Choosing between the Microsoft and Lithnet agents for LAPS support

Managing local admin passwords safely and securely relies on having a mechanism to generate and store the local admin passwords, and a way for trusted users to access them.

Microsoft provides the Microsoft LAPS agent for generating and storing passwords in the directory, and the Microsoft LAPS client for accessing them.

Lithnet Access Manager also has an agent for generating and storing passwords in a directory, and a client for accessing them. The Access Manager Agent (AMA) can be used in place of the Microsoft LAPS agent to generate and store local admin passwords. The Access Manager Service (AMS) is a web-based service for accessing local admin passwords that is fully compatible with the Microsoft LAPS agent.

This guide will outline the feature differences between these products, and help you make a decision that is right for your environment.

Accessing local admin passwords

Lithnet Access Manager provides an alternative to the LAPS client by offering web-based access to Microsoft LAPS passwords in a more accessible and secure way. It offers an array of features not present in the native Microsoft offering, and significantly improves the usability and security of accessing LAPS passwords in your environment.

Feature comparison between the Microsoft LAPS client and the Lithnet Access Manager Service

| Feature | Microsoft LAPS Client | Lithnet Access Manager Service |
| --- | --- | --- |
| Allows access to Microsoft LAPS passwords stored in the directory | | |
| Allows access to Lithnet Access Manager Agent encrypted passwords stored in the directory | | |
| Supports accessing passwords over cross-forest trusts | | |
| Static permissions via ACLs | | |
| Dynamic permissions via PowerShell scripts | | |
| Allows basic audit information to be captured | ✔ 1 | |
| Allows detailed audit information to be captured | | |
| Log audit events to Windows event log | ✔ 2 | |
| Log audit events to a file | | |
| Send audit events via email | | |
| Send audit events via a webhook | | |
| Send audit events via PowerShell | | |
| Web-based access | | |
| Mobile-device friendly | | |
| Access from non-Windows devices | | |
| Allows modern authentication and multi-factor authentication | | |
| Per-user and per-IP rate-limiting to prevent password harvesting | | |
| Restrict directory access to the passwords to a single service account | | |

1. Enabling auditing of access to Microsoft LAPS passwords requires enabling directory object auditing

2. LAPS events can be lost in a sea of other directory-related audit events

The Access Manager Service is designed to take the pain away from desktop and server admins who otherwise have to use feature-limited tools to access these passwords. It also puts control in the hands of LAPS administrators: they can easily control who has access to the local admin passwords, and the service keeps robust and detailed records of access events. It's the next generation of our trusted and proven Lithnet LAPS Web App.
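The last row of the table above (restricting directory access to the passwords to a single service account) is a posture you can verify rather than assume. The script below is an added example, not part of the Lithnet documentation or the Access Manager product: it lists every trustee that has been granted control access to the Microsoft LAPS password attribute on an OU, so that anything other than the expected service account stands out. It assumes the ActiveDirectory PowerShell module and the legacy Microsoft LAPS schema extension (attribute `ms-Mcs-AdmPwd`, which is marked confidential, so reading it requires an extended-right ACE in addition to read-property); the OU distinguished name and the `EXAMPLE\svc-ams` account name are placeholders.

```powershell
# Added example (not Lithnet's code): report who can read the Microsoft LAPS password
# attribute on an OU. Requires the ActiveDirectory module (RSAT) and the AD: drive it provides.
Import-Module ActiveDirectory

function Get-LapsPasswordReaders {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU holding the computer objects (placeholder in the usage line below)
        [Parameter(Mandatory)] [string] $OrganizationalUnitDn,
        # Trustees that are expected to hold the right; everything else is flagged as unexpected
        [string[]] $ExpectedTrustees = @('NT AUTHORITY\SYSTEM')
    )

    # Resolve the schemaIDGUID of ms-Mcs-AdmPwd; attribute-scoped ACEs reference the attribute by this GUID
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) {
        throw 'ms-Mcs-AdmPwd is not in the schema; the Microsoft LAPS schema extension is not installed.'
    }
    $admPwdGuid = [guid]$attr.schemaIDGUID

    $acl = Get-Acl -Path ("AD:\" + $OrganizationalUnitDn)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Reading a confidential attribute needs CONTROL_ACCESS (ExtendedRight) on that attribute.
        # GenericAll includes the ExtendedRight bit, so full-control grants are caught by the same test.
        $grantsControlAccess = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0

        # An empty ObjectType means "all extended rights"; otherwise the ACE must name ms-Mcs-AdmPwd itself
        $scopedToAttr = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $admPwdGuid)

        if ($grantsControlAccess -and $scopedToAttr) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Inherited = $ace.IsInherited
                Expected  = ($ExpectedTrustees -contains $ace.IdentityReference.Value)
            }
        }
    }
}

# Usage (placeholder OU and service account): show only trustees that should not be there.
Get-LapsPasswordReaders -OrganizationalUnitDn 'OU=Workstations,DC=example,DC=com' -ExpectedTrustees 'EXAMPLE\svc-ams' |
    Where-Object { -not $_.Expected } |
    Format-Table -AutoSize
```

Inherited ACEs from the domain head (for example the built-in administrative groups) are reported as well, which is deliberate: the "single service account" model only holds if those inherited grants are also reviewed. Run it against each OU where the agent writes passwords; an unexpected trustee in the output is a principal that can read local admin passwords directly from the directory, bypassing the rate-limiting and auditing that the Access Manager Service provides.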

Generating and storing local admin passwords

Lithnet Access Manager has its own agent you can deploy to computers to manage the admin password. It behaves in much the same way as the Microsoft LAPS agent, with two important differences.

The first difference is that all passwords generated by the Access Manager Agent are encrypted before they are stored in the directory. The second is that the Access Manager Agent can be configured to store previous passwords in the directory as well. This helps in scenarios where a computer is restored from a backup or rolled back from a snapshot.

If you don't need either of these features, then stick with the Microsoft LAPS agent.

There is no difference in the functionality of the Access Manager Service when using either agent, apart from the fact that password history will not be available when using the Microsoft LAPS agent.

Feature comparison between the Microsoft LAPS agent and the Lithnet Access Manager Agent

| Feature | Microsoft LAPS Agent | Lithnet Access Manager Agent |
| --- | --- | --- |
| Regularly rotates the local admin password | | |
| Stores passwords securely in Active Directory | | |
| Requires a custom AD schema | | |
| Stores a history of previous local admin passwords | | |
| Stores passwords in plain-text | | ❌ 1 |
| Encrypts passwords | | |
| Works without dependencies | | ❌ 2 |

1. The Access Manager Agent can store unencrypted passwords in the Microsoft LAPS attributes when in compatibility mode

2. The Access Manager Agent requires .NET Framework 4.7.2 or later to be installed on the computer

Compatibility

You can use the Access Manager Service with the Microsoft LAPS agent without having to deploy the Access Manager Agent. However, if you deploy the Access Manager Agent, you'll need to use the Access Manager Service.

| | Microsoft LAPS Agent Passwords | Access Manager Agent Passwords |
| --- | --- | --- |
| Microsoft LAPS Client | ✔ | ❌ |
| Access Manager Service | ✔ | ✔ |
