Kaido Jarvemets - Logo

How to Update the Windows Server Active Directory Schema for the Latest Version of Windows LAPS

Microsoft has evolved its Local Administrator Password Solution, transitioning from the older Microsoft LAPS to the newly integrated Windows LAPS. This advancement streamlines the process for organizations, enabling them to manage local administrator passwords on their workstations and servers more efficiently. The need to separately download and install LAPS has been eliminated, as the latest iteration is seamlessly incorporated into recent Windows updates. This article delves into the steps required to update the Windows Server Active Directory schema in alignment with this new version of Windows LAPS.

Please read my previous blog posts before you continue:

New Windows LAPS Schema Attributes

Schema attributeDescription
msLAPS-PasswordExpirationTimeThis attribute contains a 64-bit integer that specifies the currently scheduled password expiration time in UTC.
msLAPS-PasswordThis attribute contains a Unicode string that specifies the clear-text version of the current password and other information.
msLAPS-EncryptedPasswordThis attribute contains a byte string that contains an encrypted version of the current password.
msLAPS-EncryptedPasswordHistoryThis attribute contains a multi-valued byte string. Each value contains an encrypted version of an earlier password.
msLAPS-EncryptedDSRMPasswordThis attribute contains a byte string that contains an encrypted version of the current Directory Services Restore Mode (DSRM) account password.
msLAPS-EncryptedDSRMPasswordHistoryThis attribute contains a multi-valued byte string. Each value contains an encrypted version of an earlier DSRM account password.

Active Directory Domain Requirements for Windows LAPS

Before implementing the Windows LAPS in your Active Directory Domain, it’s crucial to understand the domain functional level and domain controller OS version requirements. If your domain is configured below the 2016 Domain Functional Level (DFL), you won’t be able to enable Windows LAPS password encryption. This means that clients can only be configured to store passwords in clear text, secured by Active Directory ACLs, and DCs can’t be configured to manage their local DSRM account. Once your domain reaches 2016 DFL, you can enable Windows LAPS password encryption.

However, if you’re still running any WS2016 DCs, those WS2016 DCs don’t support Windows LAPS and therefore can’t use the DSRM account management feature. It’s recommended to use supported operating systems older than WS2016 on your domain controllers as long as you’re aware of these limitations.

Read more from Microsoft- Get started with Windows LAPS and Windows Server Active Directory | Microsoft Learn

Step 1: Install the latest updates on your servers and workstations

To begin, ensure that your servers and workstations are running the latest Windows updates. You can do this through Windows Update or by using your organization’s update management system.

Maximizing Your Endpoint Security with Windows LAPS

Secure Your Endpoints and Reduce Risk with Windows LAPS. Let us show you how to effectively implement and manage it in your organization.
Call to Action

Step 2: Confirm LAPS PowerShell module installation

Next, you’ll want to verify if the LAPS PowerShell module is installed. To do this, follow these steps:

  1. Open PowerShell with administrative privileges
  2. In the PowerShell window, enter the following command:
				
					Get-Module -Name LAPS

				
			

If the LAPS PowerShell module is installed, you will see the module details.

 

Step 3: Update the Active Directory schema

With the LAPS PowerShell module installed, you can now update the Active Directory schema using the following command:

				
					Update-LapsADSchema -Verbose

				
			

Step 4: Verify the schema update

To confirm that the schema update was successful, enter the following command in the PowerShell window:

				
					Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter * -Properties lDAPDisplayName | Where-Object { $PSITEM.lDAPDisplayName -eq "msLAPS-Password" -or $PSITEM.lDAPDisplayName -eq "msLAPS-EncryptedPassword" -or $PSITEM.lDAPDisplayName -eq "msLAPS-EncryptedPasswordHistory" -or  $PSITEM.lDAPDisplayName -eq "msLAPS-EncryptedDSRMPassword" -or  $PSITEM.lDAPDisplayName -eq "msLAPS-EncryptedDSRMPasswordHistory" -or  $PSITEM.lDAPDisplayName -eq "msLAPS-PasswordExpirationTime"}

				
			

If the schema update was successful, you should see the LAPS schema attributes in the output.

Here is the output from the Update-LapsADSchema PowerShell command:

Conclusion

After successfully updating the schema, you’re set to configure and roll out the evolved Microsoft LAPS, now known as Windows LAPS, across your organization. This updated version not only streamlines the management process but also fortifies the method of handling local administrator passwords. The result is a more secure and systematically organized IT infrastructure.

Leave a Reply

Contact me

If you’re interested in learning about How to Update the Windows Server Active Directory Schema for the Latest Version of Windows LAPS. I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.

Table of Contents