Local Administrator Password Solution (LAPS) is a Microsoft product that manages a local administrator password and stores it in Active Directory (AD) or Microsoft Entra (Note: as of 1/15/2025, the ability to store passwords in Microsoft Entra is disabled as there is currently no way to delegate password retrieval for specific devices to specific groups).
There are two varieties of LAPS, Windows LAPS and legacy Microsoft LAPS. Microsoft LAPS is deprecated as of Windows 11 23H2 but will be supported on older versions of Windows until the normal end of support for those operating systems. For the purposes of this page, any further mention of LAPS will refer to Windows LAPS unless explicitly stated otherwise.
The Microsoft Infrastructure (MI) team has implemented the LAPS schema extensions and created a default set of permissions to retrieve a password stored in AD. Use of LAPS by Delegated OU customers is optional but is generally recommended. It is the Delegated OU customer's responsibility to enable and configure LAPS for client computers and manage access to the stored passwords. The customer's side of the LAPS implementation consists of using a Group Policy Object (GPO) to apply desired LAPS settings on computers, and use of any administrative tools to retrieve a LAPS password.
Create or modify a GPO from a device that supports LAPS. The relevant settings will be located under Computer Configuration > Policies > Administrative Templates > System > LAPS. At a bare minimum, you must enable the “Configure password backup directory” setting to enable LAPS functionality. Apply the GPO to an Organizational Unit (OU) where you want to enable LAPS for all the computers underneath that OU.
IMPORTANT: DO NOT configure “Back up the password to Microsoft Entra-only” as this option is disabled in Entra and your LAPS password will not be saved.
The password can be retrieved using two common tools: Active Directory Users and Computers (ADUC) and PowerShell.
Note: These programs need to be “RunAs” an account with appropriate permissions to view the LAPS attributes.
Using ADUC, open the properties window for your target computer object and click the LAPS tab.
To retrieve a password using PowerShell, issue the following command: Get-LapsADPassword -Identity <ComputerName>. The password will be one of the returned attributes; it will be blank if the user does not have permission to read the password. If you chose to encrypt the LAPS password, you may need to add the -AsPlainText parameter to retrieve a human-readable password.
By default, each delegated OU has a LAPS Readers group that has permission to read the password for all computer objects in that delegated OU. For example, the Pottery OU has u_msinf_delou_pottery_lapsreaders. Each IT support organization can manage membership of this group to grant or deny the ability to retrieve a password. Only members of your OU Contacts group can manage your OU's LAPS Readers group. For example, the Pottery OU Contacts group is u_msinf_delou_pottery_oucontacts. To manage the members of this group, navigate to the Groups Service, search for your LAPS Readers group and add/remove members as necessary.
IMPORTANT: If you chose to enable password encryption with LAPS, make sure you also configure the "Configure authorized password decryptors" setting and add your 'u_msinf_delou_<ou>_lapsreaders' group or you will not be able to retrieve a plain text version of your LAPS passwords.
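The following PowerShell function is an added example, not code from this page or from Microsoft; it wraps the Get-LapsADPassword retrieval described above and reports the LAPS Readers group to check when the password comes back blank. The function name, its parameters and the property names selected in the usage comment (ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Password) are assumptions based on the cmdlet's output; it requires the Windows LAPS PowerShell module and must be run as an account in u_msinf_delou_<ou>_lapsreaders.

```powershell
# Added example (not from the page or Microsoft): retrieve the Windows LAPS
# password for one computer in a delegated OU and explain a blank result.
function Get-DelOuLapsPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Hypothetical parameter: the delegated OU short name (e.g. 'pottery'),
        # used only to name the LAPS Readers group mentioned in the warning.
        [Parameter(Mandatory)] [string] $OuName
    )
    $readersGroup = "u_msinf_delou_${OuName}_lapsreaders"
    try {
        # -AsPlainText returns the password as a string instead of a SecureString.
        # It is also what you need when the password was stored encrypted, in which
        # case $readersGroup must be listed under "Configure authorized password decryptors".
        $result = Get-LapsADPassword -Identity $ComputerName -AsPlainText -ErrorAction Stop
    }
    catch {
        Write-Warning "LAPS lookup failed for $ComputerName : $($_.Exception.Message)"
        return $null
    }
    if ([string]::IsNullOrEmpty($result.Password)) {
        # A blank password means the caller cannot read (or decrypt) the attribute.
        # Common causes: not running as a member of the LAPS Readers group, the group
        # not being an authorized decryptor, or the computer not yet applying the GPO.
        $msg = "No password returned for {0}. Confirm you are running as a member of {1} and that the computer has applied the LAPS GPO." -f $ComputerName, $readersGroup
        Write-Warning $msg
    }
    return $result
}

# Usage (run as an account in the OU's LAPS Readers group); 'POTTERY-PC01' is a constructed name:
# Get-DelOuLapsPassword -ComputerName 'POTTERY-PC01' -OuName 'pottery' |
#     Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Password
```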
The MI team recognizes that there are more complex business needs that a single LAPS Readers group cannot accommodate. Please contact us by email at help@uw.edu to request help designing and implementing a more granular permission structure.
LAPS is a Microsoft solution and you can find more at https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview.