Lithnet LAPS configuration page (Access Manager Directory)
Last updated
Last updated
AMS registered devices encrypt their passwords using a certificate provided by the AMS server. When a password change is required, the AMS server will provide the device with the public key of the active certificate, and it will use that key to encrypt the password.
When configuring LAPS for the first time, you'll need to create an encryption certificate, making sure to back it up to a location where it will be kept safe and secure.
If the encryption certificate is lost, passwords stored in the AMS directory are unrecoverable.
Shows the friendly name of the certificate
Shows the date that the certificate was generated
Shows the date that the certificate will expire
Indicates whether the certificate is active. Only the active certificate is used by clients to encrypt their passwords
At any time you can generate a new encryption certificate by clicking the Generate new button. Clients will not use this new certificate until you mark it as active.
If there are previously used certificates shown here, don't remove them. If clients have encrypted their passwords or password history with these old certificates, the AMS service will need them to be able to decrypt them.
It is imperative that you have a safe and secure backup of your encryption keys. Select a certificate to back up and click View Certificate. From the Details tab, click Copy to file.... This will launch the export certificate wizard, which will allow you to export the certificate and private key to a PFX file. Choose a strong password for the PFX, and store the file somewhere safe. It's best to have multiple copies of the file, including an 'offline' copy.
See the guide on restoring an encryption certificate from backup for details on how to restore an existing key from a backup.
If you've lost the private key, you can force the agents to set new passwords and encrypt them with a new key by reading the recovering from a lost encryption certificate guide. Unfortunately, there is no way to recover the encrypted password history.
AMS registered devices get their password policy from the AMS server itself. The default policy is used for all devices not covered by a custom password policy.
A friendly name for this policy
The name of the AMS group or Azure AD group that this policy applies to
Specifies the length of the password that is generated by the device
Specify the character types that must be present in the generated password
The maximum number of days before the password must be rotated. For example, if this is set to 7, then the password would be rotated after 7 days.
The minimum number of old passwords to retain in the database.
The minimum number of days to keep previous passwords. If your devices are backed up, you set this value to the maximum retention period for your backups, so that you can always go back and get the local admin password from a previous snapshot.
If both the Number of previous passwords to keep and Minimum number of previous passwords to keep setting is in use, then old passwords will not be removed until both thresholds have passed. For example, if you had a policy to generate a new password every day, to keep a minimum of 5 passwords, and to keep passwords for 365 days, you would have 365 passwords in your history. More examples are in the table provided below.
1
50
0
50
1
0
50
50
1
5
365
365
1
7
1
7
1
7
7
7
Custom password policies is an Enterprise edition feature
Custom password policies allow you to target specific policies to specific device groups. Policies can be assigned to AMS groups, or Azure AD groups of computers. Policies are processed in the order they appear on the screen, with the first matching policy taking precedence.
Password history is an Enterprise edition feature
