LAPS: Meaning of Setting - Short words with unique prefixes
The update to LAPS for Windows 11 24H2 and Windows Server 2025 introduced new configuration options including the ability to use passphrases rather than passwords. Operationally this is add some benefits. However, the official documentation - https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts-passwords-passphrases#passphrase-word-lists doesn't provide a very good explanation for the setting "Short words with unique prefixes" The examples in the documentation and observations from implementation do not align with the short description. For example, from implementation: IodineIslandNectarRagweedCivilianZillion The word phrases are not exactly short; 6+6+6+7+8+7 = 40 characters, and nor is their a unique prefix. Does anyone have a better explanation as to the meaning of passwordcomplexity setting 8 in LAPS (post 24H2)? Cheers Paul P.S. the LAPS password above is no longer valid as it has been rotated.
Implementing LAPS
Translated with google Good morning, in the test environment I am trying to activate the LAPS features. The activation seems to have been successful. From the computer that acts as DC in AD it shows me the DSRM user password. While from the computer account of the test PC for LAPS no account or password is displayed. Obviously I created a GPO for the application of the LAPS parameters I have already restarted the PC several times and performed a GPupdate /force What can I check to have LAPS active on the client too? This is the data of the test network PC: W11 Pro 10.0.26100 build 26100 Server: W2025 srv Datacenter 10.0.26100 build 26100 Domain functional level 2025 Forest functional level 2025 ----------------------------------------------------------------------------------------------------------------- Buongiorno,in ambiente di test stò provando ad attivare le funzionalità LAPS. L'attivazione sembra essere andata a buon fine. Dal computer che fà da DC in AD mi fà vedere la password dell'utenza DSRM. Mentre dall'account computer del PC di test per LAPS non è visualizzato nessun account e nessuna password. Ovviamente ho creato una GPO per l'applicazione dei parametri LAPS Ho già riavviato più volte il pc ed eseguito un GPupdate /force Cosa posso verificare per avere LAPS attivo anche sul client? Questi i dati della rete di test Pc: W11 Pro 10.0.26100 build 26100 Server: W2025 srv Datacenter 10.0.26100 build 26100 Livello funzionale del dominio 2025 Livello funzionale della foresta 2025Windows Server 2025 LAPS : Update-LapsADSchema error
I set up two new WS2025 server machines and promoted them as DCs. FFL and DFL = 2025. I tried to follow up the steps for activating LAPS in Active Directory, but I'm stucked on the first step for extending the AD schema. When I execute the command Update-LapsADSchema I get the following error: Update-LapsADSchema : An operation error occurred. At line:1 char:1 + Update-LapsADSchema + ~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Update-LapsADSchema], DirectoryOperationException + FullyQualifiedErrorId : System.DirectoryServices.Protocols.DirectoryOperationException,Microsoft.Windows.LAPS.UpdateLapsADSchema I run this as domain admin on the domain controller in an administrative powershell console, this account is a member of Schema and Enterprise Admins. Any help appreciated. Regards Uwe
Enabling LAPS on Exchange Servers
I have three Exchange 2016 Servers in our on-prem AD environment, and have been in the process of deploying LAPS across our organisation's members servers. Unfortunately, I've been unable to get LAPS to work properly on our Exchange Servers. Or more accurately, I've been unable to get the AD Computer objects, which represent our Exchange Servers, to inherit permissions from their parent OUs. The outcome of this, is that members of our "LAPS Password Readers" security group cannot read the LAPS password stored in AD. Attempts to Mitigate I've gone into the Computer Object representing say MX1. In Security > Advanced, clicked Enable Inheritance. Then it works fine for a short amount of time, before Inheritance is disabled again. I've manually added the Read permission for the ms-Mcs-AdmPwd attribute on the specific MX1 Computer Object. Doesn't work at all, the permission gets wiped straight away. Of course, I've done a bit of research, but have found little evidence to show other people suffering from this same issue. In fact, Reddit users with on-prem Exchange and LAPS users https://www.reddit.com/r/sysadmin/comments/yppz8c/laps_on_exchange_server/. My research into the issue of non-inheritable AD permissions points me towards stuff regarding highly privileged / protected accounts, an adminCount attribute in AD, and SDPROP. All of my Exchange Servers have an adminCount attribute of 1, which I think is because they are indirectly members of BUILTIN\Administrators, through membership of the 'Exchange Trusted Subsystem' group. That is, each server is a member of 'Exchange Trusted Subsystem', and 'Exchange Trusted Subsystem' is a member of BUILTIN\Administrators. A Microsoft Appendix about https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory mentions the AdminSDHolder object, which provides the template permissions applied to protected AD objects. Should I add my LAPS Password Readers" security group to the AdminSDHolder object, giving it the necessary permissions to get LAPS working? I'm surprised I've not found any official guidance in the LAPS documents or elsewhere about this tbh... Any advice would be appreciated! Thanks, Alex
