Security: Getting to Know Windows LAPS for Active Directory - First Look (2023)

Security: Getting to Know Windows LAPS for Active Directory - First Look (1)

In October 2022, I published a blog post titledThe 10 most important details about the upcoming Windows LAPS solution, which revealed that Microsoft is developing a new LAPS solution calledWindows LAPS. This solution will address the long-awaited support for cloud-only devices. From April 11, 2023,Windows LAPS για Windows Server Active Directoryis now publicly available. Previously, Windows LAPS was only accessible via private preview. Unfortunately,Windows LAPS για Azure Active Directoryremains in private preview and is not open to new customers. However, theAzure Active Directory LAPS scriptit is expected to be publicly previewed in the second quarter of 2023. In this blog post, I will share my initial impressions of testing Windows LAPS withWindows Server Active Directory (on-premises)scenario.

  1. Supported platforms
  2. The advantages of Windows LAPS over Legacy Microsoft LAPS
    1. # Seamless integration
    2. # Encryption with password
    3. # More new features
  3. Windows LAPS for Windows Server Active Directory – Configuration
    1. Windows LAPS Requirements
    2. Prepare Windows LAPS ADMX templates
    3. Update the Windows Server Active Directory schema
    4. Give the managed device permission to update its password
    5. Windows LAPS License Grant
    6. Configure policy settings for Windows LAPS
  4. Windows LAPS for Windows Server Active Directory – Admin Experience
    1. Read Windows LAPS password
    2. Windows LAPS password rotation
    3. Get Windows LAPS password history
    4. Password backup for DSRM accounts
  5. conclusion

Supported platforms

When Microsoft first announced the new LAPS solution, it was not yet known which operating systems would be supported by Windows LAPS besides Windows 11. The supported platforms have now been definitively announced:

  • Windows 11 Pro, EDU and Enterprise
  • Windows 10 Pro, EDU and Enterprise
  • Windows Server 2022 και Windows Server Core 2022
  • Windows Server 2019

The Local Administrator Password Solution (LAPS) developed in 2015 will still be available and supported. Microsoft is now calling the previous solutionOld Microsoft LAPS.

The advantages of Windows LAPS over Legacy Microsoft LAPS

# Seamless integration

Without a doubt, the most important advantage of Windows LAPS is its seamless integration with Windows. This eliminates the need for any additional installation steps and therefore no longer requires the LAPS MSI package to be distributed.

# Encryption with password

One of the drawbacks of the previous version of LAPS was that passwords were stored in plain text in Active Directory. Although it was possible to restrict privileges to the LAPS password features, a vulnerability remained. With Windows LAPS it is now possible to encrypt passwords (AES-256). The only requirement is that the domain functional level is set to 2016.

# More new features

Windows LAPS also offers many new features. Full overview attached:

Windows LAPS for Azure Active Directory capabilitiesWindows LAPS για Windows Server Active Directory
Store passwords in Microsoft Azure (on an Azure device object)New Group Policy object and AD schema attributes
Cloud-based management experience
– Passwords retrieved via Microsoft Graph
– Configure settings via Microsoft Intune
– Change password on demand via Microsoft Intune
The account name is stored side by side with the password
Automatic password reset during use (customer driven)Automatic password reset during use (customer driven)
Support for password encryption (WS2016 DFL required)
Password history support for encrypted passwords
Support for managing DSRM account passwords on domain controllers
New PowerShell module
New LAPS property page in AD User & Computers snap-in

Windows LAPS for Windows Server Active Directory – Configuration

These are enough of the introductory remarks. It's time to evaluate Windows LAPS and its new features! 🙂 My test systems are each two Windows Server 2022 machines. 1x domain controller and 1x member server.

Windows LAPS Requirements

First of all, the Cumulative Update from April 11, 2023 (KB5025230) must be installed. This latest update integrates the Windows LAPS solution as a built-in Windows feature.

Be careful with this update if legacy LAPS is already in use:

The April 11, 2023 update has two potential regressions related to interoperability with legacy LAPS scripts. Read the following to understand the scenario parameters as well as the possible solutions.

(Video) Windows LAPS in 9 mins: Hackers DON’T watch this!

Issue #1: If you install legacy LAPS CSE on a device updated with the April 11, 2023 security update and a legacy LAPS policy applied, both Windows LAPS and legacy LAPS will enter a broken state where neither feature will not update the password for the managed account. Symptoms include Windows LAPS event log IDs 10031 and 10033, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue.

There are two main solutions to the above issue:

one. Uninstall legacy LAPS CSE (result: Windows LAPS will take over the managed account)

si.Disable legacy LAPS emulation mode(result: legacy LAPS will take over managed account)

Issue #2: If you apply a legacy LAPS policy to a device patched with the April 11, 2023 update, Windows LAPS will immediately enforce the legacy LAPS policy, which can be annoying (for example, if done against the operating system development workflow).Disable legacy LAPS emulation modeit can also be used to prevent these problems.

Prepare Windows LAPS ADMX templates

After successfully installing the April 2023 CU, the new LAPS ADMX/ADML templates are now available:

  • C:\Windows\PolicyDefinitions\LAPS.admx
  • C:\Windows\PolicyDefinitions\en-US\LAPS.adml
Security: Getting to Know Windows LAPS for Active Directory - First Look (2)

Now they only need to be copied to the Active Directory Central Store:


Update the Windows Server Active Directory schema

As with the previous LAPS version, we first need to extend the Active Directory schema with the following PowerShell cmdlet.


Schema update adds a set6new Windows LAPS Active Directory features:

(Video) Announcing Windows LAPS for Azure AD Joined Devices!

Security: Getting to Know Windows LAPS for Active Directory - First Look (3)

Give the managed device permission to update its password

Now we need to give our devices permission to write to their own (SELF) Windows LAPS password features. These permissions can be set using theSet-LapsADComputerSelfPermissionPowerShell cmdlets. This sets inheritable permissions for the desired organizational unit (OU) in which our devices reside.

Set-LapsADComputerSelfPermission -Identity "Your Active Directory Device OU"

The identity can be specified by the distinguished name as well as the simple OU name. If the specified OU name is not unique, the distinguished name must be used.

Security: Getting to Know Windows LAPS for Active Directory - First Look (4)
Security: Getting to Know Windows LAPS for Active Directory - First Look (5)
Security: Getting to Know Windows LAPS for Active Directory - First Look (6)

Windows LAPS License Grant

By default, only domain administrators and NT AUTHORITY\SYSTEM have read and write permissions to all ms-LAPS attributes. This can be checked throughFind-LapsADExtendedRightsPowerShell cmdlet.

Security: Getting to Know Windows LAPS for Active Directory - First Look (7)

To assign permissions for administrator groups, the following two PowerShell cmdlets can be used.

PowerShell cmdletDescriptionEmpty
Set-LapsADReadPasswordPermissionGrant read permission to the Windows LAPS password.msLAPS-EncryptedPassword (read)
msLAPS-EncryptedPasswordHistory (read)
msLAPS-Password (read)
msLAPS-PasswordExpirationTime (read)
Set-LapsADResetPasswordPermissionGrant permission to enable Windows LAPS password reset.msLAPS-PasswordExpirationTime (read and write)

To enable flexible rights management through global domain role groups, I have created two local domain security groups.

Permissions can then be assigned using the appropriate PowerShell cmdlets:

Set-LapsADReadPasswordPermission -Identity "Your Active Directory Device OU" -AllowedPrincipals "Your Active Directory Group"Set-LapsADResetPasswordPermission -Identity "Your Active Directory Device OU" -AllowedPrincipals "Your Active Directory"
Security: Getting to Know Windows LAPS for Active Directory - First Look (8)

Configure policy settings for Windows LAPS

In the last step, we configure the Windows LAPS group policy and link it to our device's OU: Computer Configuration > Administrative Templates > System > LAPS.

To enable Windows LAPS, you basically just need to configure itpassword backup directorycomposition:

(Video) Windows LAPS New features: Manage the Local Admin Account Passwords in Active Directory and Azure AD

Security: Getting to Know Windows LAPS for Active Directory - First Look (9)

The password is encrypted by default, since the functional level of the domain has already been upgraded to 2016. Since we want to test all the new features, we will of course enable several settings such asEnable password backup for DSRM accounts,Configure the size of the encrypted password historyandPassword settings.

Enable password backup for DSRM accountsUse this setting to enable Directory Service Repair (DSRM) account password backup on Windows Server Active Directory domain controllers.
Configure the size of the encrypted password historyUse this setting to configure how many previous encrypted passwords are remembered in Active Directory. Supported values ​​are 0-12.
Enable password encryptionUse this setting to enable password encryption in Active Directory. Enabling this setting requires that the Active Directory domain is running at domain functional level 2016 or later.
Configure authorized password decryptorsUse this setting to configure the name or security identifier (SID) of a user or group that can decrypt the password stored in Active Directory. This setting is ignored if the password is currently stored in Azure. If not specified, only members of the Domain Administrators group in the device domain can decrypt the password.
If specified, the specified user or group can decrypt the password stored in Active Directory.
Admin account name to manageDo not specify this setting unless you want to manage an account other than the built-in local administrator account. The local administrator account is automatically identified by its known relative identifier (RID). In case you prefer to use a different account, it is necessary to ensure that it is configured in advance on all clients, as Windows LAPS does not create the local administrator account for you.
Configure password backup directoryUse this setting to control to which directory the password is backed up for the managed account.
Do not allow the password to expire longer than requiredWhen you enable this setting, scheduled password expirations older than the password age dictated by the Password Settings policy are NOT allowed. When such expiration is detected, the password is changed immediately and the password expiration is set according to the policy.
Password settingsUse this setting to specify password settings such as PasswordAgeDays, PasswordLength, and PasswordComplexity.
Action after authentication (Auto reset password during use)Perform predefined actions (Reset password, reset password and log out of managed account, reset password and reboot device) with a certain delay (grace period) after successfully connecting a Windows LAPS managed device.

After the GPO reaches our devices, we can verify the status in the event logs:
Applications and Services>Registry>Microsoft>Windows>LAPS>Operation.

Windows LAPS for Windows Server Active Directory – Admin Experience

Read Windows LAPS password

In our first attempt we try to read the LAPS password via PowerShell and via dsa.msc with a user who is not a member of our specified delegation groups.

Get-LapsADPassword -Identity "Your Device" Get-LapsADPassword -Identity "Your Device" -AsPlainText

As expected, the Windows LAPS password cannot be read:

Security: Getting to Know Windows LAPS for Active Directory - First Look (10)

Now we add our test user to the read password assignment group and repeat the same test. Having done this, we can read several attributes and also see that the password was stored encrypted. However, we do not yet have permission to read/decrypt the password. By default, this is only possible for domain administrators.

Security: Getting to Know Windows LAPS for Active Directory - First Look (11)

To decrypt the password, we first need to add the agent group we created to the LAPS Group Policy. The following setting must be enabled and configuredConfigure authorized password decryptors. The group can be specified either as a SID or in the format domain\groupname. I was unable to add multiple password decryption groups. Therefore, you need to make sure that the Domain Administrators group is added to the Assign Read Password group, otherwise it will not be possible for domain administrators to decrypt the password.

Security: Getting to Know Windows LAPS for Active Directory - First Look (12)

Okay, time to retake the test.

Security: Getting to Know Windows LAPS for Active Directory - First Look (13)

Windows LAPS password rotation

Changing the password can be done either locally on the device viaReset-LapsPasswordor the Expiration Time can be adjusted viaSet-LapsADPasswordExpirationTime.

Now we try to do this first without the required permissions again.

(Video) Complete Guide to Local Administrator Password Solution LAPS

Local administrator rights are sufficient to run itReset-LapsPasswordPowerShell cmdlet and the user running it do not require special Active Directory permissions related to a particular LAPS feature.

Security: Getting to Know Windows LAPS for Active Directory - First Look (14)

A locally created admin user (non-domain user) can trigger a password change:

Security: Getting to Know Windows LAPS for Active Directory - First Look (15)

We are now trying to adjust the expiration time with our domain test user.

Set-LapsADPasswordExpirationTime -Identity "Your device"
Security: Getting to Know Windows LAPS for Active Directory - First Look (16)

As expected, this doesn't work because we don't yet have write access to the ExpirationTime attribute with our test user. So we add the test user to the ExpirationTime assignment group and repeat the test.

Security: Getting to Know Windows LAPS for Active Directory - First Look (17)

The next time Windows LAPS wakes up to process the current policy, it sees the modified password expiration time and rotates the password. If you don't want to wait, you can run itInvoke-LapsPolicyProcessingcmdlet.

Get Windows LAPS password history

The password history can be read through the sameGet-LapsADPasswordcmldet. Only the -Include historyparameter must be added.

Get-LapsADPassword -Identity "Your Device" -AsPlainText -IncludeHistory

Password backup for DSRM accounts

For this feature to work, Domain Functional Level 2016 is required and encryption must be active. Additionally, this password can only be read and decrypted by Domain Administrators. The arrangements were made insideConfigure authorized password decryptorsare ignored. In this scenario, this setting always defaults to the Domain Admins group of the domain controller's domain.

I just had to link the LAPS Group Policy to the domain controller OU.Set-LapsADComputerSelfPermissionit did not need to be run on the OU domain controller.

(Video) What is Microsoft (LAPS) Local Administrator Password Solution?

RunGet-LapsADPasswordwith domain admin rights:

Get-LapsADPassword -Identity "Your DC" -AsPlainText -IncludeHistory
Security: Getting to Know Windows LAPS for Active Directory - First Look (18)


The previous solution,Old Microsoft LAPS, it was already quite simple to set up and control. However, with the incorporation ofWindows LAPSin the operating system and the introduction of new PowerShell modules, implementation and management have become even simpler. Additionally, security has been enhanced through password encryption, password history tracking, automatic password reset during use, and DSRM account management. We can only hope that its implementationWindows LAPS για Azure Active Directoryit goes just as smoothly as the on-premises scenario and that we don't have to wait as long for the public release.


What are the security concerns with laps? ›

The first security risk lies with LAPS attribute delegation and permissions on the objects. Attackers can enumerate accounts on the compromised endpoints and misuse their permissions to view the LAPS passwords of local administrators.

What is the laps password in Active Directory? ›

The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

How do you secure laps? ›

How to Ensure LAPS is Secure
  1. PowerShell Permission Scripts. ...
  2. Remove All Extended Permissions. ...
  3. Locking Password Reset Permissions. ...
  4. Administrator Training and Awareness. ...
  5. Integrated Approach to Data Security.
Jun 6, 2022

Is laps still supported? ›

The Windows LAPS on-premises Active Directory scenarios are fully supported as of the above updates. Windows LAPS with Microsoft Entra (Azure AD) and Microsoft Intune support is now in public preview as of April 21st 2023.

What are three 3 security issues that every computer user should be aware of? ›

Viruses, worms, Trojans, and spam are ubiquitous, but they are just the tip of the iceberg. Other common information security threats include privilege escalation, spyware, adware, rootkits, botnets, and logic bombs.

What are the top 3 issues faced by security operations? ›

The three big issues are the following:
  • staff shortage.
  • skills shortage.
  • knowledge shortage.

How do I know if Windows laps is installed? ›

  1. # Identify if installed to Program Files. Get-ChildItem 'C:\Program Files\LAPS\CSE\Admpwd.dll' Get-ChildItem 'C:\Program Files (x86)\LAPS\CSE\Admpwd.dll' dir 'C:\Program Files\LAPS\CSE\' ...
  2. # Import module. Import-Module AdmPwd.PS. ​ ...
  3. # Gets all computers which have LAPS enabled. Get-LAPSComputers. ​

Does laps keep a password history? ›

Windows LAPS supports a password history feature for Windows Server Active Directory domain-joined clients and domain controllers. Password history is supported only when password encryption is enabled. Password history isn't supported if you store clear-text passwords in Windows Server Active Directory.

How do I know if laps is enabled? ›

Since LAPS requires the computer attributes to be present, we can check to see if LAPS is “installed” in Active Directory by checking for the presence of the LAPS attributes in AD. Here we use the Active Directory PowerShell module cmdlet Get-ADObject to check for the LAPS password attribute ms-mcs-admpwd.

How do I use laps in Active Directory? ›

How to Use Local Administrator Password Solution (LAPS) with Active Directory and Azure AD
  1. Choosing a policy deployment mechanism.
  2. Configuring specific policies.
  3. Updating a password in Azure Active Directory.
  4. Retrieve a password from Azure Active Directory. ...
  5. Retrieve the password from Azure AD.
  6. Rotate the password.
Nov 14, 2022

How do I set up laps step by step? ›

Setting up the LAPS GPO
  1. Open the Group Policy Management Console.
  2. Create a new Group Policy in your Computers OU.
  3. Right-Click the new Policy and select Edit.
  4. Navigate to : Computer Configuration > Polices > Administrative Templates > LAPS.
Feb 23, 2023

How do I manage Microsoft laps? ›

You can install the LAPS management features on the domain controller or another domain-joined computer (such as windows 10 or 11).
  1. Download the LAPS software from the link below. ...
  2. Double-click the file LAPS. ...
  3. Click “Next” on the setup wizard screen.
  4. Accept the license agreement and click “Next”.
  5. Install all features.
Apr 4, 2023

What is the purpose of laps? ›

What is Microsoft LAPS? Microsoft's "Local Administrator Password Solution" (LAPS) provides management of local administrator account passwords for domain-joined computers. Passwords are randomized and stored in Active Directory (AD), protected by ACLs, so only eligible users can read it or request its reset.

What is the Windows laps feature? ›

Windows LAPS is a Windows feature that allows you to automatically set and backup local administrator passwords of your domain-joined devices.

Does laps require an agent? ›

No, LAPS does not require an agent.

What is the biggest problem in computer security? ›

Top 10 Challenges of Cyber Security Faced in 2022
  • Ransomware attacks.
  • IoT attacks.
  • Cloud attacks.
  • Phishing attacks.
  • Blockchain and cryptocurrency attacks.
  • Software vulnerabilities.
  • Machine learning and AI attacks.
  • BYOD policies.

What are the 3 key components of security? ›

Confidentiality, integrity and availability together are considered the three most important concepts within information security. Considering these three principles together within the framework of the "triad" can help guide the development of security policies for organizations.

What is the most common factor in computer security issues? ›

Social engineering attacks (or phishing)

Most security breaches are due to social engineering — where criminals trick people into giving out confidential information, clicking on malicious links, or providing entry to secure systems.

What are the 5 functions found in every SOC? ›

These typically include:
  • Network monitoring and incident detection.
  • Incident management.
  • Problem management.
  • Endpoint administration.
  • Security system administration.
Aug 16, 2022

What is the laps attribute in Active Directory? ›

Locked-down AD attributes: LAPS stores passwords for each local administrator in the domain environment in the AD attribute called the 'ms-Mcs-AdmPwd. ' LAPS also needs to know when the passwords expire, so it stores the password expiry time in another AD attribute, called the 'ms-Mcs-AdmPwdExpirationTime.

Does laps create an admin account? ›

The "Administrator account name to manage" must exist on the computers in order for Laps to manage it. You will need to create this account on each machine if it doesn't already exist.

What are the security concerns of LTE? ›

Top cyber threats to private 5G/LTE networks
  • Denial of Service (DoS) ...
  • Mobile Network Mapping (MNmap) ...
  • Bidding Down (service degradation) ...
  • Battery Drain. ...
  • Mobile Identity Capture. ...
  • Malware Delivery. ...
  • Intercepting Communication. ...
  • DNS Spoofing.
Oct 27, 2020

What are the security issues in transport layer? ›

Main Security Issues
  • Fingerprinting.
  • Information Gathering (Scanning)
  • Interception.
  • Downgrade Attacks.
  • Cryptographic Attacks.
  • Data Spoofing.
  • Denial of Service (DoS)
  • Remote Code Execution (Protocol CVE)

Is laps encrypted? ›

One of the biggest complaints we've heard against LAPS in the past is that the managed passwords are stored as plain text in Active Directory. Although this is not an issue if you manage your permissions correctly, it is still a concern. To tackle this issue, Windows LAPS now supports encrypting the password in AD.


1. How to setup and deploy LAPS (Local Administrator Password Solution)
(Danny Moran)
2. Windows LAPS
3. Windows Intune LAPS + Azure Active Directory. Now Available and Easy Steps to Configure
(Praveen Balan)
4. Windows Security Goes Native with LAPS
(Petri IT Knowledgebase)
5. Learn how Windows LAPS works
6. Windows LAPS Management in Microsoft Intune
(Intune Support Team)
Top Articles
Latest Posts
Article information

Author: Twana Towne Ret

Last Updated: 06/16/2023

Views: 5757

Rating: 4.3 / 5 (64 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Twana Towne Ret

Birthday: 1994-03-19

Address: Apt. 990 97439 Corwin Motorway, Port Eliseoburgh, NM 99144-2618

Phone: +5958753152963

Job: National Specialist

Hobby: Kayaking, Photography, Skydiving, Embroidery, Leather crafting, Orienteering, Cooking

Introduction: My name is Twana Towne Ret, I am a famous, talented, joyous, perfect, powerful, inquisitive, lovely person who loves writing and wants to share my knowledge and understanding with you.