title | description | author | ms.author | ms.date | ms.topic |
---|---|---|---|---|---|
Windows LAPS schema and rights extensions for Windows Server Active Directory |
Get details about schema and rights extensions to deploy and manage Windows Local Administrator Password Solution (Windows LAPS) in Windows Server Active Directory. |
jay98014 |
justinha |
07/04/2022 |
reference |
Use detailed information about schema extensions and extended rights to help you deploy or manage Windows Local Administrator Password Solution (Windows LAPS) in your Windows Server Active Directory deployment.
Windows LAPS offers specific schema elements for Windows Server Active Directory. To use any of the following Windows LAPS Windows Server Active Directory-based features, you must add these new schema elements to the forest by running the Update-LapsADSchema PowerShell
cmdlet.
Windows LAPS uses specific schema attributes that are stored on the computer object in Windows Server Active Directory for a managed device. The Update-LapsADSchema
cmdlet adds the schema attributes to the directory and to the mayContain
list on the computer schema class.
Tip
Many of the following attributes specify a SearchFlags
value of 904
. For easy reference, this value is composed of the following bit flags:
fRODCFilteredAttribute
fNEVERVALUEAUDIT
fCONFIDENTIAL
fPRESERVEONDELETE
This attribute contains a 64-bit integer that specifies the currently scheduled password expiration time in UTC.
Name: ms-LAPS-PasswordExpirationTime
LDAP display name: msLAPS-PasswordExpirationTime
OID: 1.2.840.113556.1.6.44.1.1
Syntax: 2.5.5.16
OmSyntax: 65
IsSingleValued: True
IsMemberOfPartialAttributeSet: False
SearchFlags: 0
AttributeSecurityGuid: <not set>
This attribute contains a Unicode string that specifies the clear-text version of the current password and other information.
Name: ms-LAPS-Password
LDAP display name: msLAPS-Password
OID: 1.2.840.113556.1.6.44.1.2
Syntax: 2.5.5.5
OmSyntax: 19
IsSingleValued: True
IsMemberOfPartialAttributeSet: False
SearchFlags: 904
AttributeSecurityGuid: <not set>
The data stored in this attribute is a JSON string that contains multiple name-value pairs. For example:
{"n":"Administrator","t":"1d8161b41c41cde","p":"A6a3#7%eb!57be4a4B95Z43394ba956de69e5d8975#$8a6d)4f82da6ad500HGx"}
Each name-value pair in the JSON string has a specific meaning:
Name | Value |
---|---|
"n" |
Contains the name of the managed local administrator account |
"t" |
Contains the UTC password update time represented as a 64-bit hexadecimal number |
"p" |
Contains the clear-text password |
This attribute contains a byte string that contains an encrypted version of the current password.
Name: ms-LAPS-EncryptedPassword
LDAP display name: msLAPS-EncryptedPassword
OID: 1.2.840.113556.1.6.44.1.3
Syntax: 2.5.5.10
OmSyntax: 4
IsSingleValued: True
IsMemberOfPartialAttributeSet: False
SearchFlags: 904
AttributeSecurityGuid: f3531ec6-6330-4f8e-8d39-7a671fbac605 (ms-LAPS-Encrypted-Password-Attributes)
This attribute contains a multi-valued byte string. Each value contains an encrypted version of an earlier password.
Name: ms-LAPS-EncryptedPasswordHistory
LDAP display name: msLAPS-EncryptedPasswordHistory
OID: 1.2.840.113556.1.6.44.1.4
Syntax: 2.5.5.10
OmSyntax: 4
IsSingleValued: False
IsMemberOfPartialAttributeSet: False
SearchFlags: 904
AttributeSecurityGuid: f3531ec6-6330-4f8e-8d39-7a671fbac605 (ms-LAPS-Encrypted-Password-Attributes)
This attribute contains a byte string that contains an encrypted version of the current Directory Services Restore Mode (DSRM) account password.
Name: ms-LAPS-EncryptedDSRMPassword
LDAP display name: msLAPS-EncryptedDSRMPassword
OID: 1.2.840.113556.1.6.44.1.5
Syntax: 2.5.5.10
OmSyntax: 4
IsSingleValued: True
IsMemberOfPartialAttributeSet: False
SearchFlags: 904
AttributeSecurityGuid: f3531ec6-6330-4f8e-8d39-7a671fbac605 (ms-LAPS-Encrypted-Password-Attributes)
This attribute contains a multi-valued byte string. Each value contains an encrypted version of an earlier DSRM account password.
Name: ms-LAPS-EncryptedDSRMPasswordHistory
LDAP display name: msLAPS-EncryptedDSRMPasswordHistory
OID: 1.2.840.113556.1.6.44.1.6
Syntax: 2.5.5.10
OmSyntax: 4
IsSingleValued: False
IsMemberOfPartialAttributeSet: False
SearchFlags: 904
AttributeSecurityGuid: f3531ec6-6330-4f8e-8d39-7a671fbac605 (ms-LAPS-Encrypted-Password-Attributes)
This attribute contains a binary GUID. The value represents the logical version of the most recently persisted password.
Name: ms-LAPS-CurrentPasswordVersion
LDAP display name: msLAPS-CurrentPasswordVersion
OID: 1.2.840.113556.1.6.44.1.7
Syntax: 2.5.5.10
OmSyntax: 4
IsSingleValued: True
IsMemberOfPartialAttributeSet: False
RangerLower: 16
RangerUpper: 16
SearchFlags: 904
AttributeSecurityGuid: f3531ec6-6330-4f8e-8d39-7a671fbac605 (ms-LAPS-Encrypted-Password-Attributes)
Windows LAPS extends the ms-LAPS-Encrypted-Password-Attributes
rights in Windows Server Active Directory. You can use the ms-LAPS-Encrypted-Password-Attributes
extended rights to grant managed devices SELF permissions to read and write various attributes that are described in the preceding sections.
Name: ms-LAPS-Encrypted-Password-Attributes
Rights guid: f3531ec6-6330-4f8e-8d39-7a671fbac605
Valid accesses: 48 (RIGHT_DS_READ_PROPERTY | RIGHT_DS_WRITE_PROPERTY)
Like Windows LAPS, legacy Microsoft LAPS also requires you to use schema extensions for a Windows Server Active Directory deployment. To help you plan a migration from legacy Microsoft LAPS to Windows LAPS, the following table shows a logical mapping of schema extension elements:
Windows LAPS schema element | Legacy Microsoft LAPS schema element |
---|---|
msLAPS-PasswordExpirationTime |
ms-Mcs-AdmPwdExpirationTime |
msLAPS-Password |
ms-Mcs-AdmPwd |
msLAPS-EncryptedPassword |
Doesn't apply |
msLAPS-EncryptedPasswordHistory |
Doesn't apply |
msLAPS-EncryptedDSRMPassword |
Doesn't apply |
msLAPS-EncryptedDSRMPasswordHistory |
Doesn't apply |