The new Microsoft Local Administrator Password Solution (LAPS) is here and has lots of new features! LAPS integrates with Microsoft Active Directory (and now Azure AD) to randomize, vault, and rotate strong local administrator passwords across every Windows device in an organization. Unique local administrator passwords greatly improve endpoint security by limiting the ability of malware or an attacker to move laterally from device to device, an adversary technique outlined by MITRE ATT&CK, and they have been a CIS Baseline requirement for some time.
Microsoft recently released an update to LAPS, overhauling the 2015 version with many improvements such as:
Role-based access control to retrieve credentials
Native support within Windows 10/11
Windows Server 2019/2022
Azure AD integration
If you’re already using LAPS (Legacy), you’re aware of some of its challenges: client-side deployments and patching, plaintext passwords, no password change history, and no Azure Active Directory support. On top of that, the new version needs no separate client install; it is built into the Windows desktop and server operating systems with the April 11, 2023, Microsoft update.
On-Premises AD New Features
New GPOs for Management
Password Encryption via Data Protection API (DPAPI)
User/Group based permissions to rotated credentials
Support for DSRM account passwords on Domain Controllers
New PowerShell modules
LAPS Property tab within Active Directory Users and Computers
Automatic reset of passwords after-use
Dedicated Event Logs for auditing
Migration from Legacy LAPS using emulation mode
New Features (Azure AD) – Stay tuned for a follow-up blog showing integration
Store passwords in Azure
On-demand password rotation
Support for both Azure AD Joined and Hybrid-Joined devices
What do I need to get started?
If your devices are joined to on-premises Active Directory, you can set up LAPS just by installing the April 11, 2023, Microsoft update, extending your Active Directory schema, and deploying the new GPO settings to your endpoints.
Reference the table below to help steer where you should store your passwords:
Device join type: Password Storage Location
Windows Server Active Directory joined: Windows Server Active Directory
Hybrid AD Joined: Either Windows Server Active Directory or Azure Active Directory (choose one)
Azure AD Joined: Azure Active Directory
Azure Active Directory workplace-joined
Client Side Supported Operating Systems
Windows Server 2019/2022
Windows Active Directory
Domain Controllers 2019/2022 with April 2023 Update*
Windows Server 2016 Domain Functional Level**
A test Active Directory OU dedicated to test workstations
A security group for Authorized Password Decryptors (i.e., the people you want to be able to view the encrypted passwords)
Local Administrator Account to Manage (e.g., local-laps-admin user account on your workstations)
*WS2016 DCs do not support Windows LAPS
**Required for password encryption support
How do I get started?
Update all of your Domain Controllers and test workstations with the April 2023 Microsoft update.
Launch PowerShell as an Administrator on your Domain Controller, import the new modules, and extend your AD schema.
In Active Directory Users & Computers, open a workstation object’s Attribute Editor to confirm that the new attributes with the msLAPS- prefix exist.
I’m selecting a specific OU to test within; the following command allows computers within that OU to update their own credentials.
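The module import, schema extension, attribute check and OU self-permission steps above appear in the post as screenshots. The following PowerShell is an added example (not taken from the post) that performs those steps with the cmdlets of the built-in LAPS module and adds the permission review a practitioner would want before widening the rollout. The OU distinguished name and the decryptor group name are placeholders assumed for this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on a domain controller that has the April 2023 update.
# Placeholders (adjust to your environment):
$TestOU         = 'OU=LAPS Test Workstations,DC=corp,DC=example'   # assumed test OU
$DecryptorGroup = 'CORP\LAPS Password Decryptors'                   # assumed security group

Import-Module LAPS              # built into Windows after the April 2023 update
Import-Module ActiveDirectory   # available on a DC or via RSAT

# 1. Extend the schema with the msLAPS-* attributes. Requires Schema Admins
#    membership and only needs to run once per forest.
Update-LapsADSchema -Verbose

# 2. Confirm the attributes now exist in the schema partition, which is the
#    scripted equivalent of checking the Attribute Editor in ADUC.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msLAPS-*)' -Properties lDAPDisplayName |
             Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
$lapsAttrs | ForEach-Object { "schema attribute present: $_" }
if ($lapsAttrs -notcontains 'msLAPS-EncryptedPassword') {
    throw 'msLAPS-EncryptedPassword is missing; the schema extension did not complete.'
}

# 3. Allow computers in the test OU to write their own LAPS attributes.
Set-LapsADComputerSelfPermission -Identity $TestOU

# 4. Grant the decryptor group the directory rights to read (and force-reset)
#    the passwords stored on computers in that OU. The GPO setting
#    "Configure Authorized Password Decryptors" separately controls who can
#    decrypt; both are needed when password encryption is enabled.
Set-LapsADReadPasswordPermission  -Identity $TestOU -AllowedPrincipals $DecryptorGroup
Set-LapsADResetPasswordPermission -Identity $TestOU -AllowedPrincipals $DecryptorGroup

# 5. Review which principals hold the LAPS extended rights on the OU, so any
#    principal beyond the decryptor group that could read passwords stands out.
Find-LapsADExtendedRights -Identity $TestOU
```

Run step 5 again after linking the GPO and whenever the OU ACL changes; extra holders of the password-read right are the most common way the "decryptors only" intent quietly erodes.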
On your Domain Controller, create a new GPO and start building LAPS policy configuration.
NOTE: If you’re using a central store for Administrative Templates, you may need to copy LAPS.admx and LAPS.adml from C:\Windows\PolicyDefinitions to the C:\windows\sysvol\domain\policies\policydefinitions folder; otherwise you will not see the LAPS policy configuration under Computer Configuration > Administrative Templates > System > LAPS.
Configure Size of Encrypted Password History. This is helpful if you need historical passwords. This is also helpful when you restore a VM snapshot and need to know the password from a specific point in time.
Enable password encryption. This is one of the new features!
Configure Authorized Password Decryptors. This allows you to restrict access to specific users/groups to retrieve credentials. This is also a new feature!
Name of Administrator Account to Manage. This configuration lets you choose the local administrator account you’d like to manage. Generally, these are built into a VM template or deployed via GPO. Enter the name of the local administrator account.
Configure Password Backup Directory. Since I can only choose one, and I’m in a Hybrid Joined Environment, I’ll keep my LAPS password stored in Windows Active Directory. I could choose Azure AD since I’m Hybrid Joined, but that'll be a future blog on integration with Azure Active Directory.
Password Settings: Select the complexity requirements you require.
Post-Authentication Actions. Why wait 30 days for an automated password change if an account has been used? Now you can reset the password at a set interval after it was used to log in locally.
Link your newly created GPO to the OU you defined earlier. Once the testing has been completed you can expand to include more OUs and link your GPO in more places.
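The policy steps above are configured in the Group Policy editor. As an added example (not from the post), this PowerShell runs on a test workstation in the linked OU, forces a policy refresh, reads the applied Windows LAPS policy from its registry location and reports any setting that would undermine the configuration just described (plaintext storage, no decryptor group, no history, short passwords). The registry path and value names are the Windows LAPS policy names; the checks and thresholds are this example’s own choices.

```powershell
# Added example, not from the original post. Run elevated on a test workstation
# in the linked OU. Value names follow the Windows LAPS policy registry layout;
# the "weak setting" thresholds below are this example's own choices.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Refresh computer policy and make the LAPS client act on it immediately.
gpupdate /target:computer /force | Out-Null
Invoke-LapsPolicyProcessing -Verbose

if (-not (Test-Path $PolicyKey)) {
    throw 'No Windows LAPS policy applied. Check the GPO link and the LAPS.admx/adml files in the central store.'
}
$policy = Get-ItemProperty -Path $PolicyKey

# Show what was applied, reporting unset values instead of silently skipping them.
$names = 'BackupDirectory','AdministratorAccountName','ADPasswordEncryptionEnabled',
         'ADPasswordEncryptionPrincipal','ADEncryptedPasswordHistorySize',
         'PasswordLength','PasswordComplexity','PasswordAgeDays',
         'PostAuthenticationResetDelay','PostAuthenticationActions'
foreach ($n in $names) {
    $v = $policy.$n
    '{0,-32} {1}' -f $n, $(if ($null -eq $v) { '(not configured)' } else { $v })
}

# Findings: each one maps to a step in the walkthrough above.
$findings = @()
if ($policy.BackupDirectory -ne 2) {
    $findings += 'BackupDirectory is not 2 (Windows Server Active Directory); passwords are not being backed up to AD.'
}
if ($policy.ADPasswordEncryptionEnabled -ne 1) {
    $findings += 'ADPasswordEncryptionEnabled is not 1; passwords would be written to AD in plaintext.'
}
if ([string]::IsNullOrEmpty($policy.ADPasswordEncryptionPrincipal)) {
    $findings += 'No Authorized Password Decryptors configured; set the decryptor security group.'
}
if ($null -eq $policy.ADEncryptedPasswordHistorySize -or [int]$policy.ADEncryptedPasswordHistorySize -lt 1) {
    $findings += 'Encrypted password history size is 0 or unset; a restored snapshot will have no recoverable password.'
}
if ($null -ne $policy.PasswordLength -and [int]$policy.PasswordLength -lt 14) {
    $findings += "PasswordLength $($policy.PasswordLength) is below 14."
}
if ($null -ne $policy.PasswordComplexity -and [int]$policy.PasswordComplexity -lt 4) {
    $findings += 'PasswordComplexity is below 4; special characters are not required.'
}
if ([string]::IsNullOrEmpty($policy.AdministratorAccountName)) {
    $findings += 'AdministratorAccountName is empty; the built-in Administrator account will be managed instead of your named account.'
}
if ($null -eq $policy.PostAuthenticationActions) {
    $findings += 'PostAuthenticationActions not configured; the post-use reset relies on the client default rather than an explicit setting.'
}

if ($findings.Count -eq 0) { 'LAPS policy matches the intended configuration.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

If the key is missing entirely, the usual causes are the GPO not yet linked to the OU containing this computer or the LAPS.admx/adml files absent from the central store, both of which the walkthrough above addresses.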
Let’s test password retrieval. First, I attempted it with a user that was not part of the “decryptors” security group; in case you were wondering, you’ll see an error as shown below.
Afterwards, I tested with a user account that is part of the “decryptors” security group. As you can see, I can copy/show the LAPS Local Admin password.
Let’s test it out by signing in.
Success! I was able to log in with my new password! That was pretty easy. We now have native integration with the operating system and increased security!
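The retrieval test above is done through the LAPS tab in Active Directory Users and Computers. As an added example (not from the post), here is the same test scripted: run it once as a user outside the decryptors group (expect the warning) and once as a member (expect the account, password and expiry, plus history if any), then expire the password after the test sign-in so it rotates, and pull the dedicated LAPS event log from the workstation for the audit trail. The computer name is a placeholder assumed for this example.

```powershell
# Added example, not from the original post. Run from a DC or an RSAT machine
# as the user under test. The computer name is a placeholder.
$Computer = 'TESTWS01'   # assumed test workstation

Import-Module LAPS

function Test-LapsRetrieval {
    param([string]$ComputerName)
    try {
        # -AsPlainText returns the password as a string instead of a SecureString;
        # -IncludeHistory also returns the retained encrypted history entries.
        $entries = Get-LapsADPassword -Identity $ComputerName -AsPlainText -IncludeHistory
        foreach ($e in $entries) {
            [pscustomobject]@{
                Computer         = $e.ComputerName
                Account          = $e.Account
                Password         = $e.Password
                Updated          = $e.PasswordUpdateTime
                Expires          = $e.ExpirationTimestamp
                DecryptionStatus = $e.DecryptionStatus
            }
        }
    } catch {
        # A user outside the decryptors group ends up here: either the OU ACL
        # denies the read or the encrypted blob cannot be decrypted for them.
        Write-Warning ("Retrieval failed for {0} as {1}: {2}" -f $ComputerName, $env:USERNAME, $_.Exception.Message)
    }
}

Test-LapsRetrieval -ComputerName $Computer | Format-Table -AutoSize

# After the test sign-in, expire the password so the next policy cycle rotates
# it. The post-authentication action does this automatically once configured;
# this is the manual equivalent for the test.
Set-LapsADPasswordExpirationTime -Identity $Computer

# Audit trail: the dedicated LAPS operational log on the workstation records
# policy processing, password updates and backup results.
Get-WinEvent -ComputerName $Computer -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

Forwarding that operational log to your SIEM gives you a record of every password rotation and backup failure per device, which is the signal you want when a workstation stops rotating because its GPO link or AD write permission was changed.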
LAPS has been around for quite some time. There are still many environments that can benefit from it for increased security or compliance requirements. Hopefully, the latest release will gain even more traction and decrease the attack surface on Windows devices. As you can see, the new version is simple to configure and has many security benefits. If you already have LAPS (Legacy) configured and want to take advantage of the new features, I recommend you test out the new LAPS and start your migration today.
Still have questions or want to discuss your environment? Reach out to us at CDA. We’d love to discuss how we can help you with your business needs!