Local Administrator Password Solution (LAPS)

Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on domain-joined computers. Passwords are securely stored in Active Directory (AD) so only appropriate COUA and PRPLUS accounts can access them.

USGS’s enterprise LAPS implementation results in every domain-joined Windows computer (both client and server operating systems) having a local usgs_laps account, each with a unique password and expiration date. The password can be viewed/copied or reset using Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC), or PowerShell cmdlets.

Local sites need to ensure the usgs_laps account is included in the local Administrators group, whether via a Restricted Groups GPO or some other process. Other accounts used for interactive local admin access need to be removed once usgs_laps functionality is confirmed.


Getting the LAPS password via ADAC/ADUC

  1. Navigate to or search for the computer object
  2. Right-click on it and select Properties
  3. Bring up the LAPS tab (under Extensions in ADAC):

    ADAC: (screenshot)
    ADUC: (screenshot)

  4. Click Copy Password to copy the password to the clipboard (or Show Password if you only need to view it on screen)

Getting the LAPS password via PowerShell

When Windows LAPS is installed, a PowerShell module named LAPS is installed as well. This module includes a Get-LapsADPassword cmdlet that can be used as follows (last command copies the password to the clipboard):

Resetting the LAPS password via ADAC/ADUC

  1. Navigate to or search for the computer object
  2. Right-click on it and select Properties
  3. Bring up the LAPS tab (under Extensions in ADAC):

    ADAC: (screenshot)
    ADUC: (screenshot)

  4. Click Expire Now to mark the password as expired; the computer resets it at its next group policy update, which requires a connection to the DOI network (in the office or via VPN/Ivanti/GlobalProtect)

Note: Do not modify the LAPS attributes manually in the Attribute Editor tab; use Expire Now (or the PowerShell cmdlet) so the local account and Active Directory stay in sync.

Resetting the LAPS password via PowerShell

When Windows LAPS is installed, a PowerShell module named LAPS is installed as well. This module includes a Reset-LapsPassword cmdlet that can be used as follows:
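The following is an added example, not the page's own command listing, covering both the lookup cmdlet described under "Getting the LAPS password via PowerShell" and the reset cmdlet here. It assumes the Windows LAPS module is present, that the caller's OU/PLUS account holds the delegated read/reset rights on the computer object, and that PowerShell remoting to the target is allowed; the wrapper function names and the computer name are this example's own placeholders.

```powershell
# Added example (not from the original page). Assumes the Windows LAPS module
# and an account delegated read/reset rights on the target computer object.
Import-Module LAPS

function Copy-UsgsLapsPassword {
    # Looks up the usgs_laps password in AD and copies it to the clipboard.
    # Function name and parameter are this example's own, not the page's.
    param([Parameter(Mandatory)][string]$ComputerName)

    # -AsPlainText returns Password as a string; without it, a SecureString.
    $laps = Get-LapsADPassword -Identity $ComputerName -AsPlainText

    # A blank Password with no error usually means a permission or OU problem
    # (see the FAQ on blank passwords), not a missing rotation.
    if ([string]::IsNullOrEmpty($laps.Password)) {
        throw "No readable LAPS password for $ComputerName (check account, site OU, inheritance)."
    }

    Set-Clipboard -Value $laps.Password
    # Return the metadata worth checking; never echo the password itself.
    $laps | Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp
}

function Reset-UsgsLapsPasswordNow {
    # Forces an immediate rotation instead of waiting for expiry plus a GP refresh.
    # Reset-LapsPassword runs on the managed computer itself, so invoke it remotely.
    param([Parameter(Mandatory)][string]$ComputerName)

    $before = (Get-LapsADPassword -Identity $ComputerName).PasswordUpdateTime
    Invoke-Command -ComputerName $ComputerName -ScriptBlock { Reset-LapsPassword }
    Start-Sleep -Seconds 15   # give the client time to write the new password to AD
    $after = (Get-LapsADPassword -Identity $ComputerName).PasswordUpdateTime

    # The client writes the new password back to AD; confirm the timestamp moved.
    if ($null -eq $after -or $after -le $before) {
        Write-Warning "PasswordUpdateTime unchanged for $ComputerName; check connectivity and the LAPS GPO."
    }
    [pscustomobject]@{ ComputerName = $ComputerName; Before = $before; After = $after }
}

# Usage with a placeholder computer name:
Copy-UsgsLapsPassword -ComputerName 'WS-PLACEHOLDER'
Reset-UsgsLapsPasswordNow -ComputerName 'WS-PLACEHOLDER'
```

After a reset, any password previously copied to the clipboard is stale and should be looked up again.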

Frequently Asked Questions (FAQs)

When is the LAPS password reset?

The LAPS password automatically resets every 30 days, and also 24 hours after a logon with the usgs_laps account.

When the password is set, its expiration is set for 30 days in the future. Once that expiration is reached, the password is reset at the next group policy update (and the expiration is pushed out another 30 days). Because the reset is driven by group policy, 1) passwords are not reset until the computer is connected to the DOI network (in the office or via VPN/Ivanti/GlobalProtect), and 2) the usgs_laps password is always "in sync" between the local account and Active Directory.

Can a LAPS password be recovered if a computer account has been deleted from Active Directory?

Domain Administrators can recover the LAPS password for a computer account up to 60 days after it has been deleted from Active Directory. Contact the Service Desk to submit a LAPS password recovery request.

What if the LAPS password shows up blank when I look it up?

There are a few common reasons why the LAPS password for a computer account may not be visible to you. Check the following:

  1. Ensure you are using your OU or PLUS account and it is a member of the Full Admins group for your site.
  2. Ensure the computer account is within your site OU. Admins only have rights to view the LAPS password for computers within their OU.
  3. Ensure your site does not have inheritance disabled for group policy or delegated permissions.
  4. If you have verified all of the above and still cannot retrieve the LAPS password, contact the Service Desk and submit a ticket for assistance.

How can I troubleshoot a single computer if the LAPS GPO is not applying?

See the following TST article to fix policy update failures: Fixing Group Policy Update Failures….

Where can I get more information on LAPS?

You can read Microsoft’s LAPS documentation or review the settings in the Bureau Enterprise Configuration – Windows LAPS Configuration group policy object.
