This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I wanted to implement LAPS in my organization but it stores passwords in plaintext and I have to comply with PCI DSS requirements such as "Req. 8.2.1: Make all authentication information unreadable using strong encryption during transmission and storage on all system components."
I need to confirm if this will no put my compliance at risk.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello @eC4ve ,
Thanks for posting here.
Microsoft Local Administrator Password Solution (LAPS) is a Microsoft tool that gives AD administrators the ability to manage the local account password of domain-joined computers and store them in AD.
Someone might be wondering whether the Administrator password storing in AD in plain text is secure.
The ms-Mcs-AdmPwd attribute in AD is a confidential attribute protected by an Access Control List (ACL). Only users with permissions to view this attribute can view the password (that is, Domain Admins and anyone else they’ve delegated access to). Keeping the same local Administrator password across large groups of systems is a much bigger security risk.
Best regards,
Hannah Xiong
Hello,
Hope you are doing well.
May I know how things are going on your end? Sorry that I am not professional with PCI DSS. As for the LAPS, the Administrator password is storing in AD in plain text. But only users with permissions can view the password.
For any question or concern, please feel free to let me know.
Best regards,
Hannah Xiong