LAPS Encryption

Bonus12 1,116 Reputation points
2024-07-02T17:44:13.88+00:00

Hi,

When I enable the "Enable password encryption" setting for LAPS, I can only see the LAPS password in AD when I click "Show password" under the LAPS tab.

However, the LAPS GUI/admin tool, and even PowerShell, doesn't show the password if it is encrypted.

How to enable viewing the encrypted password in LAPS admin tool?


2 answers

Sort by: Most helpful
  1. S.Sengupta 17,221 Reputation points MVP
    2024-07-03T00:22:17.1033333+00:00

    First, ensure you have the LAPS PowerShell module installed. If not, you may need to install it from the Microsoft Download Center or via PowerShell Gallery. The LAPS UI and admin tools typically rely on the permissions set in Active Directory to display the password.

    Open PowerShell as Admin and type the following command:

    Import-Module AdmPwd.PS   # legacy LAPS (AdmPwd) PowerShell module

    Use the following cmdlet to view the encrypted password:

    Get-AdmPwdPassword -ComputerName "ComputerName"   # replace "ComputerName" with the target computer account

  2. Yanhong Liu 4,970 Reputation points Microsoft Vendor
    2024-07-03T06:10:25.95+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    LAPS does not display encrypted passwords in the GUI or management tools by default for security reasons. Once password encryption is enabled, LAPS uses an algorithm to encrypt passwords stored in Active Directory, making them difficult to decrypt even if the AD database is compromised by an attacker.

    Viewing encrypted passwords in LAPS is usually strictly restricted to users with specific permissions. These permissions are managed through Active Directory's Access Control List (ACL) and are usually only granted to high-level administrator roles that need to manage or audit passwords.

    To view encrypted passwords, you need to have the following:

    User account with appropriate permissions: Make sure the account you are using has permissions to view passwords. This usually means having sufficient permissions in AD to read LAPS extended attributes.

    Using PowerShell commands: When using PowerShell scripts, make sure you are using the correct command to retrieve the password. For example, when using PowerShell, you can use the Get-AdmPwdPassword command to retrieve the password, but you need to make sure the AdmPwd.PS module is loaded and you have the correct permissions.

    Permission check: Check that your user account has been granted permissions to read the LAPS password on the target computer object. This can be done in the AD Users and Computers console by right-clicking the target computer, selecting Properties, and viewing the ACL in the Security tab.

    By default, LAPS does not display encrypted passwords directly in the GUI, as this increases the risk of password exposure.

    Please note that frequent or unnecessary display of passwords increases the risk of password exposure and should be avoided. In most cases, LAPS passwords should only be viewed when necessary for troubleshooting or emergencies.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

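The permission check and the PowerShell retrieval described in the two answers above, as one added PowerShell example that is not code from either answer or from Microsoft. It uses the Windows LAPS module (module name `LAPS`, cmdlet `Get-LapsADPassword`), which is the component that reads and decrypts the `msLAPS-EncryptedPassword` attribute written when password encryption is enabled, and the RSAT `ActiveDirectory` module for the ACL inspection. It assumes both modules are installed, that the Windows LAPS schema extension has been applied, and that `WS01` is a placeholder for a real computer account. Decryption succeeds only for the principal configured in the `ADPasswordEncryptionPrincipal` policy ("Configure authorized password decryptors"); the function reports the decryption status rather than printing the password.

```powershell
# Added example, not code from either answer: report who can read the encrypted LAPS
# password on one computer object and whether the current session can decrypt it.
# Assumptions: built-in 'LAPS' module and RSAT 'ActiveDirectory' module are present;
# the Windows LAPS schema extension has been applied; 'WS01' is a placeholder name.

function Test-LapsPasswordAccess {
    param([Parameter(Mandatory)][string]$ComputerName)

    Import-Module LAPS -ErrorAction Stop
    Import-Module ActiveDirectory -ErrorAction Stop

    # Attributes written by Windows LAPS. msLAPS-EncryptedPassword exists only when
    # 'Enable password encryption' is on; both password attributes are confidential.
    $lapsAttrs = 'msLAPS-Password', 'msLAPS-EncryptedPassword', 'msLAPS-PasswordExpirationTime'
    $computer  = Get-ADComputer -Identity $ComputerName -Properties $lapsAttrs

    # 1. ACEs on the computer object that touch msLAPS-EncryptedPassword.
    #    Confidential attributes need ReadProperty AND the control-access (ExtendedRight)
    #    bit; Set-LapsADReadPasswordPermission grants exactly that pair.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attrObj  = Get-ADObject -SearchBase $schemaNC `
                  -LDAPFilter '(lDAPDisplayName=msLAPS-EncryptedPassword)' `
                  -Properties schemaIDGUID
    if (-not $attrObj) { throw 'msLAPS-EncryptedPassword is not in the schema (run Update-LapsADSchema first).' }
    $attrGuid = [guid]$attrObj.schemaIDGUID

    $acl      = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)
    $relevant = $acl.Access |
        Where-Object { $_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty } |   # attribute-specific or object-wide ACE
        Where-Object { $_.ActiveDirectoryRights -match 'ReadProperty|ExtendedRight|GenericAll' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
            @{ n = 'Scope'; e = { if ($_.ObjectType -eq [guid]::Empty) { 'whole object' } else { 'msLAPS-EncryptedPassword' } } }

    # 2. Can this session read the raw attributes? AD silently omits confidential
    #    attributes the caller is not allowed to read, so "empty" means either no
    #    password has been stored yet or the caller lacks read rights.
    $rawVisible = [bool]$computer.'msLAPS-Password' -or [bool]$computer.'msLAPS-EncryptedPassword'

    $expiry = $null
    if ($computer.'msLAPS-PasswordExpirationTime') {
        $expiry = [datetime]::FromFileTimeUtc([int64]$computer.'msLAPS-PasswordExpirationTime')
    }

    # 3. Ask Windows LAPS to decrypt. -AsPlainText returns Password as a string
    #    (otherwise a SecureString). DecryptionStatus and AuthorizedDecryptor show
    #    whether the caller matches the ADPasswordEncryptionPrincipal policy.
    $result = $null
    try {
        $result = Get-LapsADPassword -Identity $ComputerName -AsPlainText -ErrorAction Stop
    } catch {
        Write-Warning "Get-LapsADPassword failed: $($_.Exception.Message)"
    }

    # The password itself is in $result.Password; this report only says whether one came back.
    [pscustomobject]@{
        ComputerName        = $ComputerName
        RawAttributeVisible = $rawVisible
        PasswordExpiresUtc  = $expiry
        Source              = $result.Source
        DecryptionStatus    = $result.DecryptionStatus
        AuthorizedDecryptor = $result.AuthorizedDecryptor
        PasswordReturned    = [bool]$result.Password
        RelevantAces        = $relevant
    }
}

# Usage: run in the session of the account that is expected to see the password.
Test-LapsPasswordAccess -ComputerName 'WS01' | Format-List
```

If `RawAttributeVisible` is true but `DecryptionStatus` is not `Success`, the account has the AD read permission the second answer describes but is not an authorized decryptor, which is a separate policy setting from the ACL. To audit delegations across a whole OU rather than one object, `Find-LapsADExtendedRights -Identity '<OU distinguished name>'` from the same module lists the principals holding LAPS read rights.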