Lithnet Access Manager
v3.0
Choosing between the Lithnet and Microsoft agent for LAPS

Managing local admin passwords safely and securely relies on having a mechanism to generate and store the local admin passwords. There are three supported agents you can use with Access Manager to manage your device local admin passwords. This guide will help you choose the right option for your environment.

Option 1: Lithnet Access Manager agent

Lithnet Access Manager has its own agent that can be used to manage the local admin passwords of your devices. It fully supports encrypted passwords and password history, and runs not only on Windows but on macOS and Linux as well.

As well as managing LAPS passwords in much the same way as the Microsoft agent, it adds support for backing up BitLocker recovery codes from any Windows device, and enables our new RapidLAPS passwordless LAPS login capability.

Pros

  • Supports Windows, macOS, and Linux

  • Encrypts all passwords, along with password history support

  • Support for "passwordless" elevation and LAPS login with RapidLAPS (Windows only)

  • Backs up BitLocker recovery keys (Windows only)

  • Supports Windows Server 2016 and higher, as well as Windows 10 and higher

  • Supports Active Directory joined, Entra ID joined, as well as standalone Windows devices

Cons

  • No support for out-of-date operating systems. Only supported on Windows 10 and above and Windows Server 2016 and above

When should I use the Lithnet Access Manager agent?

  • You wish to use the RapidLAPS feature on Windows devices.

  • You have macOS and Linux devices you want to support

  • You have Windows devices not joined to a domain

  • You want one LAPS client solution for your entire Windows and non-Windows fleet

Use of the password management features of the Lithnet Access Manager agent is optional

For example, if you wish to keep using native Windows LAPS to manage passwords, but want to make use of features such as RapidLAPS, the AMS Agent can be configured to not manage passwords.

If the AMS Agent detects that either the Windows LAPS client or the legacy LAPS client is managing passwords on a device, it will not attempt to manage local account passwords (to avoid conflicts).

Mix and match!

It's important to note that you are not restricted to the use of a single LAPS client type in your environment.

For example, you can use the legacy LAPS client on legacy operating systems, Windows LAPS on modern operating systems, and Access Manager Agent on macOS and Linux devices.

Access Manager Server can read LAPS passwords from any client listed on this page.

Option 2: Legacy LAPS client

Microsoft's tried and true legacy LAPS client provides support for managing LAPS passwords for Active Directory joined devices. It supports a wide range of legacy and modern Windows operating systems.

Pros

  • Has the broadest support for OS coverage

  • Easy to deploy and configure via group policy

Cons

  • Windows only

  • Supports Active Directory domain-joined machines only

  • Passwords are stored in the directory in plain-text

  • Does not store a history of previously used local admin passwords

  • Deprecated and no longer being updated by Microsoft

When should I use legacy LAPS?

  • You have an existing deployment of legacy LAPS

  • You need to support legacy Windows operating system versions

Option 3: Windows LAPS client

In April 2023, Microsoft released LAPS as a built-in Windows feature. This release added support for password history, encryption, and Microsoft Entra joined devices.

Pros

  • Support for both AD and Microsoft Entra joined devices

  • Has password history support

  • Optionally encrypts passwords stored in Active Directory

  • Built into Windows

  • Actively supported and developed by Microsoft

Cons

  • Windows only

  • No support for older operating systems that are still in support. Only supported on Windows 11, Windows Server 2019 and higher, and Windows 10 versions supported as of April 2023.

When should I use Windows LAPS?

  • Your organization has modern Windows operating systems either joined to Microsoft Entra or Active Directory
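
Where several LAPS clients coexist, as in the mix-and-match case above, it helps to know which computer objects hold a legacy plain-text password, a Windows LAPS plain-text password, or an encrypted one. The following is an added example, not Lithnet or Microsoft code: it classifies entries from an attribute-names-only LDIF export by the Active Directory attributes the two Microsoft clients write. The sample export, DNs and category labels are constructed for illustration, and the export is assumed to come from an account permitted to see those attributes.

```python
LEGACY_PLAIN = "ms-mcs-admpwd"            # legacy LAPS, plain text
WINLAPS_PLAIN = "mslaps-password"         # Windows LAPS, plain text
WINLAPS_ENC = "mslaps-encryptedpassword"  # Windows LAPS, encrypted

# Constructed sample export: attribute names only (no values), one folded DN.
SAMPLE_LDIF = """\
dn: CN=WS01,OU=Workstations,DC=example,DC=test
ms-Mcs-AdmPwd:

dn: CN=WS02,OU=Workstations,DC=example,DC=test
msLAPS-EncryptedPassword:

dn: CN=WS03,OU=Workstations,DC=example,DC=test
msLAPS-Password:

dn: CN=SRV01,OU=Servers,
 DC=example,DC=test
ms-Mcs-AdmPwd:
msLAPS-EncryptedPassword:

dn: CN=MAC01,OU=Workstations,DC=example,DC=test
"""

def parse_ldif(text):
    """Return {dn: set of lower-cased attribute names} per LDIF entry."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, split entries
        lines = [l for l in block.splitlines() if ":" in l and not l.startswith("#")]
        names = {l.partition(":")[0].strip().lower() for l in lines}
        dns = [l.partition(":")[2].lstrip(": ").strip() for l in lines if l.lower().startswith("dn:")]
        if dns:
            entries[dns[0]] = names - {"dn"}
    return entries

def classify(attrs):
    """Name the storage state implied by the LAPS attributes present."""
    legacy, plain, enc = (a in attrs for a in (LEGACY_PLAIN, WINLAPS_PLAIN, WINLAPS_ENC))
    if legacy and (plain or enc):
        return "overlap: legacy and Windows LAPS"
    if legacy or plain:
        return ("legacy LAPS" if legacy else "Windows LAPS") + ", plain text"
    if enc:
        return "Windows LAPS, encrypted"
    return "no Microsoft LAPS password in AD"

def audit(text):
    return {dn: classify(attrs) for dn, attrs in parse_ldif(text).items()}

if __name__ == "__main__":
    print("\n".join(f"{state:34} {dn}" for dn, state in audit(SAMPLE_LDIF).items()))
```

Entries in the "overlap" group carry both a legacy and a Windows LAPS password attribute and are worth reviewing first, since the legacy value is stored in plain text.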

Operating system support

The Microsoft agents work only on Windows AD or Microsoft Entra-joined devices. The Lithnet Access Manager agent supports a much wider range of operating systems.

Operating system
Microsoft Legacy LAPS Agent
Microsoft Windows LAPS Agent
Lithnet Access Manager Agent

Windows Vista, Windows 7 and Windows 8

Windows 8.1

Windows 10

Windows 11 and higher

Windows Server 2012 R2

Windows Server 2016

Windows Server 2019 and higher

macOS[1]

Linux[1]

Supported join types

Join type
Microsoft Legacy LAPS Agent
Microsoft Windows LAPS Agent
Lithnet Access Manager Agent

Active Directory joined devices

Entra ID joined devices

Non-domain joined devices (workgroup)

Feature comparison

Feature
Microsoft Legacy LAPS Agent
Microsoft Windows LAPS Agent
Lithnet Access Manager Agent

Regularly rotates the local admin password

Stores a history of previous local admin passwords

Stores passwords in plain-text

Encrypts passwords

Writes passwords to Active Directory

Writes passwords to Entra ID

Writes passwords to the AMS server

Backs up BitLocker recovery keys to AMS

Enables passwordless login and elevation via RapidLAPS

1. Windows LAPS can store passwords in plain text if configured

Compatibility with password retrieval solutions

Legacy LAPS thick client
Windows LAPS AD property pages
Windows LAPS PowerShell
Entra Admin Portal
Access Manager Service

Microsoft Legacy LAPS passwords stored in AD

Microsoft Windows LAPS passwords stored in AD

Microsoft Windows LAPS passwords stored in Microsoft Entra

Access Manager Agent passwords


Last updated 10 months ago


1. See the downloads page for detailed operating system support for macOS and Linux agents.