Windows Local Administrator Password Solution (Windows LAPS) includes the LAPS PowerShell module. Learn about its cmdlets, features, and how they compare to legacy Microsoft LAPS cmdlets to help you manage passwords securely.
Cmdlet descriptions and usage
The following table describes the cmdlets that are available in the LAPS PowerShell module:
Name | Description |
---|---|
Get-LapsAADPassword | Query Microsoft Entra ID for Windows LAPS passwords. |
Get-LapsDiagnostics | Collect diagnostic information for investigating issues. |
Find-LapsADExtendedRights | Discover which identities have been granted permissions for an Organizational Unit (OU) in Windows Server Active Directory. |
Get-LapsADPassword | Query Windows Server Active Directory for Windows LAPS passwords. |
Invoke-LapsPolicyProcessing | Initiate a policy processing cycle. |
Reset-LapsPassword | Initiate an immediate password rotation. Use when backing up the password to either Microsoft Entra ID or Windows Server Active Directory. |
Set-LapsADAuditing | Configure Windows LAPS-related auditing on OUs in Windows Server Active Directory. |
Set-LapsADComputerSelfPermission | Configure an OU in Windows Server Active Directory to allow computer objects to update their Windows LAPS passwords. |
Set-LapsADPasswordExpirationTime | Update a computer's Windows LAPS password expiration time in Windows Server Active Directory. |
Set-LapsADReadPasswordPermission | Grant permission to read the Windows LAPS password information in Windows Server Active Directory. |
Set-LapsADResetPasswordPermission | Grant permission to update the Windows LAPS password expiration time in Windows Server Active Directory. |
Update-LapsADSchema | Extend the Windows Server Active Directory schema with the Windows LAPS schema attributes. |
Tip
The Invoke-LapsPolicyProcessing and Reset-LapsPassword cmdlets aren't affected by whether the password currently is backed up to Microsoft Entra ID or Windows Server Active Directory. In this scenario, both options are supported.

All cmdlets in the Windows LAPS PowerShell module support detailed logging when you use the -Verbose parameter.
For more detailed information on each cmdlet, see LAPS PowerShell Module.
Comparing Windows LAPS and legacy Microsoft LAPS PowerShell
Legacy Microsoft LAPS includes a PowerShell module named AdmPwd.PS. The two modules have many functional similarities, but they also have many differences. This table provides a mapping between the two modules:
Windows LAPS cmdlet | Legacy Microsoft LAPS cmdlet |
---|---|
Get-LapsAADPassword | Not applicable |
Get-LapsDiagnostics | Not applicable |
Find-LapsADExtendedRights | Find-AdmPwdExtendedRights |
Get-LapsADPassword | Get-AdmPwdPassword |
Invoke-LapsPolicyProcessing | Not applicable |
Reset-LapsPassword | Not applicable |
Set-LapsADAuditing | Set-AdmPwdAuditing |
Set-LapsADComputerSelfPermission | Set-AdmPwdComputerSelfPermission |
Set-LapsADPasswordExpirationTime | Reset-AdmPwdPassword |
Set-LapsADReadPasswordPermission | Set-AdmPwdReadPasswordPermission |
Set-LapsADResetPasswordPermission | Set-AdmPwdResetPasswordPermission |
Update-LapsADSchema | Update-AdmPwdADSchema |
In addition to naming-related changes, the Windows LAPS PowerShell cmdlets for Windows Server Active Directory operate over an entirely different set of schema extensions. For more information, see Windows LAPS schema extensions reference.
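When moving existing automation off AdmPwd.PS, the mapping table can be applied to script source to inventory every legacy call before anything is changed. The following is an added example, not code from Microsoft or from this page: the function name Find-LegacyLapsCall and the sample script are hypothetical, and the script text is parsed with the PowerShell AST parser rather than executed.

```powershell
# Added example (not Microsoft's code). Find-LegacyLapsCall and the sample script
# are hypothetical; the hashtable is the legacy-to-Windows-LAPS mapping from this page.
$LegacyToLaps = @{
    'Find-AdmPwdExtendedRights'         = 'Find-LapsADExtendedRights'
    'Get-AdmPwdPassword'                = 'Get-LapsADPassword'
    'Set-AdmPwdAuditing'                = 'Set-LapsADAuditing'
    'Set-AdmPwdComputerSelfPermission'  = 'Set-LapsADComputerSelfPermission'
    'Reset-AdmPwdPassword'              = 'Set-LapsADPasswordExpirationTime'
    'Set-AdmPwdReadPasswordPermission'  = 'Set-LapsADReadPasswordPermission'
    'Set-AdmPwdResetPasswordPermission' = 'Set-LapsADResetPasswordPermission'
    'Update-AdmPwdADSchema'             = 'Update-LapsADSchema'
}

function Find-LegacyLapsCall {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    # Parse without executing, so untrusted or unfinished scripts are safe to scan.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # $true also searches nested script blocks and function bodies.
    $calls = $ast.FindAll(
        { param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($call in $calls) {
        $name = $call.GetCommandName()
        if (-not $name) { continue }           # dynamic invocation such as & $cmd
        $bare = ($name -split '\\')[-1]        # drop a module qualifier (AdmPwd.PS\...)
        if ($LegacyToLaps.ContainsKey($bare)) {
            [pscustomobject]@{
                Line        = $call.Extent.StartLineNumber
                Legacy      = $bare
                WindowsLaps = $LegacyToLaps[$bare]
                Text        = $call.Extent.Text
            }
        }
    }
}

# Constructed sample input.
$sample = @'
Import-Module AdmPwd.PS
Get-AdmPwdPassword -ComputerName WS01
function Rotate { Reset-AdmPwdPassword -ComputerName $args[0] }
AdmPwd.PS\Find-AdmPwdExtendedRights -Identity Workstations
'@

Find-LegacyLapsCall -ScriptText $sample | Format-Table -AutoSize
```

Treat each row as a review item rather than a rename: the Windows LAPS cmdlets work against a different set of schema extensions, and Reset-AdmPwdPassword maps to Set-LapsADPasswordExpirationTime, not to Reset-LapsPassword.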