
Local Administrator Password Solution (LAPS) - FAQs

Article Number : KB0012536
Published on : 2023-11-20
Last modified : 2023-11-20 15:51:44
Knowledge Base : IT Public Self Help

This article applies to legacy LAPS (released in 2015).
For information on the new Windows LAPS (released in 2023) refer to https://ut.service-now.com/sp?id=kb_article&number=KB0019295.

Local Administrator Password Solution FAQs

  • Has the ISO approved the use of LAPS on campus?
    Yes, the ISO has approved the use of LAPS on campus.
  • Who has access to the password stored in Active Directory?
    Anyone with Full Control permissions on a computer object in AD can see its local Administrator password.  This includes any Department Administrators (which are created and managed in the Department User Tools) in addition to any member of a group for which the Standard Computer delegation or LAPS delegation has been set.
    The Domain Administrators also have access to the password, but will not process requests from Departments to provide a password.  Obtaining a password should be handled by the Department Administrators or other delegated staff.
  • What is the difference between the Standard Computer Delegation and the LAPS Delegation?
    The Standard Computer Delegation provides Full Control to all computer objects under the specified OU.  This includes the ability to create new computer objects, delete any computer objects, and reset the account.
    The LAPS Delegation only provides the necessary permissions to read the confidential attribute where the local Administrator password is stored.
  • Is access to the password that is stored in Active Directory logged?
    Yes, ITS-Systems and ISO staff are able to audit access to the password stored in Active Directory.
  • Can I manage the password for multiple accounts on each computer?
    No.  LAPS can only be used to manage a single account on each computer.  This could be the built-in Administrator account OR a single custom local account.
  • Does LAPS set the local Administrator password to be the same password on each computer?
    No.  LAPS will generate a unique password for each computer.
  • I get the following error in a computer's Application log:
    Message: Could not write changed password to AD. Error 0x80070032
    Event ID: 7
    Source: AdmPwd
    This error indicates that the computer does not have the necessary permission to write the password to its object in Active Directory.  Please submit an AD Request to have permissions set on your Department OU.
  • Where can I submit a request for my Department to use LAPS?
    A Department OU owner should submit an AD Request with the following information: the AD group that should be given access to the password, and the OU to apply the delegation to (because of permission inheritance, this will affect all sub-OUs).
  • Where can I get more information or ask additional questions?
     Contact the ITS Service Desk
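
The following PowerShell audit is an added example, not part of the original article or any ITS tooling: it lists which principals hold Full Control, or a narrower extended right on the password attribute, on each computer object under an OU. The OU name is a placeholder, and treating the LAPS Delegation as an extended-right ACE on the legacy LAPS attribute ms-Mcs-AdmPwd is an assumption based on how legacy LAPS grants read access.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and permission to read ACLs.
Import-Module ActiveDirectory

# Placeholder: replace with your Department OU.
$SearchBase = 'OU=ExampleDept,DC=example,DC=edu'

# Legacy LAPS stores the password in the confidential attribute ms-Mcs-AdmPwd.
# Look up its schema GUID in this forest so attribute-scoped ACEs can be matched.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd not found: legacy LAPS schema is not installed.' }
$pwdAttrGuid = [guid]$attr.schemaIDGUID
$anyObject   = [guid]::Empty   # ACE not scoped to one attribute or right

$adRights    = [System.DirectoryServices.ActiveDirectoryRights]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$report = foreach ($computer in Get-ADComputer -SearchBase $SearchBase -Filter *) {
    $acl = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs that apply to this object itself are of interest.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }

        $access = $null
        if ($ace.ActiveDirectoryRights.HasFlag($adRights::GenericAll)) {
            $access = 'Full Control'
        } elseif ($ace.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight) -and
                  ($ace.ObjectType -in $anyObject, $pwdAttrGuid)) {
            $access = 'Extended right covering password attribute'
        }
        if ($access) {
            [pscustomobject]@{
                Computer  = $computer.Name
                Principal = $ace.IdentityReference.Value
                Access    = $access
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Summarise: how many computers each principal can read the password on, and why.
$report | Group-Object Principal, Access |
    Sort-Object Count -Descending | Select-Object Count, Name
```

The result is an approximation: Deny ACEs and nested group membership are not evaluated, so expand any listed groups before comparing against the delegations you requested.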
