Setting up Lithnet LAPS

Last updated 10 months ago

The Access Manager agent can manage the local admin password for your Windows, macOS, and Linux devices, whether they are joined to Active Directory or Entra ID, or are managed by some other mechanism.

The passwords are encrypted and stored on the Access Manager Server to allow retrieval via the Access Manager web app.

Lithnet LAPS provides several benefits over the Microsoft LAPS offerings:

  • Support for using passphrases as LAPS passwords

  • Support for Windows devices that are not joined to an Active Directory or Entra ID tenant

  • Support for macOS devices

  • Support for Linux devices

Note: you do not need to use Lithnet LAPS to use the RapidLAPS feature if you are already using Microsoft LAPS. You will, however, still need to install the Lithnet Access Manager agent.

Step 1: Enable agent support on the AMS server

Follow the steps in Enabling agent support on the AMS server.

Step 2: Deploy the Access Manager agents

Deploy the Access Manager agent to your devices.

Step 3: Create an encryption certificate

Access Manager requires an encryption certificate to be configured so that sensitive passwords can be encrypted.

From the Access Manager Agent/Password settings page, press the Generate new... button to create a new encryption certificate.

Back up this certificate when prompted and store it in a safe place. If you lose this certificate, you will not be able to decrypt any passwords stored in the directory. There are no other recovery options.

These certificates can be generated by AMS itself or imported. Depending on your threat model, you may elect to store this certificate in another cryptographic backend supported by Windows CNG, such as a hardware security module (HSM).

Step 4: Configure Access Manager Agent policy

AMS uses agent policies to configure the behavior of Lithnet Access Manager agents.

Select the appropriate operating system policy section from under the Access Manager agent/Agent policies section of the config app.

Find or create a policy that applies to the computers you want to manage the password for.

See the guide on creating and managing policies for more information on policy targeting and creation.

Step 5. Enable password management

To configure the agent to manage and automatically rotate the local administrator password on the device, tick the "Enable password management" box.

If Microsoft LAPS is configured to manage the password on a device, the Access Manager Agent's password change capability will be disabled.

Step 6. Configure the local account to manage

Next, determine the local account you would like the Access Manager Agent to manage:

  • If Built-in admin account is selected, the Access Manager Agent will manage the password of the OS-specific "default" admin account:

    • For Windows agents, this means the default Windows "Administrator" account.

    • For Unix-based operating systems (e.g. macOS and Linux), this means the root account.

  • If Other account is selected, the Access Manager agent will manage the password of the account with the name specified in the field below.

You can optionally configure the following settings for managing local accounts:

  • Create account if it does not exist: If this setting is enabled, the Access Manager Agent will create a local account with the specified name if it does not exist on the device.

    • Note: This setting is unavailable for Linux.

  • Enable account if it is disabled: If this setting is enabled, the Access Manager Agent will automatically enable the managed administrator account if it is disabled.

    • Note: This setting is unavailable for Linux.

  • Remove existing LAPS passwords from Active Directory if present: If this device's local administrator password was previously stored in Active Directory, this setting will attempt to clear existing passwords once the agent checks in (if applicable).

Step 7. Configure password history settings

Access Manager can keep historical local administrator passwords, which may be useful if you need to restore machines from backup.

You can optionally configure the following settings for historical password retention:

  • Maximum password age (days): The maximum number of days before the password must be rotated. For example, if this is set to 7, then the password would be rotated after 7 days.

  • Number of previous passwords to keep: The number of historical passwords to store in the Access Manager database.

  • Number of days to keep previous passwords: The number of days to keep historical passwords for; setting this field to "0" disables aging out of historical passwords.

Step 8. Configure password generation

The Access Manager Agent can generate either passwords or passphrases.

Generating passwords

Set the Generation mode to Password.

Next, configure the different parameters for passwords the Access Manager Agent will generate.

Use the Generate button at the bottom of the page to preview a password generated using the settings you selected.

It is important to ensure that the configured settings are compatible with any local account password requirements you may have in your environment.

Generating passphrases

Set the Generation mode to Passphrase.

Next, select the word list that Access Manager will use to generate passphrases by clicking the Select button next to the word list box. For more information on configuring your own word lists, see the managing word lists guide.

Finally, configure the different parameters for passphrases the Access Manager Agent will generate.

Use the Generate button at the bottom of the page to preview a passphrase generated using the settings you selected.
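As an added example (not part of this page or the Lithnet product), the following Python models the two generation modes described under Step 8 and checks a preview against a local account password policy, illustrating why the generated format must match your environment's requirements. The word list, character sets, separator and the simplified "minimum length plus 3 of 4 character categories" rule are constructed assumptions standing in for your actual settings.

```python
import math
import secrets

# Constructed sample word list standing in for an Access Manager word list (not from the product).
WORD_LIST = ["anchor", "basalt", "cobalt", "delta", "ember", "falcon", "granite", "harbor"]
UPPER, LOWER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"
DIGITS, SYMBOLS = "0123456789", "!@#$%^&*"  # assumed symbol set

def generate_password(length=16, upper=True, lower=True, digits=True, symbols=True):
    """Password mode: draw `length` characters from the enabled classes with a CSPRNG."""
    pool = (UPPER if upper else "") + (LOWER if lower else "") \
         + (DIGITS if digits else "") + (SYMBOLS if symbols else "")
    if not pool or length < 1:
        raise ValueError("need at least one character class and a positive length")
    return "".join(secrets.choice(pool) for _ in range(length))

def generate_passphrase(words, word_count=4, separator="-", capitalize=False, append_digit=False):
    """Passphrase mode: join `word_count` words drawn with replacement from `words`."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    if capitalize:
        chosen = [w.capitalize() for w in chosen]
    phrase = separator.join(chosen)
    if append_digit:
        phrase += str(secrets.randbelow(10))  # one trailing digit, about 3.3 bits
    return phrase

def passphrase_entropy_bits(word_list_size, word_count):
    """Entropy from the word choices alone; a fixed separator and capitalisation add none."""
    return word_count * math.log2(word_list_size)

def meets_windows_complexity(secret, min_length=14):
    """Assumed simplified local policy: minimum length and at least 3 of 4 character categories."""
    if len(secret) < min_length:
        return False
    categories = (
        any(c.isupper() for c in secret),
        any(c.islower() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),
    )
    return sum(categories) >= 3

if __name__ == "__main__":
    # A long lowercase passphrase still fails a 3-of-4 rule; capitalising and appending a digit fixes that.
    plain = generate_passphrase(WORD_LIST)
    strong = generate_passphrase(WORD_LIST, capitalize=True, append_digit=True)
    print(plain, meets_windows_complexity(plain))      # False
    print(strong, meets_windows_complexity(strong))    # True
    print(generate_password(20), passphrase_entropy_bits(len(WORD_LIST), 4))
```

Run the script to see that a plain lowercase passphrase is rejected by the modelled policy while the capitalised variant with a digit passes, and compare the entropy estimate against the length your policy enforces.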

Step 10: Assign access

Once the agent is deployed and the policy configured, you can configure access for individual users and groups using the AMS configuration tool.

From the Authorization rules/Computers page, select Add... to create a new target. Select the tenant, directory, device group, or computer you want to assign access to, and provide a friendly description for this rule. This will appear in audit logs if a user is granted access.

Select Edit Permissions... to open the ACL editor. Assign the appropriate users and groups permission to read the local admin password.

You can optionally choose to expire the local admin password a period of time after it has been accessed. This will cause the Access Manager Agent to generate a new password after its next check-in time.

If you'd like to be notified when someone accesses a LAPS password, select the notification channels you'd like to send to for success and failure events.

Step 11: Validate access

Log in to the Access Manager web app as an authorized user, and request access to the password for a computer. If you have performed the steps correctly, you should be able to see the machine's password.

If passwords cannot be retrieved, double-check that you have followed the steps in this article, and see the troubleshooting guide for how to find the Access Manager server logs to help understand and resolve the issue.