In most Active Directory environments, every workstation has a local administrator account. That account is often poorly managed, and in some cases its password is the same on every machine. An attacker who compromises one machine can then reuse that password (or its NTLM hash) to move laterally across the network.

To address this, Microsoft released LAPS (Local Administrator Password Solution) in 2015, then a more comprehensive version, Windows LAPS, in 2023.

This article looks at how the two versions work, and the main differences between them.

LAPS v1

The first version of LAPS works on a simple principle:

  • The client generates a random password for the local administrator account itself.
  • It writes that password in clear text to its own computer object in AD, in the ms-Mcs-AdmPwd attribute (the expiry time goes into ms-Mcs-AdmPwdExpirationTime).
  • ACLs on the computer objects restrict who may read the attribute. The attribute is also flagged as confidential, so reading it requires the control-access (extended) right in addition to plain read permission.
  • A GPO sets the rotation frequency, the password length and complexity, and the name of the managed account.

This version has several problems:

  • The password is stored in clear text. Any principal with the right to read the attribute, including over-broad delegations inherited from higher up in the tree, can retrieve the account password as-is.
  • No trace is left when the password is read. Reading an AD attribute produces no event by default; you only get one if you configure a SACL on the attribute and enable directory service access auditing, which most deployments never do.
  • The password is kept only in AD, not on the machine. If the AD copy is lost or out of step with the machine (a snapshot rollback, a restored backup), there is no local copy to fall back on, and nothing on a machine that cannot reach the domain can tell you its current password.
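The two points that matter most in practice with LAPS v1 are who can read ms-Mcs-AdmPwd and how trivial the read is once you have the right. The following PowerShell is an added example, not code from the article or from Microsoft's AdmPwd.PS module (which ships Find-AdmPwdExtendedRights and Get-AdmPwdPassword for the same purpose). It needs the ActiveDirectory RSAT module; the OU distinguished name and the computer name are assumptions to adapt to your domain.

```powershell
# Added example: enumerate who can read ms-Mcs-AdmPwd under an OU, then read it the way
# an attacker holding those rights would. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$ouDn     = 'OU=Workstations,DC=corp,DC=example'   # assumed OU, adjust
$computer = 'WS-001'                               # assumed computer name, adjust

# ms-Mcs-AdmPwd is a confidential attribute: reading it needs ReadProperty AND the
# control-access (ExtendedRight) bit, so the ExtendedRight ACEs are the ones to look at.
# Resolve the attribute's schemaIDGUID to recognise attribute-specific ACEs.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$attrGuid = New-Object Guid -ArgumentList (,[byte[]]$attrObj.schemaIDGUID)

function Find-AdmPwdReaders {
    param([string]$DistinguishedName, [guid]$AttributeGuid)

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }

        # An empty ObjectType means "all extended rights": every confidential attribute, not just LAPS.
        $scope = $null
        if ($ace.ObjectType -eq [guid]::Empty)        { $scope = 'All extended rights' }
        elseif ($ace.ObjectType -eq $AttributeGuid)   { $scope = 'ms-Mcs-AdmPwd' }
        else                                          { continue }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Scope     = $scope
            Inherited = $ace.IsInherited   # inherited ACEs usually come from the domain root delegation
        }
    }
}

Find-AdmPwdReaders -DistinguishedName $ouDn -AttributeGuid $attrGuid | Format-Table -AutoSize

# With those rights the password is one LDAP read away, in clear text.
Get-ADComputer -Identity $computer -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name,
        @{ n = 'Password';  e = { $_.'ms-Mcs-AdmPwd' } },
        @{ n = 'ExpiresAt'; e = { [datetime]::FromFileTime([int64]$_.'ms-Mcs-AdmPwdExpirationTime') } }
```

Run the enumeration against the OU that contains your workstations rather than a single computer object: the ACEs you care about are almost always inherited, and an "All extended rights" grant to a helpdesk group or a service account is the usual surprise. The second command is exactly what any principal on that list can run; nothing in AD records that it happened.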

Windows LAPS

With Windows LAPS (delivered through the April 2023 cumulative updates for Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022, and built into later releases), Microsoft reworked several of these mechanisms.

Security

  • Passwords no longer have to be stored in clear text in AD. When password encryption is enabled (the ADPasswordEncryptionEnabled policy, which requires a Windows Server 2016 domain functional level), the client encrypts the password with DPAPI-NG before sending it, and stores it in msLAPS-EncryptedPassword instead of msLAPS-Password.
  • The encryption is bound to an authorized principal (ADPasswordEncryptionPrincipal, the domain's Domain Admins group by default), so only members of that group can decrypt it; there is no single "domain private key" to steal.
  • A user who can read the attribute therefore only gets an opaque blob, which is useless unless they are, or have compromised, an authorized decryptor. Note that msLAPS-Password still holds clear text if encryption is left disabled.
  • BitLocker key storage.
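To see the difference between the weak and the hardened configuration, it helps to set the policy by hand and then look at what actually lands in the directory. The following PowerShell is an added example, not from the article or from Microsoft; it writes to the policy registry key that the GPO or CSP would normally populate, so it is for a lab machine, not production. It needs a domain-joined client with the Windows LAPS update, the ActiveDirectory module, and a 2016 domain functional level for encryption. The group name CORP\LAPS-Decryptors and the account name LocalAdm are assumptions.

```powershell
# Added example: Windows LAPS policy with AD backup, encryption off vs on, then a check
# of what the directory holds. Registry key is the one populated by the LAPS GPO/CSP.
Import-Module ActiveDirectory

$policy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $policy -Force | Out-Null

# Weak: back up to AD (BackupDirectory = 2) with encryption disabled. The password is written
# to msLAPS-Password in clear text, exactly like ms-Mcs-AdmPwd in LAPS v1.
Set-ItemProperty -Path $policy -Name BackupDirectory             -Value 2 -Type DWord
Set-ItemProperty -Path $policy -Name ADPasswordEncryptionEnabled -Value 0 -Type DWord

# Hardened: same backup target, encryption on, decryption limited to a dedicated group
# (assumed name) rather than the default Domain Admins, plus sane rotation settings.
Set-ItemProperty -Path $policy -Name ADPasswordEncryptionEnabled    -Value 1 -Type DWord
Set-ItemProperty -Path $policy -Name ADPasswordEncryptionPrincipal  -Value 'CORP\LAPS-Decryptors' -Type String
Set-ItemProperty -Path $policy -Name ADEncryptedPasswordHistorySize -Value 3  -Type DWord
Set-ItemProperty -Path $policy -Name PasswordAgeDays                -Value 30 -Type DWord
Set-ItemProperty -Path $policy -Name PasswordLength                 -Value 20 -Type DWord
Set-ItemProperty -Path $policy -Name PasswordComplexity             -Value 4  -Type DWord   # upper, lower, digits, specials
Set-ItemProperty -Path $policy -Name AdministratorAccountName       -Value 'LocalAdm' -Type String  # assumed managed account

# Apply the policy now and rotate once instead of waiting for the next cycle.
Invoke-LapsPolicyProcessing
Reset-LapsPassword

# Check 1: what AD actually stores. With encryption on, msLAPS-Password is empty and
# msLAPS-EncryptedPassword holds an opaque DPAPI-NG blob.
$name = $env:COMPUTERNAME
Get-ADComputer -Identity $name -Properties 'msLAPS-Password','msLAPS-EncryptedPassword' |
    Select-Object Name,
        @{ n = 'ClearText';      e = { $_.'msLAPS-Password' } },
        @{ n = 'EncryptedBytes'; e = { ($_.'msLAPS-EncryptedPassword').Length } }

# Check 2: retrieval through the LAPS module. Source says which attribute was used and
# DecryptionStatus whether the caller was an authorized decryptor.
Get-LapsADPassword -Identity $name -AsPlainText |
    Select-Object ComputerName, Account, Source, DecryptionStatus, ExpirationTimestamp, Password
```

Run Check 2 once as a member of the decryptor group and once as a plain reader of the attribute: the second call returns the blob's metadata but no usable password, which is the property LAPS v1 never had. Keep the decryptor group small and tiered; whoever is in it is, for practical purposes, local admin on every machine in scope.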

Audit

  • On the client, Windows LAPS writes its activity (policy processing, password rotation, backup to AD or Azure AD) to its own event log channel, Microsoft-Windows-LAPS/Operational.
  • Reading a password that is backed up in Azure AD is recorded in the Azure AD audit log. In AD, reads are only traceable once directory service access auditing is enabled and a SACL is placed on the LAPS attributes (the LAPS module provides Set-LapsADAuditing for this); each read then appears as event 4662 on the domain controller, naming the reader and the computer object.
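The following PowerShell is an added example, not from the article or from Microsoft, showing how to make AD-side reads visible and then pull them back out. Part A runs with the LAPS module on a machine that can modify SACLs under the OU, Part B on a domain controller, Part C on a client. The OU name is an assumption, and the Set-LapsADAuditing parameter names are taken from the LAPS module documentation as I remember it; confirm them with Get-Help Set-LapsADAuditing before relying on them.

```powershell
# Added example: turn on read auditing for the Windows LAPS attributes and query the results.
Import-Module ActiveDirectory

$ouDn = 'OU=Workstations,DC=corp,DC=example'   # assumed OU, adjust

# A) SACL on every computer under the OU: a successful read of the LAPS password attributes by
#    anyone generates a Directory Service Access event. The audit subcategory itself must be
#    enabled on the DCs (normally via the default DC policy), or the SACL produces nothing.
auditpol /set /subcategory:"Directory Service Access" /success:enable
Set-LapsADAuditing -Identity $ouDn -AuditedPrincipals 'Everyone' -AuditType Success

# B) On a DC: reads show up as 4662 with the attribute's schemaIDGUID in the Properties field.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$lapsAttrGuids = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(|(lDAPDisplayName=msLAPS-Password)(lDAPDisplayName=msLAPS-EncryptedPassword))' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { (New-Object Guid -ArgumentList (,[byte[]]$_.schemaIDGUID)).ToString() }

function Get-LapsReadEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $m = $_.Message; $lapsAttrGuids | Where-Object { $m -match $_ } } |
        ForEach-Object {
            # Pull the structured fields rather than parsing the rendered message.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Reader     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object     = $d.ObjectName          # DN of the computer object that was read
                Properties = $d.Properties
            }
        }
}

Get-LapsReadEvents | Format-Table -AutoSize

# C) On the client: rotation and backup activity, including failures, in the LAPS channel.
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Forward the 4662 events from the DCs to your SIEM and alert on readers outside the expected helpdesk or automation accounts; 4662 is noisy in general, so filter on the two LAPS attribute GUIDs at the collector rather than shipping every directory access event.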

Local storage

  • The current password is now also kept on the machine itself, protected with DPAPI.
  • The machine can therefore restart or stay offline without losing track of its own password.

Azure AD integration

  • Windows LAPS can back the password up to Azure AD (now Microsoft Entra ID) instead of on-premises AD; the BackupDirectory policy selects the target.
  • Intune configures it through the built-in LAPS configuration service provider, so no additional agent is needed on the device.
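The Azure AD path, as an added example that is not part of the article or of Microsoft's documentation: point the client at Azure AD, then retrieve the password through Microsoft Graph. It needs the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement modules and a caller granted DeviceLocalCredential.Read.All; the device name is an assumption.

```powershell
# Added example: back up to Azure AD and read the password back through Graph.
$policy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name BackupDirectory -Value 1 -Type DWord   # 1 = Azure AD, 2 = AD, 0 = disabled
Invoke-LapsPolicyProcessing

# Intune sets the same value through the LAPS CSP node
# ./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory, which is why no agent is required.

# Retrieval: the device ID is the Azure AD deviceId, not the object ID.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'

$deviceName = 'WS-001'   # assumed device display name, adjust
$deviceId   = (Get-MgDevice -Filter "displayName eq '$deviceName'").DeviceId

Get-LapsAADPassword -DeviceIds $deviceId -IncludePasswords -AsPlainText |
    Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime, Password

Disconnect-MgGraph
```

Each Get-LapsAADPassword call with -IncludePasswords is an audited retrieval in Azure AD, so scope the Graph permission to a dedicated role or group and review the audit log for it the same way you would review 4662 on-premises.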