Microsoft LAPS configuration page
Last updated
Was this helpful?
Last updated
Was this helpful?
Access Manager can read LAPS passwords from Active Directory generated by both the new Windows LAPS and legacy Microsoft LAPS agents.
A list of forests is shown along with an indication of the deployment status of the legacy and new Microsoft LAPS schemas.
The legacy Microsoft LAPS schema uses an attribute called ms-mcs-admpwd to store the local admin password in plain text.
When configured, Access Manager will attempt to retrieve passwords stored in Active Directory stored by the legacy Microsoft LAPS agent.
When configured, Access Manager will attempt to retrieve passwords stored in Active Directory stored by the new Windows LAPS agent in either encrypted or unencrypted form.
This includes the ability to read encrypted passwords, as well as password history from Active Directory.
If you plan on using Lithnet Access Manager to read Microsoft LAPS passwords, you'll need to delegate permission for the AMS service account to read those passwords. You can use the built-in cmdlets from Microsoft's PowerShell modules, or click the Delegate LAPS Permissions button to generate a script to do this automatically.
Copy or save the script, modify the $OU variable as appropriate, and run it in with domain admin rights.
The new Windows LAPS agent in Windows 11 uses attributes called .
If you need to deploy the Microsoft LAPS schema, refer to the on how to complete this process.
