Get started with Windows LAPS and Windows Server Active Directory

Learn how to get started with Windows Local Administrator Password Solution (Windows LAPS) and Windows Server Active Directory. The article describes the basic procedures for using Windows LAPS to back up passwords to Windows Server Active Directory and how to retrieve them.

Domain functional level and domain controller OS version requirements

If your domain is configured below the 2016 Domain Functional Level (DFL), you can't enable Windows LAPS password encryption at all. Without password encryption, clients can only be configured to store passwords in clear text (protected only by Active Directory ACLs), and DCs can't be configured to manage their local DSRM account.

Once your domain reaches 2016 DFL, you can enable Windows LAPS password encryption. However, if you're still running any WS2016 DCs, those DCs don't support Windows LAPS and therefore can't use the DSRM account management feature.

It's fine to use supported operating systems older than WS2016 on your domain controllers as long as you're aware of these limitations.

The following table summarizes the various supported-or-not scenarios:

| Domain details | Clear-text password storage supported | Encrypted password storage supported (for domain-joined clients) | DSRM account management supported (for DCs) |
| --- | --- | --- | --- |
| Below 2016 DFL | Yes | No | No |
| 2016 DFL with one or more WS2016 DCs | Yes | Yes | Yes, but only for WS2019 and later DCs |
| 2016 DFL with only WS2019 and later DCs | Yes | Yes | Yes |

Microsoft strongly recommends that customers upgrade to the latest available operating system on clients, servers, and domain controllers to take advantage of the latest features and security improvements.

Update the Windows Server Active Directory schema

The Windows Server Active Directory schema must be updated before using Windows LAPS. This action is performed by using the Update-LapsADSchema cmdlet. It's a one-time operation for the entire forest. The Update-LapsADSchema cmdlet can be run locally on a Windows Server 2022 or Windows Server 2019 domain controller updated with Windows LAPS, but can also be run on a non-domain-controller as long as it supports the Windows LAPS PowerShell module.

PS C:\> Update-LapsADSchema

Tip

Pass the -Verbose parameter to see detailed info on what the Update-LapsADSchema cmdlet (or any other cmdlet in the LAPS PowerShell module) is doing.

Grant the managed device password update permission

The managed device needs to be granted permission to update its password. This action is performed by setting inheritable permissions on the Organizational Unit (OU) the device is in. The Set-LapsADComputerSelfPermission cmdlet is used for this purpose, for example:

PS C:\> Set-LapsADComputerSelfPermission -Identity NewLaps
Name    DistinguishedName
----    -----------------
NewLAPS OU=NewLAPS,DC=laps,DC=com

Tip

If you prefer to set the inheritable permissions on the root of the domain, this is possible by specifying the entire domain root using DN syntax. For example, specify 'DC=laps,DC=com' for the -Identity parameter.

Query Extended Rights permissions

Some users or groups might already be granted Extended Rights permission on the managed device's OU. This permission is problematic because it grants the ability to read confidential attributes (all of the Windows LAPS password attributes are marked as confidential). One way to check who is granted these permissions is by using the Find-LapsADExtendedRights cmdlet. For example:

PS C:\> Find-LapsADExtendedRights -Identity newlaps
ObjectDN                  ExtendedRightHolders
--------                  --------------------
OU=NewLAPS,DC=laps,DC=com {NT AUTHORITY\SYSTEM, LAPS\Domain Admins}

In the output in this example, only trusted entities (SYSTEM and Domain Admins) have the privilege. No other action is required.
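The two steps above combined into one check, as an added example that is not part of the Microsoft article: it grants the self-permission on an OU, then lists every Extended Rights holder there and flags any principal not on a trusted list. The OU DN and the trusted-holder list are assumptions taken from the article's sample output.

```powershell
# Added example (not from the Microsoft article). Assumes the Windows LAPS
# PowerShell module is installed and the caller has rights on the OU.
function Test-LapsOuExtendedRights {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        # Holders considered trusted; the article's sample shows only these two.
        [string[]] $TrustedHolders = @('NT AUTHORITY\SYSTEM', 'LAPS\Domain Admins')
    )

    # Step 1: let computers in the OU write their own Windows LAPS attributes.
    Set-LapsADComputerSelfPermission -Identity $OuDistinguishedName | Out-Null

    # Step 2: enumerate every principal that can read confidential attributes there.
    $rights = Find-LapsADExtendedRights -Identity $OuDistinguishedName

    $unexpected = foreach ($entry in $rights) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            if ($TrustedHolders -notcontains $holder) {
                [pscustomobject]@{ ObjectDN = $entry.ObjectDN; Holder = $holder }
            }
        }
    }

    if ($unexpected) {
        Write-Warning 'Principals that can read LAPS passwords but are not on the trusted list:'
        $unexpected | Format-Table -AutoSize
    } else {
        Write-Host "Only trusted principals hold Extended Rights on $OuDistinguishedName."
    }
    return $unexpected
}

# Assumed OU DN from the article's sample output.
Test-LapsOuExtendedRights -OuDistinguishedName 'OU=NewLAPS,DC=laps,DC=com'
```

Any holder the function reports should be reviewed and, if not needed, removed from the OU's ACL before passwords are backed up there.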

Configure device policy

Complete a few steps to configure the device policy.

Choose a policy deployment mechanism

The first step is to choose how to apply policy on your devices.

Most environments use Windows LAPS Group Policy to deploy the required settings to their Windows Server Active Directory-domain-joined devices.

If your devices are also hybrid-joined to Microsoft Entra ID, you can deploy policy by using Microsoft Intune with the Windows LAPS configuration service provider (CSP).

Configure specific policies

At a minimum, you must configure the BackupDirectory setting to the value 2 (backup passwords to Windows Server Active Directory).

If you don't configure the AdministratorAccountName setting, Windows LAPS defaults to managing the default built-in local administrator account. This built-in account is automatically identified using its well-known relative identifier (RID) and should never be identified using its name. The name of the built-in local administrator account varies depending on the default locale of the device.

If you want to configure a custom local administrator account, you should configure the AdministratorAccountName setting with the name of that account.

Important

If you configure Windows LAPS to manage a custom local administrator account, you must ensure that the account is created. Windows LAPS doesn't create the account. We recommend that you use the RestrictedGroups CSP to create the account.

You can configure other settings, like PasswordLength, as needed for your organization.

When you don't configure a given setting, the default value is applied, so be sure you understand those defaults. For example, if you enable password encryption but don't configure the ADPasswordEncryptionPrincipal setting, the password is encrypted so that only Domain Admins can decrypt it. Configure ADPasswordEncryptionPrincipal with a different principal if you want non-Domain Admins to be able to decrypt it.
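A local check of the settings this section calls out, as an added example that is not part of the Microsoft article. It assumes Group Policy writes the Windows LAPS policy values under HKLM:\SOFTWARE\Microsoft\Policies\LAPS and that the encryption switch is stored as ADPasswordEncryptionEnabled; run it on a domain-joined client or member server (DCs have no local SAM for Get-LocalUser).

```powershell
# Added example (not from the Microsoft article). Registry path and the
# ADPasswordEncryptionEnabled value name are assumptions; adjust if needed.
function Test-LapsAdPolicy {
    param([string] $PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS')

    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No Windows LAPS policy at $PolicyKey; no password backup will occur."
        return @('No policy configured')
    }
    $p = Get-ItemProperty -Path $PolicyKey
    $findings = @()

    # BackupDirectory must be 2 to back up to Windows Server Active Directory.
    if ($p.BackupDirectory -ne 2) {
        $findings += "BackupDirectory is '$($p.BackupDirectory)'; expected 2 (Windows Server AD)."
    }

    # A custom account must already exist: Windows LAPS never creates it.
    if ($p.AdministratorAccountName) {
        if (-not (Get-LocalUser -Name $p.AdministratorAccountName -ErrorAction SilentlyContinue)) {
            $findings += "AdministratorAccountName '$($p.AdministratorAccountName)' does not exist on this device."
        }
    } else {
        # The built-in administrator is found by its well-known RID (500), never by name.
        $builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
        Write-Host "Managing built-in administrator '$($builtIn.Name)' (RID 500)."
    }

    # Encryption on with no principal configured means only Domain Admins can decrypt.
    if ($p.ADPasswordEncryptionEnabled -eq 1 -and -not $p.ADPasswordEncryptionPrincipal) {
        Write-Host 'Password encryption enabled; only Domain Admins can decrypt (default).'
    } elseif ($p.ADPasswordEncryptionEnabled -ne 1) {
        $findings += 'Password encryption not enabled; passwords are stored in clear text (ACL-protected only).'
    }

    if ($p.PasswordLength) { Write-Host "PasswordLength configured: $($p.PasswordLength)." }

    $findings | ForEach-Object { Write-Warning $_ }
    return $findings
}

Test-LapsAdPolicy
```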

Update a password in Windows Server Active Directory

Windows LAPS processes the currently active policy periodically (every hour) and also in response to Group Policy change notifications.

To verify that the password was successfully updated in Windows Server Active Directory, look in the event log for the 10018 event:

Screenshot of the event log that shows a successful Windows Server Active Directory password update event log message.

To avoid waiting after you apply the policy, you can run the Invoke-LapsPolicyProcessing PowerShell cmdlet.
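Triggering a policy cycle and confirming the 10018 event programmatically, as an added example that is not part of the Microsoft article. It assumes the event is written to the Microsoft-Windows-LAPS/Operational log; the polling loop and timeout are this example's own.

```powershell
# Added example (not from the Microsoft article). Assumes the operational log
# name below; 10018 is the success event the article tells you to look for.
function Invoke-LapsBackupAndVerify {
    param([int] $TimeoutSeconds = 120)

    $logName = 'Microsoft-Windows-LAPS/Operational'
    $start   = Get-Date

    # Process the current policy now instead of waiting for the hourly cycle.
    # Note: a backup (and the 10018 event) only happens if the password is
    # due for rotation; otherwise this cycle is a no-op.
    Invoke-LapsPolicyProcessing

    $event = $null
    do {
        $event = Get-WinEvent -FilterHashtable @{
            LogName   = $logName
            Id        = 10018
            StartTime = $start
        } -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($event) { break }
        Start-Sleep -Seconds 5
    } while (((Get-Date) - $start) -lt [TimeSpan]::FromSeconds($TimeoutSeconds))

    if ($event) {
        Write-Host "Password backed up to Windows Server AD at $($event.TimeCreated)."
        return $true
    }
    Write-Warning "No 10018 event within $TimeoutSeconds s; check the $logName log for errors."
    return $false
}

Invoke-LapsBackupAndVerify
```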

Retrieve a password from Windows Server Active Directory

Use the Get-LapsADPassword cmdlet to retrieve passwords from Windows Server Active Directory. For example:

PS C:\> Get-LapsADPassword -Identity lapsAD2 -AsPlainText
ComputerName        : LAPSAD2
DistinguishedName   : CN=LAPSAD2,OU=NewLAPS,DC=laps,DC=com
Account             : Administrator
Password            : Zlh+lzC[0e0/VU
PasswordUpdateTime  : 7/1/2022 1:23:19 PM
ExpirationTimestamp : 7/31/2022 1:23:19 PM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : LAPS\Domain Admins

This output indicates that password encryption is enabled (see Source). Password encryption requires that your domain is configured for Windows Server 2016 Domain Functional Level or later.

Rotate the password

Windows LAPS reads the password expiration time from Windows Server Active Directory during each policy processing cycle. If the password is expired, a new password is generated and stored immediately.

In some situations (for example, after a security breach or for ad-hoc testing), you might want to rotate the password early. To manually force a password rotation, you can use the Reset-LapsPassword cmdlet.

You can use the Set-LapsADPasswordExpirationTime cmdlet to set the scheduled password expiration time as stored in Windows Server Active Directory. For example:

PS C:\> Set-LapsADPasswordExpirationTime -Identity lapsAD2
DistinguishedName                           Status
-----------------                           ------
CN=LAPSAD2,OU=NewLAPS,DC=laps,DC=com PasswordReset

The next time Windows LAPS wakes up to process the current policy, it sees the modified password expiration time and rotates the password. If you don't want to wait, you can run the Invoke-LapsPolicyProcessing cmdlet.

You can use the Reset-LapsPassword cmdlet to locally force an immediate rotation of the password.
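The retrieval and rotation sections above, combined into an OU-wide health check as an added example that is not part of the Microsoft article: it reads each computer's LAPS record without -AsPlainText (so no password is exposed), reports clear-text storage, decryption failures and expired passwords, and can expire the flagged ones so the devices rotate on their next policy cycle. Assumptions: the ActiveDirectory module's Get-ADComputer is available, and any Source value not starting with "Encrypted" is treated as clear text.

```powershell
# Added example (not from the Microsoft article). Requires the Windows LAPS and
# ActiveDirectory PowerShell modules and read rights on the LAPS attributes.
function Get-LapsAdPasswordHealth {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # OU DN, e.g. 'OU=NewLAPS,DC=laps,DC=com'
        [switch] $ForceRotate
    )
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase
    foreach ($c in $computers) {
        # No -AsPlainText: the Password property stays a SecureString we never read.
        $rec = Get-LapsADPassword -Identity $c.DistinguishedName -ErrorAction SilentlyContinue
        if (-not $rec) {
            [pscustomobject]@{ Computer = $c.Name; Status = 'NoLapsPassword'; Source = $null }
            continue
        }
        # Sources seen in the article: EncryptedPassword, EncryptedDSRMPassword.
        # Anything else is treated here as a clear-text record (assumption).
        $encrypted = $rec.Source -like 'Encrypted*'
        $expired   = $rec.ExpirationTimestamp -lt (Get-Date)
        $status = if (-not $encrypted) { 'ClearText' }
                  elseif ($rec.DecryptionStatus -ne 'Success') { 'DecryptFailed' }
                  elseif ($expired) { 'Expired' }
                  else { 'OK' }

        if ($ForceRotate -and $status -in 'ClearText', 'Expired') {
            # Sets the expiration time in AD to now; the device rotates the
            # password the next time it processes policy (or on Invoke-LapsPolicyProcessing).
            Set-LapsADPasswordExpirationTime -Identity $c.DistinguishedName | Out-Null
        }

        [pscustomobject]@{
            Computer  = $c.Name
            Status    = $status
            Source    = $rec.Source
            Decryptor = $rec.AuthorizedDecryptor
            Expires   = $rec.ExpirationTimestamp
        }
    }
}

Get-LapsAdPasswordHealth -SearchBase 'OU=NewLAPS,DC=laps,DC=com' | Format-Table -AutoSize
```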

Retrieving passwords during AD disaster recovery scenarios

Retrieval of Windows LAPS passwords (including DSRM passwords) normally requires that at least one Active Directory domain controller is available. Consider however a catastrophic scenario in which all the domain controllers in a domain are down. How do you recover passwords in that situation?

Active Directory management best practices advise regularly taking backups of all domain controllers. Windows LAPS passwords stored in a mounted backup AD database can be queried using the Get-LapsADPassword PowerShell cmdlet by specifying the -Port parameter. The Get-LapsADPassword cmdlet was recently improved so that when the -Port and -RecoveryMode parameters are both specified, password recovery succeeds with no need to contact a domain controller. Further, Get-LapsADPassword now supports being run in this mode on a workgroup (non-domain-joined) machine.

Tip

The dsamain.exe utility is used to mount AD backup media and query it over LDAP. Dsamain.exe isn't installed by default, so it has to be added. One way to do this is with the Enable-WindowsOptionalFeature cmdlet. On Windows client machines, run Enable-WindowsOptionalFeature -Online -FeatureName DirectoryServices-ADAM-Client. On a Windows Server machine, run Enable-WindowsOptionalFeature -Online -FeatureName DirectoryServices-ADAM.

The following example assumes that an AD backup database is locally mounted on port 50000:

PS C:\> Get-LapsADPassword -Identity lapsDC -AsPlainText -Port 50000 -RecoveryMode
ComputerName        : LAPSDC
DistinguishedName   : CN=LAPSDC,OU=Domain Controllers,DC=laps,DC=com
Account             : Administrator
Password            : ArrowheadArdentlyJustifyingKryptonVixen
PasswordUpdateTime  : 8/15/2024 10:31:51 AM
ExpirationTimestamp : 9/14/2024 10:31:51 AM
Source              : EncryptedDSRMPassword
DecryptionStatus    : Success
AuthorizedDecryptor : S-1-5-21-2127521184-1604012920-1887927527-35197

Important

When encrypted Windows LAPS passwords are retrieved from an AD backup database mounted on a workgroup machine, the AuthorizedDecryptor field will always be displayed in raw SID format since the workgroup machine is unable to translate that SID into a friendly name.

Important

The improved Get-LapsADPassword password retrieval capability is supported in Windows Insider build 27695 and later, for both client and server OS versions.
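The disaster recovery procedure above end to end, as an added example that is not part of the Microsoft article: it mounts a restored ntds.dit with dsamain.exe on a local LDAP port, waits for the port to listen, reads the DC's DSRM password in recovery mode, and tears the mount down. The ntds.dit path is a placeholder; dsamain's /dbpath and /ldapport switches are real, and the port-wait loop is this example's own.

```powershell
# Added example (not from the Microsoft article). Requires dsamain.exe
# (DirectoryServices-ADAM feature) and a Windows LAPS build that supports
# -RecoveryMode. Intended for a recovery host, workgroup-joined or not.
function Get-LapsPasswordFromBackup {
    param(
        [Parameter(Mandatory)] [string] $NtdsDitPath,   # placeholder, e.g. 'D:\restore\ntds.dit'
        [Parameter(Mandatory)] [string] $ComputerName,  # e.g. 'lapsDC'
        [int] $Port = 50000
    )
    # Serve the backup database as a standalone LDAP endpoint on the chosen port.
    $dsamain = Start-Process -FilePath 'dsamain.exe' `
        -ArgumentList "/dbpath `"$NtdsDitPath`" /ldapport $Port" -PassThru
    try {
        # Wait until the LDAP port accepts connections before querying it.
        $deadline = (Get-Date).AddSeconds(60)
        do {
            $up = Test-NetConnection -ComputerName 'localhost' -Port $Port -InformationLevel Quiet
            if (-not $up) { Start-Sleep -Seconds 2 }
        } while (-not $up -and (Get-Date) -lt $deadline)
        if (-not $up) { throw "dsamain.exe did not start listening on port $Port." }

        # -Port targets the mounted backup; -RecoveryMode avoids contacting any DC.
        # AuthorizedDecryptor shows as a raw SID when run on a workgroup host.
        Get-LapsADPassword -Identity $ComputerName -AsPlainText -Port $Port -RecoveryMode
    }
    finally {
        # Unmount the database as soon as the password has been read.
        Stop-Process -Id $dsamain.Id -Force -ErrorAction SilentlyContinue
    }
}

Get-LapsPasswordFromBackup -NtdsDitPath 'D:\restore\ntds.dit' -ComputerName 'lapsDC'
```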
