LAPS updated to 6.0.1


We released update to LAPS last week. Changes in new version:

  • Fixed bug that caused computer account not to be found by LAPS UP and LAPS Powershell in forest containing multiple domain trees, and computer account was in different domain tree than tree of forest root domain
  • Added –SchemaNotUpdated switch parameter to cmdlet Find-AdmPwdExtendedPermissions that allows running this cmdlet in AD forest that does not contain LAPS AD schema update. Previously, doing this caused „No such object found“ error, because cmdlet looked for LAPS schema attribute in AD schema
  • LAPS UI: Replaced text box for password expiration with datetime picker
  • Fixed typos and better wording in ADMX templates
  • Updated documentation

 Download location did not change, so visit Download center for download


Comments (14)
  1. Anonymous says:

    Hello! I am trying LAPS in my testing environment and May I ask some questions? :

    – What is the name of service of LAPS running in AD?

    – How can i tackle with the event ID 3 Error Could not get local Administrator account? I got this error every 5 mins and I have no idea.

    Thank you very much!

  2. @John:

    – there is no service running on AD for LAPS – all logic is client based

    – for error 3, most likely you misconfigured name of admin account to ve managed in GPO. If you're managing built-in admin account, keep the policy "Name of admin account…" As Not configured. Only configure it when managing custom admin account


  3. John P says:

    Hello! I am finalizing a deployment in a higher edu environment, but one bit of feedback I am getting is the confusing font type used in the LAPS UI. Its possible to confuse some letters. Would love to see a clearer font used in future updates.


  4. CapnJax21 says:

    Hello – will this application work against machines not using English as their default language.  Having an issue where this application runs but fails on machines where the group is not named Administrators.


  5. @John P: Thanks for fedback, we will consider font change in future updates

    @CapnJax21: What are errors you're observing?


    1. brian says:

      January 2017… still a poor font. Any update on this?

      [Aaron Margosis] LAPS v6.2.0 was released last September and should address your concern. See
  6. CapnJax21 says:

    Basically could not find the "Administrators" group.

    I use a transform to deploy the msi that hardcodes the local admin account (it may be overkill).  After I commented on your blog, I searched through the other tables in the msi and found the rows that reference the local administrator group on the machine.  I retransformed the msi for all the languages I support and its now working.

    I haven't tried yet, but will the application resolve the Administrator group name in different languages if I do not explicity set the local admin account in the msi or is it specially looking for the group name "Administrator"?

  7. WoR_0407 says:

    Hi there,

    within delivered Document "LAPS_Datasheet.docx", the following is mentioned:


    >   Solution can be extended to provide additional functionality, such as:

    >   – Additional encryption of password stored in AD

    >   – Password history

    >   – Web UI

    Where can I find further Information?

    Kind Regards


  8. CapnJax21 says:

    Is there any way to view the history of passwords a computer had?  We ran into an issue here where one of our admins performed a system restore to a point in time where the admin account password was different that what is stored in AD.  After performing the restore, they also lost the trust relationship to the domain so they were stuck and needed to reimage which costs them alot of time and money…

  9. CapnJax21 says:

    @Jiri – I'm looking for the ability to retrieve the history of passwords for a system.  Can you point me in the right direction to that?  

  10. CapnJax21 says:

    more info – I'm using the 'free' version from Microsoft's Download center – does that not have the history builtin?  I found the ps script (Get-AdmPwdPassword -ComputerName mycomputername -includehistory) but it can't parse the includehistory parameter.  Any help would be appreciated.

    I also opened up a Premier Support ticket with Microsoft.  Took a while to explain to them what LAPS is!

  11. Melissa says:

    Hello! I am trying LAPS in server 2016 TP5 systems. When run ‘Update-AdmPwdADSchema’, always got the error:
    Update-AdmPwdADSchema : An operation error occurred.
    At line:1 char:1
    + Update-AdmPwdADSchema
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Update-AdmPwdADSchema], DirectoryOperationException
    + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,AdmPwd.PS.UpdateADSchema
    I researched a lot, but could fix this. After a period, I run this command and I got a successful result, It is Odd. I could not figure out the reason, nor could not make it successful in other server 2016 TP5 DC servers. I just want to know if there is any additional requirements for LAPS running on server 2016 TP5?
    Thank you very much!

    1. @Melissa: I haven’t tested on TP5 yet. I’ll look at it in next few days and let you know


    2. Just tested on TP5 server provisioned in Azure. Result:

      Operation DistinguishedName Status
      ——— —————– ——
      AddSchemaAttribute cn=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=t… Success
      AddSchemaAttribute cn=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=tstforest,DC=com Success
      ModifySchemaClass cn=computer,CN=Schema,CN=Configuration,DC=tstforest,DC=com Success

      I would guess there’s something wrong in your environment?

      Thank you,

Comments are closed.

Skip to main content