LAPS and MS14-025

This short post is to remind you few things regarding coexistence of LAPS and local account password management via Group Policy Preferences (GPP) after installing hotfix 2928120  

Management of local account passwords via GPP was not best thing to do from security perspective, so this functionality was disabled by hotfix mentioned above.

However, installation of hotfix just disbles ability of making changes to relevant parts of GPP, but keeps current settings in place, so as not to disrupt  processes that may be in place and rely on settings distributed by GPP.

When installing LAPS into the environment, people may forgot to remove local administrator password management settings from GPP, thinking it was removed by installation of the hotfix mentioned above. This results in having two independent processes managing password of local administrator account and invalidates password that LAPS stores in AD in computer account.

So when installing LAPS, please always make sure that local administrator password management settings are removed from GPP prior deploying LAPS.






Comments (16)

  1. Anonymous says:

    Hi Jiri, I'm trying to get some more information about some of the internals of LAPS. Is there a contact point or forum where this is best able to be discussed?

  2. Anonymous says:

    I have deployed and configured LAPS on my test environment and LAPS UI can't find my computer name and  cmdlet Get-AdmPwdPassword –ComputerName testvm1 doesn't display password either.  Any idea what might be causing this problem? I followed official LAPS operations guide during the LAPS deployment and all permissions are set correctly.

  3. Anonymous says:

    As of the new release dated July 7th, version 6.1, the Find-AdmPwdExtendedrights feature no longer works.  Any attempt, with any value, returns an error : "Find-AdmPwdExtendedrights : No such object found".

  4. @Chris: what are you interested in? I believe that quite a lot can be found in tech specs document downloadable with LAPS. Also, at is predecessor of LAPS, along with source code, so you can see yourself

    @Luu: Try updated version 6.0.1. We fixed bug that caused computers not to be found in forests with multiple domain trees

    @Dave: This was behavior of 6.0.0 when you ran cmdlet in forest that did not contain schema update for LAPS. We added switch in 6.0.1 that allows this. Are you sure you run 6.0.1 with switch?


  5. Anonymous says:

    Jiri, thanks for your response.  I was not a member of the schema admins group.  Once added. the Find-AdmPwdExtendedrights feature worked correctly.  Sorry about the oversight on my part.  The documentation does note that requirement.

  6. James says:

    When install LAPS on the management machine, is the LAPS GPO extension local, or should i see it in the domain

  7. @James: GPO templates are installed to local PolicyDefinitions folder on the machine you're installing LAPS GPO templates component.

    To make them visible in domain GPO, copy the ADMX/ADML file into PolicyDefinitions folders on GPO managed machines (if your company does not use central GPO template store) or into central GPO templates store


  8. Dee says:

    What are the changes in LAPS version 6.0.0. and 6.1?  Are these changes major differences?

    1. Hi Dee,
      please see dedicated article posted to this blog – summarizes changes


  9. Krish says:

    Hi Jiri, I have multiple child domain and each child domain got OU structure identical. For example Servers OU named Servers. So when I run Find-AdmPwdExtendedRights -identity Servers from child domain, it gives me error “find-admpwdextendedrights : More than one object found, search using distinguishedName instead” since it finds identical OU from each child domain within forest. Input of DN does not work either.

    1. Hi Krish,
      way with passing DN is expected to work. Can you share more details why it does not work and what you’re observing?


      1. Stefan says:

        We have a similar situation:
        You have to put the DN in “”
        Find-AdmPwdExtendedrights -identity “OU=Client,OU=Prod,DC=lab,DC=local,DC=lab”

  10. Ren says:

    Hello Jiri,
    I have setup LAPS in our environment.
    -I can see the password on Attribute.
    -we are not using the built in local admin account
    -Group Policy is setup correctly.
    -I checked the access and all setup correctly.
    The issue here is the password generated by LAPS is not working on the client machines.

    [Aaron Margosis] In what way is it not working? Is the account not allowed to log on, or does it say the password is wrong when you try?
  11. Adit Amar says:

    Hi Jiri, I want to know whether there is any central management or interface which tells us about the no. of system on which it is installed and not, just like WSUS interface. We want to know about the details in a centrally managed interface. Is there anything or so??

    1. Jiri wrote a few lines of code that utilizes his S.DS.P PowerShell module ( ) that will return the number of computers that are Enrolled and Not Enrolled in LAPS. Unfortunately there is no centrally managed interface. Here is the code:

      Import-Module S.DS.P
      $enrolledComputers=Find-LdapObject -searchFilter “(&(objectClass=computer)(ms-MCS-AdmPwdExpirationTime=*))” -searchBase $searchBase -LdapServer $Server
      $nonEnrolledComputers=Find-LdapObject -searchFilter “(&(objectClass=computer)(!(ms-MCS-AdmPwdExpirationTime=*)))” -searchBase $searchBase -LdapServer $Server
      “Enrolled: $($enrolledComputers.Count)”
      “Not enrolled: $($nonEnrolledComputers.Count)”

  12. ShoaibPatel says:

    Hi Guys, what if i have got couple of local administrator account on client. can LAPS will be smart enough to generate random pass for all local admin account passwords.

    [Aaron Margosis] LAPS manages one local account. There’s no real value in having more than one administrative local account. There’s no separation between accounts. Each account can take over any other local account.
Skip to main content