top of page

Getting Started with the NEW Microsoft LAPS for Active Directory

The new Microsoft Local Administrator Password Solution (LAPS) is here and has lots of new features! LAPS can integrate with Microsoft Active Directory (and now Azure AD) to randomize, vault, and rotate strong local administrator passwords across each Windows device in an organization. Having unique local administrator passwords greatly improve endpoint security. Limiting malware or an attacker’s ability to move laterally from device to device. Which has been a CIS Baseline requirement for some time. Also, an adversary technique outlined by MITRE ATT&CK.

Microsoft recently released an update to their LAPS. Overhauling their previous 2015 version with many improvements such as:

  • Password encryption

  • Role-based access control to retrieve credentials

  • Native support within Windows 10/11

  • Windows Server 2019/2022

  • Azure AD integration

What’s New?

If you’re already using LAPS (Legacy) you’re aware of some challenges. Client-side deployments and patching, plaintext passwords, lack of password change history, and lack of Azure Active Directory support. Not to mention, the new version is built into Windows Desktop and Server Operating Systems with the April 11, 2023, Microsoft update.

  • On-Premises AD New Features

    • New GPOs for Management

    • Password Encryption via Data Protection API (DPAPI)

    • User/Group based permissions to rotated credentials

    • Password History

    • Support for DSRM account passwords on Domain Controllers

    • New PowerShell modules

    • LAPS Property tab within Active Directory Users and Computers

    • Automatic reset of passwords after-use

    • Dedicated Event Logs for auditing

    • Migration from Legacy LAPS using emulation mode

  • New Features (Azure AD) – Stay tuned for a follow-up blog showing integration

    • Store passwords in Azure

    • On-demand password rotation

    • Support for both Azure AD Joined and Hybrid-Joined devices

What do I need to get started?

If your devices are on-premises Active Directory joined, you can install LAPS. Just by installing the April 11th, 2023, Microsoft update. Extending your Active Directory Schema and deploying new GPO settings to your endpoints.


Reference the table below to help steer where you should store your passwords:

Join Type

Password Storage Location

Windows Server Active Directory

Windows Server Active Directory

Hybrid AD Joined

Either Windows Server Active Directory or Azure Active Directory (Choose One)

Azure AD Joined

Azure Active Directory

Azure Active Directory workplace-joined

Unsupported

  • Client Side Supported Operating Systems

    • Windows 10/11

    • Windows Server 2019/2022

  • Windows Active Directory

    • Domain Controllers 2019/2022 with April 2023 Update*

    • Windows Server 2016 Domain Functional Level**

  • Test Active Directory OU dedicated for Test Workstations

  • Security Group for Authorized Password Decryptors (i.e., The people you want to be able to view the encrypted passwords)

  • Local Administrator Account to Manage (e.g., local-laps-admin user account on your workstations)

*WS2016 DC’s do not support Windows LAPS **Required for Password Encryption Support


How do I get started?

Update all of your Domain Controllers and Test Workstations to April 2023 Microsoft Update.


Launch PowerShell as an Administrator on your Domain Controller, import the new modules, and extend your AD schema.

Review Active Directory Users & Computers Workstation Object Attribute Editor to confirm the new Attributes exist with the msLAPS- prefix.

I’m selecting a specific OU to test within, the following command will allow computers within a specific OU to update their credentials.

On your Domain Controller, create a new GPO and start building LAPS policy configuration.


NOTE: If you’re using a central store for Administrative Templates you may need to copy the LAPS.admx and LAPS.adml from C:\Windows\PolicyDefinitions to the C:\windows\sysvol\domain\policies\policydefinitions folder otherwise you will not see the LAPS policy configuration under Computer Configuration > Administrative Templates > System > LAPS.


Configure Size of Encrypted Password History. This is helpful if you need historical passwords. This is also helpful when you restore a VM snapshot and need to know the password from a specific point in time.

Enable password encryption. This is one of the new features!

Configure Authorized Password Decryptors. This allows you to restrict access to specific users/groups to retrieve credentials. This is also a new feature!

Name of Administrator Account to Manage. This configuration lets you choose the local administrator account you’d like to manage. Generally, these are built into a VM template or deployed via GPO. Enter the name of the local administrator account.

Configure Password Backup Directory. Since I can only choose one, and I’m in a Hybrid Joined Environment, I’ll keep my LAPS password stored in Windows Active Directory. I could choose Azure AD since I’m Hybrid Joined, but that'll be a future blog on integration with Azure Active Directory.

Password Settings: Select the complexity requirements you require.

Post-Authentication Actions. Why wait 30 days for an automated password change if an account has been used? Now you can reset the password at a set interval after it was used to log in locally.

Link your newly created GPO to the OU you defined earlier. Once the testing has been completed you can expand to include more OUs and link your GPO in more places.

Let’s test out password retrieval. First, I attempted with a user that was not part of the “decryptors” security group. In case you were wondering, you’ll see an error as seen below.

Afterwards, I tested with a user account that is part of the “decryptors” security group. As you can see, I can copy/show the LAPS Local Admin password.

Let’s test it out by signing in.

Success! I was able to login with my new password! That was pretty easy. We now have native integration with Operating Systems and increased security!

Conclusion

LAPS has been around for quite some time. There are still many environments that can benefit from it for increased security or compliance requirements. Hopefully, the latest release will gain even more traction and decrease the attack surface on Windows devices. As you can see, the new version is simple to configure and has many security benefits. If you already have LAPS (Legacy) configured and want to take advantage of the new features, I recommend you test out the new LAPS and start your migration today.


Still have questions or want to discuss your environment reach out to us at CDA. We’d love to discuss how we can help you with your business needs!


Comments


bottom of page