LAPS: Meaning of Setting - Short words with unique prefixes
The update to LAPS for Windows 11 24H2 and Windows Server 2025 introduced new configuration options including the ability to use passphrases rather than passwords. Operationally this is add some benefits. However, the official documentation - https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts-passwords-passphrases#passphrase-word-lists doesn't provide a very good explanation for the setting "Short words with unique prefixes" The examples in the documentation and observations from implementation do not align with the short description. For example, from implementation: IodineIslandNectarRagweedCivilianZillion The word phrases are not exactly short; 6+6+6+7+8+7 = 40 characters, and nor is their a unique prefix. Does anyone have a better explanation as to the meaning of passwordcomplexity setting 8 in LAPS (post 24H2)? Cheers Paul P.S. the LAPS password above is no longer valid as it has been rotated.
Implementing LAPS
Translated with google Good morning, in the test environment I am trying to activate the LAPS features. The activation seems to have been successful. From the computer that acts as DC in AD it shows me the DSRM user password. While from the computer account of the test PC for LAPS no account or password is displayed. Obviously I created a GPO for the application of the LAPS parameters I have already restarted the PC several times and performed a GPupdate /force What can I check to have LAPS active on the client too? This is the data of the test network PC: W11 Pro 10.0.26100 build 26100 Server: W2025 srv Datacenter 10.0.26100 build 26100 Domain functional level 2025 Forest functional level 2025 ----------------------------------------------------------------------------------------------------------------- Buongiorno,in ambiente di test stò provando ad attivare le funzionalità LAPS. L'attivazione sembra essere andata a buon fine. Dal computer che fà da DC in AD mi fà vedere la password dell'utenza DSRM. Mentre dall'account computer del PC di test per LAPS non è visualizzato nessun account e nessuna password. Ovviamente ho creato una GPO per l'applicazione dei parametri LAPS Ho già riavviato più volte il pc ed eseguito un GPupdate /force Cosa posso verificare per avere LAPS attivo anche sul client? Questi i dati della rete di test Pc: W11 Pro 10.0.26100 build 26100 Server: W2025 srv Datacenter 10.0.26100 build 26100 Livello funzionale del dominio 2025 Livello funzionale della foresta 2025
Removing local admin from users and adding "Users" group to "Allow log on locally"
Hello, For security reasons we want to remove local admin rights for our users on their work laptops, I have found a way to do this using LAPS. The issue I am experiencing is that for some reason "Users" is not a working local group and it's not added to "Allow log on locally" by default. I added "Gebruikers" (the local users group in Dutch) to the security baseline which sets groups that are allowed to log on locally, this works but the issue is that this policy applies after the LAPS policy so if users get a new laptop and it gets locked they can't log back in and I have to manually change the Group Policy setting with an admin account. I was thinking maybe a remediation script could solve this if it checks for the right Group Policy and adds the device to a specific group for LAPS but I have no idea where to begin. Any tips would be appreciated! Best regards, Nick
LAPS Creation using Intune
Hi All I am trying to get Intune to create a Local Admin Account and I am using the method of adding OMA-URI Settings but for some reason the account is created but it's not adding to the administrator local group on the machine. Under OMA-URI the following settings was added ./Device/Vendor/MSFT/Accounts/Users/apexadmin/LocalUserGroup Would anyone know its not adding to the local admin group on the machine?Windows Server 2025 LAPS : Update-LapsADSchema error
I set up two new WS2025 server machines and promoted them as DCs. FFL and DFL = 2025. I tried to follow up the steps for activating LAPS in Active Directory, but I'm stucked on the first step for extending the AD schema. When I execute the command Update-LapsADSchema I get the following error: Update-LapsADSchema : An operation error occurred. At line:1 char:1 + Update-LapsADSchema + ~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Update-LapsADSchema], DirectoryOperationException + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,Microsoft.Windows.LAPS.UpdateLapsADSchema I run this as domain admin on the domain controller in an administrative powershell console, this account is a member of Schema and Enterprise Admins. Any help appreciated. Regards Uwe
Intunes LAPS
Hello, We are in the process of deploying Intune. For the Windows LAPS part, out of 90 workstations we only have 8 that have integrated it correctly and are visible in Intune and Azure, the others have ID 10024 for some, and ID 10013 with error 0x80070002 for others. It is activated in Entra, the intune profile deleted and recreated just in case, but I can't find the problem. Would you have an idea? Thank you very much.
LAPS Rotate pass on Intune
Hello, can you explain how this possibility works ? "OMA-URI setting to Rotate Local Admin Password Another method for rotating the local admin password is by using the OMA-URI setting “Actions/ResetPassword.” This approach allows you to immediately change the password of the managed local admin account without having to wait for the “Password age days” value to expire, providing." - Where should I insert this line ? - at what time it is triggered ? - can i enable and disable at any time ? I want every hour or every 2 hours the chosen laptop group, should receive the new rotated password. Thanks a lotUsing Windows LAPS along legacy LAPS
Good afternoon folks, I trying to figure out a thing or two for using Windows LAPS in our domain. First , we do have legacy LAPS configured and used in our domain. We still have Servers with Windows Server 2k12R2 and 2k16. They both need to use the legacy LAPS because they are not supported for using Windows LAPS. I was planning using emulation mode so that we do not introduce new ways to do things while some legacy configuration are around. So until we get rid of the older OSes, legacy emulation mode should remain. I was planning to make two policies applied using WMI filters and only for LAPS: One for the Windows LAPS config and the other for legacy LAPS config, both targeted to the proper OS. Am I right in my configuration? The way I am seeing it is: That using two policies, no servers should receive configurations that are not set for them. I can uninstall the legacy client on the newer servers and leave the old client on the older OSes. Helpdesk will continue to use the LAPS tool to retrieve the password. We still target the same account using both policies. To achieve that config I will require to: Extend the schema for Windows LAPS. Configure two policies using WMI filters and configure the right options: On the one newer OS, I need both legacy and Windows LAPS policies set (Emulation mode only for the Windows LAPS). On the older OS policy, only the legacy one. Remove the legacy client on the new OSes. Any idea or suggestion? Am I missing something about the requirements of both mode or any incompatibility using what I am planning to? Thanks a lot for any comments. Mathieu
