What is LAPS?

Local Administrator Password Solution (LAPS) is a local account password management solution from Microsoft, released in 2015. LAPS uses a Group Policy client-side extension (CSE) to randomize local administrator account passwords across the domain. It stores each local administrator account's password as a confidential attribute of the computer's corresponding Active Directory object. Domain administrators can grant read access to the stored passwords to authorized users such as help desk administrators.

Before the introduction of LAPS, the same password was used for the administrator accounts of all the computers in a domain because that was easy to implement. Attackers could easily move laterally in such networks by carrying out credential replay and Pass-the-Hash attacks. LAPS removes the common local administrator password and with it this avenue for lateral movement.

LAPS capabilities

  • Monitors the local administrator password for expiry. Generates a new password when the old password expires or is required to be changed before expiration.
  • Validates the password against the password policy.
  • Provides the ability to configure password parameters such as complexity and age.
  • Stores the next expiration date as an attribute of the computer account in Active Directory.
  • Protects passwords in Active Directory using access control lists (ACLs).

Because LAPS holds local administrator credentials for the entire domain, it is important to continuously track who views or modifies them.

Simplify LAPS auditing and reporting with ADAudit Plus.

ADAudit Plus simplifies LAPS password history tracking by offering predefined LAPS Audit reports together with graphical representations of the same data. It also lets you generate custom reports and export them in your preferred format (PDF, XLS, HTML, and CSV).

Once ADAudit Plus has been installed, it automatically configures audit policies required for Active Directory auditing.

To enable automatic configuration: Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.

To identify changes in LAPS, follow these steps:
  • Log in to ADAudit Plus.
  • Select the required Domain from the dropdown list.
  • Go to the Reports tab.
  • Navigate to LAPS Audit.
  • Select LAPS Password Read.

The following are some of the details you can get in this report:
  • Object Name - Name of the computer object.
  • Modified time - The time at which the LAPS attribute was modified.
  • Who Changed - Name of the user who made the change.
  • Domain Controller - Name of the domain controller.
  • Message - Explains the LAPS modification in verbose format.
  • Modified attributes - Indicates the LAPS attribute that has been altered.
  • Remarks - States the type of access.

To track LAPS password expiry changes, follow these steps:
  • Log in to ADAudit Plus.
  • Select the required Domain from the dropdown list.
  • Go to the Reports tab.
  • Navigate to LAPS Audit.
  • Select LAPS Password Expiry Changes.

The following are some of the details you can get in this report:
  • New account name - Name of the computer object.
  • Caller user name - Name of the user who has modified password expiration time and date.
  • Modified time - The time at which the password expiration value has been modified.
  • Modified attributes - Indicates the LAPS attribute that has been altered.
  • New value - The present password expiration date and time after the modification.
  • Old Value - The expiration date and time before the modification.
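
The old and new expiry values in such a report can be checked against the configured password age. The following is an added example, not ADAudit Plus or Microsoft code: it assumes the expiry values are raw Windows FILETIME integers, as stored in the legacy LAPS attribute ms-Mcs-AdmPwdExpirationTime, and the record field names, account names and 30-day maximum age are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TOLERANCE = timedelta(minutes=5)  # assumed slack for clock and write delay


def filetime_to_dt(value):
    """Convert a FILETIME integer (or digit string) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def dt_to_filetime(dt):
    """Inverse conversion; integer division keeps the result exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def review_expiry_changes(records, max_age_days):
    """Flag expiry changes that fall outside the configured password age.

    forced-reset: new expiry is zero or already past, so the password is
        due for rotation (expected when an operator requests a reset).
    extended-beyond-policy: new expiry is later than change time plus the
        maximum age, so the current password stays valid longer than intended.
    """
    limit = timedelta(days=max_age_days) + TOLERANCE
    findings = []
    for rec in records:
        new_expiry = filetime_to_dt(rec["new_value"])
        if new_expiry <= rec["modified_time"]:
            findings.append((rec["computer"], rec["caller"], "forced-reset"))
        elif new_expiry > rec["modified_time"] + limit:
            findings.append((rec["computer"], rec["caller"], "extended-beyond-policy"))
    return findings


# Constructed sample records (hypothetical names, not real audit data).
CHANGE_TIME = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"computer": "WS-001", "caller": "WS-001$", "modified_time": CHANGE_TIME,
     "new_value": dt_to_filetime(CHANGE_TIME + timedelta(days=30))},
    {"computer": "WS-002", "caller": "helpdesk1", "modified_time": CHANGE_TIME,
     "new_value": "0"},
    {"computer": "SRV-010", "caller": "jdoe", "modified_time": CHANGE_TIME,
     "new_value": dt_to_filetime(CHANGE_TIME + timedelta(days=365))},
]

if __name__ == "__main__":
    for finding in review_expiry_changes(SAMPLE, max_age_days=30):
        print(finding)
```

An expiry extended by a user account rather than by the computer's own account is the case worth following up, since the machine sets its own expiry within the policy age when it rotates the password.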

About ADAudit Plus

ADAudit Plus is real-time, web-based Windows Active Directory (AD) change reporting software that audits and reports on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. ADAudit Plus simplifies LAPS auditing by offering predefined reports with intuitive graphs that are easy to comprehend. The solution also sends real-time alerts for critical events, helping you secure your network from threats and strengthen your IT security posture.
