options for viewing and managing LAPS passwords. Information on the module can be found here. Some helpful commands include:
    • To show the most recently stored password you can use Get-LapsADPassword -Identity <computername> -AsPlainText. You can optionally add -IncludeHistory to display past passwords.
    • To update a computer's password expiration time, you can use Set-LapsADPasswordExpirationTime -Identity <computername>. If you do not specify a time, it will set the expiration time to the current time, which expires the password immediately. You can optionally add -WhenEffective (Get-Date -Date "MM/DD/YYYY HH:MM:SS") to specify a date.
    • To reset the password from the client machine, you can use Reset-LapsPassword.
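The cmdlets above combined into a break-glass workflow, as an added example that is not part of this article: retrieve one computer's password without echoing it by default, show its history, and expire it immediately after use so the device rotates it on its next policy cycle. The computer name is a placeholder, and the script assumes you are in the delegated read/reset group (and the decryptor group, if encryption is on).

```powershell
# Break-glass retrieval of one computer's Windows LAPS password, followed by an
# immediate expiry. Added example for this article; $Computer is a placeholder.
$Computer = 'MYDEPT-WS01'   # placeholder computer name

# Without -AsPlainText the Password property is a SecureString, so the secret is not
# written to the console or to a transcript by accident.
$entry = Get-LapsADPassword -Identity $Computer
"Account : $($entry.Account)"
"Updated : $($entry.PasswordUpdateTime)"
"Expires : $($entry.ExpirationTimestamp)"
"Source  : $($entry.Source)"

# Reveal the password only at the moment of use, then drop the plaintext reference.
$plain = [System.Net.NetworkCredential]::new('', $entry.Password).Password
Write-Host "Password for $Computer`: $plain"
$plain = $null

# Previous passwords exist only when encryption and password history are enabled
# in policy; each history entry is returned as its own object.
Get-LapsADPassword -Identity $Computer -IncludeHistory |
    Select-Object Account, PasswordUpdateTime, ExpirationTimestamp, Source |
    Format-Table -AutoSize

# The password has now been seen by a person: expire it so the device rotates it
# within the hour. Omitting -WhenEffective sets the expiry to "now".
Set-LapsADPasswordExpirationTime -Identity $Computer -Verbose

# Alternative: schedule the rotation for a fixed time instead of immediately.
# Set-LapsADPasswordExpirationTime -Identity $Computer -WhenEffective (Get-Date -Date '12/31/2024 23:00:00')

# Optional: have the device process policy now instead of waiting for the hourly task.
# Invoke-Command -ComputerName $Computer -ScriptBlock { Invoke-LapsPolicyProcessing }
```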

Windows LAPS GPO Settings

Windows LAPS settings are available under Computer Configuration\Policies\Administrative Templates\System\LAPS. Settings available:

Configure password backup directory

This must be enabled, otherwise the LAPS password will not be backed up to or retrievable from Active Directory.

As previously mentioned, we do not support management of LAPS passwords in Entra ID (Azure Active Directory) at this time. Please make sure you choose Active Directory.

Password Settings

You can configure the password complexity, length, and age to suit your needs.

Default values

  • Complexity: large letters, small letters, numbers, special characters
  • Length: 14 characters
  • Age: 30 days

Name of administrator account to manage

If you have decided to manage a custom local admin account, you must specify its name here.

Note: DO NOT configure when you use the built-in admin account, even if you renamed it. That account is auto-detected by well-known SID. DO configure when you use a custom local admin account.

Do not allow password expiration time longer than required by policy

Enable this setting if you do not want to allow the admin account's password expiration time to be set later than the maximum password age permits. The default setting is enabled.

Enable password encryption

When this setting is enabled, the managed password is encrypted before being sent to Active Directory. The default setting is enabled.

Configure authorized password decryptors

Use this setting to specify the user or group authorized to decrypt encrypted passwords. Please note this is a separate setting from the one the AD team configured for you to authorize a group of users to read your LAPS passwords (although you can designate the same group). The Enable password encryption setting must be enabled for this to work. If this setting is disabled or not configured, encrypted passwords will be decryptable only by the Domain Admins group.

You need to specify either a SID in string format or the name of a group or user in "domain\(group or user)" format. The specified user or group must be resolvable by the managed device, otherwise passwords will not be backed up.

Configure size of encrypted password history

In order for this setting to work, password encryption must be enabled and passwords must be backed up to Active Directory. You can configure up to 12 previous passwords to be stored in Active Directory. If disabled or not configured, zero older passwords will be stored in Active Directory.

Post-authentication actions

This policy configures post-authentication actions which will be executed after detecting an authentication by the managed account.

  • Grace period: the amount of time (in hours) to wait after authentication to take the specified action. If this setting is set to zero, no post-authentication actions will be taken.
  • Actions: You can specify one of several actions to take:
    • Reset admin password
    • Reset admin password and log off of the account
    • Reset admin password and reboot the device.

If the setting is disabled or not configured, the default action is to reset the admin password and log off the managed admin account after 24 hours.
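To check that the settings described above actually reached a managed device, here is an added example (not from this article or from Microsoft) that reads the applied Windows LAPS policy and reports any value weaker than the recommendations in this section. ASSUMPTION: the policy is assumed to land in HKLM:\SOFTWARE\Microsoft\Policies\LAPS under the CSP-style value names used in the script; where a value is absent, the documented default from this article is used.

```powershell
# Compare the Windows LAPS policy in effect on a managed device with the settings this
# article recommends. Added example for this article. ASSUMPTION: policy values land in
# HKLM:\SOFTWARE\Microsoft\Policies\LAPS under the CSP-style names below; an absent value
# is treated as the article's documented default, not as a finding.
$Key = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (-not (Test-Path $Key)) { throw "No Windows LAPS policy found at $Key (is the GPO applied?)" }
$p = Get-ItemProperty -Path $Key

# Return the configured value, or the documented default when the value is not present.
function Get-LapsSetting([string]$Name, $Default) {
    if ($null -ne $p.$Name) { $p.$Name } else { $Default }
}

$Findings = @()
# BackupDirectory: 0 = disabled, 1 = Entra ID, 2 = Active Directory (assumed encoding).
if ((Get-LapsSetting 'BackupDirectory' 0) -ne 2) {
    $Findings += 'Backup directory is not Active Directory: passwords will not be retrievable from AD.'
}
if ((Get-LapsSetting 'PasswordLength' 14) -lt 14) { $Findings += 'Password length is below the 14-character default.' }
if ((Get-LapsSetting 'PasswordAgeDays' 30) -gt 30) { $Findings += 'Password age exceeds the 30-day default.' }
if ((Get-LapsSetting 'ADPasswordEncryptionEnabled' 1) -ne 1) {
    $Findings += 'AD password encryption is disabled: msLAPS-Password will be stored in plain text.'
} elseif (-not (Get-LapsSetting 'ADPasswordEncryptionPrincipal' $null)) {
    $Findings += 'No authorized decryptors configured: only Domain Admins can decrypt.'
}
if ((Get-LapsSetting 'PasswordExpirationProtectionEnabled' 1) -ne 1) {
    $Findings += 'Expiration protection is off: expiry can be pushed past the maximum age.'
}
if ((Get-LapsSetting 'PostAuthenticationResetDelay' 24) -eq 0) {
    $Findings += 'Post-authentication grace period is 0: no post-authentication action will run.'
}
$name = Get-LapsSetting 'AdministratorAccountName' $null
if ($name) {
    # Naming the built-in Administrator (RID 500) here is the mistake the article warns about.
    $acct = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if ($acct -and $acct.SID.Value.EndsWith('-500')) {
        $Findings += "AdministratorAccountName '$name' is the built-in admin; leave the setting unconfigured."
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } } else { 'Windows LAPS policy on this device matches the recommended settings.' }
```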

Transition from Microsoft LAPS to Windows LAPS

Migration scenarios from legacy LAPS to Windows LAPS on existing devices

Microsoft recommends migrating from legacy LAPS to Windows LAPS. This section describes procedures for accomplishing that migration on existing devices.

There are two basic approaches that can be used. The first approach is an immediate transition, while the second approach uses a period of side-by-side coexistence followed by a final transition.

The immediate transition is easier to implement. If you use the coexistence method as described, you will have to create a second local admin account to target with the Windows LAPS policy, and then remove the first account after transition is complete.

Immediate transition approach

You can immediately migrate from legacy LAPS to Windows LAPS on existing devices using the following steps:

  1. Disable/remove the legacy LAPS policy
  2. Create and apply a Windows LAPS policy
  3. Monitor the managed device to confirm a successful transition
  4. Remove the legacy LAPS software

The first two steps should be performed simultaneously (or as nearly so as possible).

The easiest approach when configuring the Windows LAPS policy is to target the same account that was previously targeted in the legacy LAPS policy. If you choose to target a different account, then it's your responsibility to create the new account prior to applying the Windows LAPS policy. The first account should be removed if no longer needed.

The Windows LAPS policy may also be configured with features (backup to Microsoft Entra ID, or enable AD password encryption) that weren't available in the legacy LAPS software.

When a Windows LAPS policy is first applied, the managed device performs an immediate rotation of the local account password. You should monitor the managed device to ensure the transition has completed successfully.

Once the transition has completed, the final step should be to remove the legacy LAPS software from the managed device (see below).

Coexistence (side-by-side) scenario with legacy LAPS

It's possible to use both Windows LAPS and legacy LAPS in a side-by-side scenario. For the side-by-side scenario to be successful, both policies MUST target different local accounts. Your long term goal however should be to migrate away from legacy LAPS to Windows LAPS.

Transient side-by-side coexistence approach

You may want to implement a more gradual migration procedure from legacy LAPS to Windows LAPS. The basic steps to perform this transition on existing devices are as follows:

  1. Configure the managed device with a second local account
  2. Create and apply a Windows LAPS policy
  3. Monitor the managed device to confirm a successful application of the Windows LAPS policy
  4. Disable/remove the legacy LAPS policy
  5. Remove the legacy LAPS software
  6. Remove the extra account

With this approach, it's necessary to create a second local account since it's not supported to have both a Windows LAPS policy and legacy LAPS policy targeting the same account.

After confirming that Windows LAPS is working properly, you may leave the managed device in this state for as long as needed before performing the rest of the migration steps.

Microsoft does not recommend having a legacy Microsoft LAPS policy and Windows LAPS policy target the same local admin account at the same time.

Removing the legacy LAPS software from a managed device

The specific steps required to remove the legacy LAPS software from the managed device depend on how that software was initially installed.

If you used MECM to deploy the LAPS CSE (client-side extension), you can remove and recreate your existing LAPS deployment(s) with the 'Uninstall' action. Note that uninstall actions are treated as required, so be mindful of your maintenance windows and deadline behavior when configuring this deployment.

MECM-managed versions of LAPS (client and admin, x86 and x64) are located in the console, under '\Software Library\Overview\Application Management\Applications\MANAGED APPLICATIONS\Microsoft\LAPS\%'.

If you require assistance removing LAPS with MECM, please contact the EPS team via https://go.illinois.edu/epshelp.

Otherwise, if you installed via the MSI installer package, you can remove it from Control Panel or automate the process with a silent MSI uninstall command run on the managed device: C:\>msiexec.exe /q /uninstall {97E2CA7B-B657-4FF7-A6DB-30ECC73E1E28}.

Microsoft has guidance for other scenarios here.

Monitoring a successful transition

There are multiple approaches to monitoring for a successful outcome once you have transitioned a managed device to a Windows LAPS policy:

  • You can monitor the managed device's Windows LAPS event log channel for successful password update events (for either Microsoft Entra ID or AD). A centralized event log collection solution may help here.
  • When storing passwords in Active Directory, you can look for the appearance of a new or updated msLAPS-PasswordExpirationTime attribute on the managed device's AD computer object. The Get-LapsADPassword PowerShell cmdlet can be used to automate this analysis.
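The second bullet automated across a whole OU, as an added example that is not part of this article: it classifies every computer by whether it carries a Windows LAPS expiration attribute (and whether that expiry is already in the past, meaning rotation is not happening), still carries only the legacy ms-Mcs-AdmPwdExpirationTime attribute, or neither, and then pulls recent warnings and errors from the Windows LAPS operational event channel on the stragglers. The OU DN is a placeholder; the script assumes the ActiveDirectory module and read access to the attributes, and reads no passwords.

```powershell
# Audit an OU for the legacy -> Windows LAPS transition using AD attributes only.
# Added example for this article; $OU is a placeholder.
$OU    = 'OU=Workstations,OU=MyDept,DC=example,DC=edu'   # placeholder DN
$Now   = [DateTime]::UtcNow
$Props = 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime', 'lastLogonTimestamp'

# Large-integer AD attributes come back as FILETIME Int64 values.
function ConvertFrom-FileTime($v) { if ($v) { [DateTime]::FromFileTimeUtc($v) } else { $null } }

$Report = Get-ADComputer -SearchBase $OU -Filter * -Properties $Props | ForEach-Object {
    $newExp = ConvertFrom-FileTime $_.'msLAPS-PasswordExpirationTime'
    $oldExp = ConvertFrom-FileTime $_.'ms-Mcs-AdmPwdExpirationTime'
    $state = if ($newExp) {
        # Windows LAPS attribute present: an expiry in the past means the device has not
        # rotated on schedule (offline, policy not applied, or self-permission missing).
        if ($newExp -lt $Now) { 'WindowsLAPS-OVERDUE' } else { 'WindowsLAPS-OK' }
    } elseif ($oldExp) { 'LegacyOnly' } else { 'NoLAPS' }
    [pscustomobject]@{
        Computer       = $_.Name
        State          = $state
        WindowsLapsExp = $newExp
        LegacyLapsExp  = $oldExp
        LastLogon      = ConvertFrom-FileTime $_.lastLogonTimestamp
    }
}
$Report | Sort-Object State, Computer | Format-Table -AutoSize
$Report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize

# Device-side check for the stragglers: the Windows LAPS operational channel records each
# policy processing run, so warnings and errors there explain why the transition stalled.
# Level 1 = Critical, 2 = Error, 3 = Warning.
$Stragglers = $Report | Where-Object { $_.State -in 'WindowsLAPS-OVERDUE', 'LegacyOnly' }
foreach ($c in $Stragglers.Computer) {
    $filter = @{ LogName = 'Microsoft-Windows-LAPS/Operational'; StartTime = (Get-Date).AddDays(-1) }
    Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object Level -le 3 |
        Select-Object @{ n = 'Computer'; e = { $c } }, TimeCreated, Id, LevelDisplayName, Message -First 5
}
```

A device that stays in LegacyOnly after the Windows LAPS policy was applied, while LastLogon shows it has been on the network, is the case worth investigating first.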

Legacy Microsoft LAPS Emulation Mode

You can set up Windows Local Administrator Password Solution (Windows LAPS) to honor legacy Microsoft LAPS Group Policy settings, but with some restrictions and limitations. The feature is called legacy Microsoft LAPS emulation mode. You might use emulation mode if you migrate an existing deployment of legacy Microsoft LAPS to Windows LAPS.

A Microsoft article covering legacy Microsoft LAPS Emulation Mode can be found here.

When Windows LAPS runs in legacy Microsoft LAPS emulation mode, a 10023 event is logged to detail the current policy configuration.

Since Windows LAPS is always "on", as soon as a legacy LAPS policy is applied to the device - and assuming all legacy LAPS emulation mode criteria are met - Windows LAPS immediately begins to enforce the legacy policy. If this causes issues with your OS deployment workflow, you can disable legacy LAPS emulation mode at the beginning of the workflow, and enable it at the end.

Deploy Microsoft LAPS (Deprecated)

A note of caution before proceeding with Microsoft LAPS:

Microsoft has mentioned that "installation of the legacy Microsoft LAPS MSI package is blocked on newer OS versions, and Microsoft will no longer consider code changes for the legacy Microsoft LAPS product".

Microsoft strongly recommends that customers begin planning now to migrate their Windows LAPS-capable systems from using legacy Microsoft LAPS over to the new Windows LAPS feature. Windows LAPS offers many new security features and improved product servicing.

IT Pros can continue to use and be on-boarded to Microsoft LAPS for now. Guidance for migrating to Windows LAPS can be found below.

Microsoft LAPS manages local administrator passwords on computers that are joined to the domain. This tool automates management of the local Administrator account password, including generating a complex password on a rotating basis, and storing that password in a protected attribute on the computer object in Active Directory. For more information, please view Microsoft's documentation on LAPS.

Limitations

The newer Windows LAPS offers the following benefits that are not available in Microsoft LAPS:

  • Built into newer versions of Windows and Windows Server, so no client-side extension needs to be installed.
  • Password encryption when stored in on-prem AD.
  • Password history when encryption is enabled.
  • Ability to view and manage LAPS via the tab in ADUC (Active Directory Users and Computers).
  • Ability to back up passwords to Entra ID (not available yet).
  • Post-authentication actions, such as automatically rotating the local administrator account password if it detects that the local administrator account was used for authentication.

If you're using Microsoft LAPS and want to transition to using Windows LAPS, please see the section below.

Get Started

In order to use Microsoft LAPS with computers in the UOFI domain, please send a request to adsupport@illinois.edu, including:
  • The name of the OU where you'd like to use LAPS.
  • The name of a group that should be able to read the LAPS attributes on objects in your OU.

How to use Microsoft LAPS

The graphical LAPS tool and PowerShell module can be downloaded here.

On clients to be managed, LAPS is configured and applied using two parts:

To manage LAPS, you use the same installation package from the download link above. It includes components for the PowerShell module and a management GUI.

Viewing and Managing Passwords

You must be a member of the group you designated to read LAPS passwords when you reached out to us.

  • AD Attributes. These are in plain text, although you must be a member of the aforementioned group to read these LAPS attributes.
    • The local admin password is stored in ms-Mcs-AdmPwd.
    • The expiration date is stored in ms-Mcs-AdmPwdExpirationTime.
  • If you have the LAPS UI installed (download here), you can use that to retrieve and manage the local admin password.
  • If you have the LAPS PowerShell module installed (download here), you can use Get-AdmPwdPassword -ComputerName <computername> to view and Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time> to reset.

Microsoft LAPS GPO Settings

Legacy LAPS settings are available under Computer Configuration\Policies\Administrative Templates\LAPS. Settings available:

Enable local admin password management

This must be enabled so the client-side extension can start managing the local admin password.

Password Settings

You can configure the password complexity, length, and age to suit your needs.

Default values

  • Complexity: large letters, small letters, numbers, special characters
  • Length: 14 characters
  • Age: 30 days

Name of administrator account to manage

If you have decided to manage a custom local admin account, you must specify its name here.

Note: DO NOT configure when you use the built-in admin account, even if you renamed it. That account is auto-detected by well-known SID. DO configure when you use a custom local admin account.

Do not allow password expiration time longer than required by policy

Enable this setting if you do not want to allow the admin account's password expiration time to be set later than the maximum password age permits.

Keywords: Active Directory, LAPS, Local Administrator, Group Policy, GPO
Doc ID: 66220
Owner: Active D.
Group: University of Illinois Technology Services
Created: 2016-08-17 13:40:06
Updated: 2024-05-16 15:22:55
Sites: University of Illinois Technology Services