Windows LAPS

Windows LAPS is a technology that automatically randomizes a local user account’s password and escrows the password on the computer object in Active Directory or, for Intune managed devices, on the device identity in Entra ID. All university-owned computers joined to the Wolftech domain, at or below the NCSU OU or enrolled in Intune are in scope to receive policy that configures Windows LAPS.

In our environment, the well-known local administrator account’s password is managed by LAPS. We do rename the account to wolftech.admin but a department may use their own group policy to change the name to something that’s a better fit.

Only departmental OU admins group, NCSU OU admins, and domain admins can read the LAPS password for the department’s computers.

Windows LAPS will automatically change the local user account’s password after 90 days unless the password has been used. Once used, the password will be changed in 12 hours.

Retrieving a LAPS password

If a departmental IT administrator needs to sign in to a computer with the local administrator account, they can retrieve the password using Active Directory Users and Computers (ADUC) or PowerShell.

Active Directory Users and Computers

Locate the computer object in your OU and double click it or right-click and select Properties. The LAPS tab should be visible whether or not the Advanced Features view is enabled.

PowerShell

Run the Get-LapsADPassword cmdlet.

Get-LapsADPassword -Identity <COMPUTERNAME> -AsPlainText

Legacy LAPS

We moved to Windows LAPS from what is now referred to as Legacy LAPS. Legacy LAPS required the installation of a client application where Windows LAPS is built in to Windows and does not require a client application. The Legacy LAPS attributes and password will remain on computer objects along with the most recent escrowed password. This is mostly to deal with cases where a computer has been offline for a while and departmental IT may need the Legacy LAPS password to sign in with the local administrator account because signing in with a domain account isn’t working.

Windows LAPS uses a different location in the registry for its settings than what Legacy LAPS uses. The attributes on the Active Directory computer object are also different.

Legacy LAPSWindows LAPS
Requires client applicationYesNo
Registry settings locationHKLM\Software\Policies\Microsoft Services\AdmPwdHKLM\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS
AD computer attributesms-Mcs-AdmPwd*msLAPS-*

The Legacy LAPS attributes and password will remain on the computer object in case a computer that has been offline for a while, and is unable to authenticate to the domain, can be signed in to.

Logging

The Windows LAPS event log is located at Microsoft-Windows-LAPS/Operational. Policy processing log entries should be added hourly.