Update Active Directory default schema with LAPS


Feb 16 2024
In the backlog

Windows LAPS requires an Active Directory schema update to be fully functional - such updates are often quite difficult to implement in large environments, due to the amount of operational risk and approvals tied to them.

With LAPS now part of the operating system instead of being a third-party app, it would make sense to add the corresponding attributes and classes to the default AD schema when building a new Active Directory.

Maybe for Windows Server vNext, which will include several AD enhancements for the first time in many years?

Hi @Alban1998,

Thank you for your feedback. This is definitely an issue that I have considered. The only reason the new Windows LAPS schema was not already natively incorporated into the baseline AD schema is due to the out-of-band nature of when and how Windows LAPS was first backported. Given the timing of that backport (did not align with a Server OS release), I chose the simplest and most robust option which was to just ship a standalone cmdlet (Update-LapsADSchema) for this purpose.

Ignoring those background historical details :-), you are correct that the feature would be better off if the Windows LAPS schema was natively part of the base AD schema. I am tracking this work item but it probably will not make it in for Windows Server 2025.

Status changed to: In the backlog
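Since the thread turns on the operational cost of the schema update, the check an AD engineer wants before scheduling it is whether the Windows LAPS schema extension is already present in the forest. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module is installed, that the attribute names below match the ldapDisplayNames the Windows LAPS schema extension adds (a list from the published documentation, taken here as an assumption that newer LAPS builds may extend), and that `Update-LapsADSchema` is run separately, by a Schema Admins member, in an approved change window.

```powershell
# Added example (not part of the thread): report whether the Windows LAPS
# schema extension is present before deciding to run Update-LapsADSchema.
# Assumes the ActiveDirectory RSAT module; the attribute list below is an
# assumption based on the published LAPS schema documentation.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext

# ldapDisplayNames added by the Windows LAPS schema extension (assumed list).
$lapsAttributes = @(
    'msLAPS-Password',
    'msLAPS-PasswordExpirationTime',
    'msLAPS-EncryptedPassword',
    'msLAPS-EncryptedPasswordHistory',
    'msLAPS-EncryptedDSRMPassword',
    'msLAPS-EncryptedDSRMPasswordHistory'
)

# Query the schema naming context for each attributeSchema object by name.
$missing = foreach ($name in $lapsAttributes) {
    $filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))"
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -ErrorAction SilentlyContinue
    if (-not $obj) { $name }
}

# The schema master is where a schema update must be applied; report it so the
# change request names the right DC.
$schemaMaster = (Get-ADForest).SchemaMaster

if ($missing) {
    Write-Output "Windows LAPS schema extension is NOT fully present in this forest."
    Write-Output "Missing attributes:"
    $missing | ForEach-Object { Write-Output "  $_" }
    Write-Output "Schema master: $schemaMaster"
    Write-Output "Next step: run Update-LapsADSchema (LAPS module, Schema Admins) in an approved change window."
} else {
    Write-Output "Windows LAPS schema extension is present (all expected attributes found)."
    Write-Output "Schema master: $schemaMaster"
}
```

Running this read-only check from any domain-joined machine with RSAT lets a team confirm the state of the forest before and after the change, which is the kind of evidence the approval process mentioned in the original post usually asks for.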
Hello @Jay Simmons, thanks for your feedback. Let's wait for Windows Server 2028 then :)