Choosing between the Microsoft and Lithnet agents for LAPS support
Managing local admin passwords safely and securely relies on having a mechanism to generate and store the local admin passwords, and a way for trusted users to access them.
Microsoft provides the Microsoft LAPS agent for generating and storing passwords in the directory, and the Microsoft LAPS client for accessing them.
Lithnet Access Manager also has an agent for generating and storing passwords in a directory, and a client for accessing them. The Access Manager Agent (AMA) can be used in place of the Microsoft LAPS agent to generate and store local admin passwords. The Access Manager Service (AMS) is a web-based service for accessing local admin passwords that is fully compatible with the Microsoft LAPS agent.
This guide will outline the feature differences between these products, and help you make a decision that is right for your environment.
Accessing local admin passwords
Lithnet Access Manager provides an alternative to the LAPS client by offering web-based access to Microsoft LAPS passwords in a more accessible and secure way. It offers an array of features not present in the native Microsoft offering, and significantly improves the usability and security of accessing LAPS passwords in your environment.
Feature comparison between the Microsoft LAPS client and the Lithnet Access Manager Service
| Feature | Microsoft LAPS Client | Lithnet Access Manager Service |
|---|---|---|
| Allows access to Microsoft LAPS passwords stored in the directory | ✔ | ✔ |
| Allows access to Lithnet Access Manager Agent encrypted passwords stored in the directory | ❌ | ✔ |
| Supports accessing passwords over cross-forest trusts | ✔ | ✔ |
| Static permissions via ACLs | ✔ | ✔ |
| Dynamic permissions via PowerShell scripts | ❌ | ✔ |
| Allows basic audit information to be captured | ✔ ¹ | ✔ |
| Allows detailed audit information to be captured | ❌ | ✔ |
| Log audit events to Windows event log | ✔ ² | ✔ |
| Log audit events to a file | ❌ | ✔ |
| Send audit events via email | ❌ | ✔ |
| Send audit events via a webhook | ❌ | ✔ |
| Send audit events via PowerShell | ❌ | ✔ |
| Web-based access | ❌ | ✔ |
| Mobile-device friendly | ❌ | ✔ |
| Access from non-Windows devices | ❌ | ✔ |
| Allows modern authentication and multi-factor authentication | ❌ | ✔ |
| Per-user and per-IP rate-limiting to prevent password harvesting | ❌ | ✔ |
| Restrict directory access to the passwords to a single service account | ❌ | ✔ |

¹ Enabling auditing of access to Microsoft LAPS passwords requires enabling directory object auditing
² LAPS events can be lost in a sea of other directory-related audit events
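Footnotes 1 and 2 describe the situation a defender faces with the native client: password reads only appear in the Security log once a SACL exists on the LAPS attribute, and then only as generic directory-access events among many others. The following PowerShell is an added example, not part of the Lithnet documentation; it assumes that directory object auditing is already enabled for the `ms-Mcs-AdmPwd` attribute, that it runs on a domain controller with the ActiveDirectory module, and that the relevant audit record is Security event 4662 (neither identifier is on this page).

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Lithnet's code): list who read Microsoft LAPS passwords
# in the last 24 hours by sifting 4662 events for the LAPS attribute GUID.
# Assumes: a SACL on ms-Mcs-AdmPwd is in place, and the script runs on a DC
# with rights to read the Security log.

# Resolve the schemaIDGUID of the LAPS password attribute from the schema
# rather than hard-coding it, so the filter is correct for this forest.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' `
    -Properties schemaIDGUID
$admPwdGuid = ([guid]$attr.schemaIDGUID).ToString()

# Event 4662 ("An operation was performed on an object") is logged for every
# audited directory access; its Properties field lists the attribute GUIDs
# that were touched. Everything else in that flood is irrelevant here.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$reads = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only events whose accessed-property list names the LAPS attribute.
    if ($data['Properties'] -match $admPwdGuid) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object   = $data['ObjectName']   # computer object, DN or GUID form as logged
            Access   = $data['AccessMask']   # 0x10 = READ_PROPERTY
        }
    }
}

$reads | Sort-Object Time | Format-Table -AutoSize
```

The filtering has to be repeated on every domain controller, since each DC logs only the reads it served; that operational cost is the "sea of events" footnote 2 refers to.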
The Access Manager Service is designed to take the pain away from desktop and server admins who have to use feature-limited tools to access these passwords. It also puts control in the hands of LAPS administrators, making sure they can easily control who has access to the local admin passwords, and keeps robust and detailed records of access events. It's the next generation of our trusted and proven Lithnet LAPS Web App.
Generating and storing local admin passwords
Lithnet Access Manager has its own agent you can deploy to computers to manage the admin password. It behaves in much the same way as the Microsoft LAPS agent, with two important differences.
The first difference is that all passwords generated by the Access Manager Agent are encrypted before they are stored in the directory. The second is that the Access Manager Agent can be configured to store previous passwords in the directory as well. This helps in scenarios where a computer is restored from a backup or rolled back from a snapshot.
If you don't need either of these features, then stick with the Microsoft LAPS agent.
There is no difference to the functionality of the Access Manager Service when using either agent, apart from the fact that password history will not be available when using the Microsoft LAPS agent.
Feature comparison between the Microsoft LAPS agent and the Lithnet Access Manager Agent
| Feature | Microsoft LAPS Agent | Lithnet Access Manager Agent |
|---|---|---|
| Regularly rotates the local admin password | ✔ | ✔ |
| Stores passwords securely in Active Directory | ✔ | ✔ |
| Requires a custom AD schema | ✔ | ✔ |
| Stores a history of previous local admin passwords | ❌ | ✔ |
| Stores passwords in plain-text | ✔ | ❌ ¹ |
| Encrypts passwords | ❌ | ✔ |
| Works without dependencies | ✔ | ❌ ² |

¹ Access Manager Agent can store unencrypted passwords in the Microsoft LAPS attributes when in compatibility mode
² Access Manager Agent requires .NET Framework 4.7.2 or later to be installed on the computer
Compatibility
You can use the Access Manager Service with the Microsoft LAPS agent without having to deploy the Access Manager Agent. However, if you deploy the Access Manager Agent, you'll need to use the Access Manager Service.
| | Microsoft LAPS Agent Passwords | Access Manager Agent Passwords |
|---|---|---|
| Microsoft LAPS Client | ✔ | ❌ |
| Access Manager Service | ✔ | ✔ |