Microsoft LAPS

Let’s dive into how Microsoft’s Local Administrator Password Solution (LAPS) works and how it interacts with Microsoft Active Directory (AD) Domain Group Policy. I’ll break this down into clear, digestible parts, focusing on the mechanics, interactions, and some critical considerations, while keeping the explanation straightforward and grounded in practical understanding.

What is Microsoft LAPS?

Microsoft LAPS is a security tool designed to manage local administrator account passwords on Windows devices that are joined to an Active Directory domain. Its primary goal is to enhance security by ensuring that local admin passwords are unique, complex, and regularly rotated across all managed devices. This mitigates the risk of lateral movement by attackers—if one device’s local admin password is compromised, the attacker can’t use it to access other devices because each password is different.

There are two versions to be aware of: the legacy Microsoft LAPS (released in 2015) and the newer Windows LAPS (introduced in 2023). The legacy version is now deprecated as of Windows 11 23H2, and Microsoft recommends transitioning to Windows LAPS, which is natively integrated into Windows 10, 11, and Server editions (2019 and later). Windows LAPS also offers additional features like password encryption and support for Microsoft Entra ID (formerly Azure AD). Since your query focuses on Active Directory, I’ll center the explanation on how LAPS (both versions, where relevant) operates in an AD environment.

How Microsoft LAPS Works

LAPS automates the management of local administrator passwords by generating random, unique passwords for each device and securely storing them in Active Directory. Here’s a step-by-step look at its core functionality:

1. Password Generation and Rotation:

• LAPS uses a client-side component (a Group Policy Client-Side Extension, or CSE, in legacy LAPS; native in Windows LAPS) that runs on each managed device.
• This component checks the password’s expiration status during Group Policy refresh cycles (typically every hour in Windows LAPS). If the password is expired or due for rotation (based on policy settings), the device generates a new random password.
• The password is created according to defined complexity, length, and age settings (e.g., 14 characters, including letters, numbers, and symbols, expiring every 30 days).

1. Password Storage in Active Directory:

• Once generated, the new password is sent to Active Directory and stored as a confidential attribute on the device’s computer object.
• In legacy LAPS, the attributes are ms-Mcs-AdmPwd (the password) and ms-Mcs-AdmPwdExpirationTime (expiration timestamp). Windows LAPS uses new attributes with the msLAPS- prefix, such as msLAPS-EncryptedPassword.
• These attributes are protected by Active Directory Access Control Lists (ACLs), ensuring only authorized users (like Domain Admins or delegated groups) can read them.

1. Password Retrieval:

• Authorized users can retrieve the password using tools like the Active Directory Users and Computers (ADUC) console (which shows a LAPS tab after schema extension), PowerShell cmdlets (e.g., Get-LapsADPassword in Windows LAPS), or legacy LAPS’s GUI tool.
• For example, an IT admin might need the password to log into a device locally if domain authentication fails (e.g., during a network outage).

1. Security Features:

• Windows LAPS introduces password encryption (optional, requires 2016 Domain Functional Level or higher), where the password is encrypted with AES-256 before being stored in AD. Only specified users or groups (e.g., via the ADPasswordEncryptionPrincipal setting) can decrypt it.
• It also supports password history (up to 12 previous passwords) and can manage Directory Services Repair Mode (DSRM) account passwords on domain controllers.

Interaction with Active Directory Domain Group Policy

Group Policy is the primary mechanism for deploying and managing LAPS settings across an AD domain. Here’s how LAPS integrates with Group Policy to enforce its functionality:

1. Policy Deployment:

• LAPS settings are configured via Group Policy Objects (GPOs) applied to Organizational Units (OUs) containing the computer objects you want to manage.
• For legacy LAPS, you need to install the LAPS client on devices and copy the AdmPwd.admx and AdmPwd.adml template files to your GPO central store. For Windows LAPS, the templates (LAPS.admx and LAPS.adml) are built into supported Windows versions, located under Computer Configuration > Policies > Administrative Templates > System > LAPS.
• Key settings include:
  • Enable Local Admin Password Management: Activates LAPS on the device.
  • BackupDirectory: Set to 2 to store passwords in AD (1 for Entra ID, not applicable here).
  • Password Settings: Defines complexity (e.g., 4 for letters, numbers, symbols), length (e.g., 14 characters), and age (e.g., 30 days).
  • AdministratorAccountName: Specifies the local admin account to manage (defaults to the built-in Administrator if not set).
  • ADPasswordEncryptionEnabled: Enables encryption (Windows LAPS only, requires 2016 DFL).
  • ADPasswordEncryptionPrincipal: Specifies who can decrypt encrypted passwords (defaults to Domain Admins).

1. Policy Processing:

• Devices process LAPS policies during Group Policy refresh cycles (every 90 minutes by default, or hourly for Windows LAPS). They also respond to GPO change notifications.
• If a policy change is detected (e.g., a new password length), the device applies the updated settings. You can force immediate processing with the Invoke-LapsPolicyProcessing PowerShell cmdlet.

1. Permission Management:

• LAPS requires specific AD permissions to function:
  • SELF Permission: Each computer must have permission to update its own password attributes in AD. This is set using PowerShell commands like Set-LapsADComputerSelfPermission -Identity "OU=Computers,DC=domain,DC=com".
  • Read Permissions: By default, only Domain Admins can read the password attributes. You can delegate access to other groups (e.g., IT admins) using Set-LapsADReadPasswordPermission.
• These permissions are typically configured before deploying the GPO to ensure devices can write to AD and authorized users can retrieve passwords.

1. Schema Extension:

• LAPS requires an AD schema extension to add the necessary attributes for storing passwords and expiration times. This is a one-time operation performed by a Schema Admin using PowerShell:
  • Legacy LAPS: Update-AdmPwdADSchema.
  • Windows LAPS: Update-LapsADSchema.
• Without this extension, LAPS cannot store passwords in AD, and the LAPS tab won’t appear in ADUC.

1. Event Logging and Monitoring:

• LAPS logs events in the Event Viewer under Applications and Services > Microsoft > Windows > LAPS. For example, event 10018 indicates a successful password update in AD.
• If issues arise (e.g., a device can’t update its password due to permissions), these logs help troubleshoot the problem.

Practical Example

Imagine you’re an IT admin in a company with 500 Windows 10 devices in an AD domain. You want to secure their local admin accounts using Windows LAPS:

• You extend the AD schema with Update-LapsADSchema and set permissions with Set-LapsADComputerSelfPermission on the OU containing your devices.
• You create a GPO named “LAPS Policy,” link it to the OU, and configure settings: enable LAPS, set password length to 14, complexity to 4, age to 30 days, and enable encryption with ADPasswordEncryptionPrincipal set to a group called “IT_Admins.”
• Devices in the OU process the GPO, generate new passwords, and store them in AD (encrypted). The msLAPS-EncryptedPassword attribute on each computer object holds the password.
• An IT admin in the “IT_Admins” group uses Get-LapsADPassword to retrieve a device’s password for troubleshooting, decrypting it with their credentials.

Critical Considerations

While LAPS is a powerful tool, it’s worth examining its implementation critically:

• Security Risks: In legacy LAPS, passwords are stored in clear text in AD (secured only by ACLs), which could be a vulnerability if AD permissions are misconfigured. Windows LAPS’s encryption feature mitigates this but requires a 2016 DFL, which might not be feasible for older environments.
• Domain Functional Level: Features like encryption and DSRM account management in Windows LAPS require at least Windows Server 2016 DFL. If your domain includes older domain controllers (e.g., 2012), you’ll face limitations.
• Permission Management: Misconfiguring permissions can lead to unauthorized access. For example, if you delegate read access to too many users, a compromised account could expose all passwords.
• Trust Relationship Issues: If a device loses its trust relationship with AD (e.g., due to a prolonged offline period), LAPS won’t update the password until the trust is restored. This ensures the AD-stored password remains valid but can cause delays in rotation.
• Migration Challenges: If transitioning from legacy LAPS to Windows LAPS, you must uninstall the legacy client, update GPOs, and extend the schema with new attributes. Both versions can’t manage the same account simultaneously, so you might need to create a new local admin account for Windows LAPS.

Why It Matters

LAPS addresses a critical security gap in Windows environments. Local admin accounts are often a weak point—many organizations use the same password across devices, making them easy targets for attackers. By automating password rotation and centralizing storage in AD, LAPS reduces this risk significantly. Its integration with Group Policy makes it scalable for large enterprises, ensuring consistent enforcement across thousands of devices.

However, it’s not a silver bullet. Proper configuration is crucial, and over-reliance on LAPS without other security measures (like least-privilege access or network segmentation) can leave gaps. Additionally, the move to Windows LAPS reflects Microsoft’s push toward modern identity management (e.g., Entra ID integration), which might not align with all organizations’ needs, especially those with on-premises-only setups.