Lithnet Access Manager
v3.0

Access Manager Editions


Last updated 9 months ago


Access Manager comes in two product editions: a free Community edition, which provides key protections from lateral movement-based attacks, and an Enterprise edition, which allows organizations to take full advantage of the security and usability enhancements provided by the Access Manager solution.

Enterprise Edition

Enterprise edition unlocks the full potential of Access Manager. From fully customizing the user experience to providing advanced authorization and auditing integrations, it's the ultimate solution for organizations that want the best protections against lateral movement and the best user experiences for support staff.

Enterprise edition customers can deploy the Access Manager agent to their Windows, macOS and Linux devices and move away from difficult-to-use passwords to easy-to-remember passphrases.

On Windows, our RapidLAPS feature means your support staff will never have to touch a LAPS password again, and can use a PIN or QR-code based login instead.

Enterprise edition also enables additional functionality, such as support for high availability, and advanced custom authorization rules.

See the licensing page for information on how to trial or purchase an Enterprise Edition license.

Community Edition

Access Manager Community edition is our core offering, containing the key features that an organization needs to help defend itself from lateral movement-based attacks. You can give your users full access to Microsoft LAPS passwords and the ability to request just-in-time admin access to computers, all from the convenience of their browser.

Community edition allows the deployment of the Access Manager agent to up to 100 devices.

Community edition is completely free for any organization of any size to use; however, no formal support is provided by Lithnet.

Feature comparison

Web app features

The Access Manager web app is the main feature of the product that your support staff and end users will be interacting with.

Feature
Community Edition
Enterprise Edition

Access to local admin passwords set by the legacy Microsoft LAPS agent

Access to local admin passwords set by the new Microsoft Windows LAPS agent

Access to local admin passwords and passphrases set by the Lithnet Access Manager Agent

Access to BitLocker recovery passwords

Just-in-time administrative access to Windows computers

Just-in-time access to custom roles

Limited to 3 roles

Review and approve RapidLAPS login and elevation requests

'Read aloud' function for passwords (where supported by the browser)

Phonetic display of passwords

Access to local admin password history 3

Show the local admin username 3

Trigger LAPS password change when the password has been accessed 4

Customize and brand the web app user interface

Lithnet Access Manager Agent features

Access Manager comes with its own agent which enables RapidLAPS, support for passphrase-based LAPS passwords, and BitLocker recovery key backup.

Community edition customers can deploy up to 100 agents in their environment.

Feature
Community Edition
Enterprise Edition

Manage local admin passwords

Limited to 100 devices

Generate passphrases for LAPS passwords

Limited to 100 devices

Retain historical local admin password history

Backup BitLocker recovery keys 5

Limited to 100 devices

Passwordless login via RapidLAPS 5

Limited to 100 devices

Passwordless elevation via RapidLAPS 5

Limited to 100 devices

Support for domain-joined Windows devices

Limited to 100 devices

Support for non-domain joined Windows clients

Limited to 100 devices

Support for macOS devices (Intel and arm64)

Limited to 100 devices

Support for Microsoft Entra-joined Windows 10 and higher devices

Limited to 100 devices

Support for Linux distributions (x64, arm64) 2

Limited to 100 devices

Just-in-time access features

Feature
Community Edition
Enterprise Edition

Just-in-time administrative access to Windows computers

Just-in-time access to Active Directory role-based groups

Limited to 3 roles

BitLocker features

Feature
Community Edition
Enterprise Edition

Read BitLocker recovery passwords from AD

Read BitLocker recovery passwords from non-AD joined devices 1

Limited to 100 devices

Authentication features

Access Manager supports several authentication mechanisms. You can use a modern authentication provider like Microsoft Entra ID or Okta to add MFA support to your Access Manager instance.

Feature
Community Edition
Enterprise Edition

Support for Integrated Windows Authentication

Support for OpenID Connect

Support for WS-Federation

Support for smart-card authentication

Auditing features

Feature
Community Edition
Enterprise Edition

Log events to the Windows event log

Send audit notifications via webhooks

Send audit notifications via email

Send audit notifications via custom PowerShell scripts

Send audit notifications to Splunk HEC

Infrastructure

Feature
Community Edition
Enterprise Edition

Multi-domain support

Cross-forest trust support

Single-server deployments

Load-balanced deployments

Authorization features

Feature
Community Edition
Enterprise Edition

ACL-based authorization

Custom PowerShell script-based authorization

Global rate-limiting on requests

Import Microsoft LAPS permissions from Active Directory

Import BitLocker recovery password permissions from Active Directory

Import local admin permissions from computers

Import permissions from CSV file

Configuration management features

Feature
Community Edition
Enterprise Edition

Manage AMS groups from the UI

Manage AMS groups from PowerShell

Manage AMS devices from the UI

Manage AMS devices from PowerShell

Manage AMS registration keys from the UI

Manage AMS registration keys from PowerShell

Create and modify authorization rules using the UI

Create and modify authorization rules using PowerShell

Support

Feature
Community Edition
Enterprise Edition

Enterprise support by Lithnet

  1. Requires the use of the Lithnet Access Manager Agent

  2. Requires the use of the Lithnet Access Manager Agent or the Microsoft Windows LAPS client

  3. Not supported when using the Microsoft Windows LAPS client and storing the password in Microsoft Entra

  4. Currently supported on Windows devices only

See the page on supported Linux operating systems for more details