Configuring LAPS for Samba-AD

LAPS is a password management solution for Windows machines that are members of an Active Directory domain.

Note

New Microsoft LAPS is supported natively starting from:

  • Windows 10 – Version 22H2 with April 2023 cumulative updates (KB5025221 or later)

  • Windows 11 – All versions with April 2023 cumulative updates

  • Windows Server 2019 / 2022 / 2025 – With April 2023 cumulative updates or newer

No client installation is required anymore: Microsoft LAPS is built into the OS, including the PowerShell module.

Note

The following commands are run on the machine that holds the Schema Master FSMO role (use samba-tool fsmo show to find the right machine).

Attention

It is advisable to back up your AD before making schema changes. Note also that Active Directory does not allow a schema extension to be deleted once it has been added.

  • Create an LDIF file, laps-1.ldif, containing the schema extension. You must replace the base DN dc=mydomain,dc=lan with the DN of your domain:

    dn: CN=ms-LAPS-PasswordExpirationTime,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-PasswordExpirationTime
    adminDisplayName: msLAPS-PasswordExpirationTime
    adminDescription: Windows LAPS - time when the current password is scheduled to expire (UTC)
    attributeId: 1.2.840.113556.1.6.44.1.1
    attributeSyntax: 2.5.5.16
    omSyntax: 65
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 0
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    
    dn: CN=ms-LAPS-Password,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-Password
    adminDisplayName: msLAPS-Password
    adminDescription: Windows LAPS - current local admin password (JSON string)
    attributeId: 1.2.840.113556.1.6.44.1.2
    attributeSyntax: 2.5.5.5
    omSyntax: 19
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    
    dn: CN=ms-LAPS-EncryptedPassword,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-EncryptedPassword
    adminDisplayName: msLAPS-EncryptedPassword
    adminDescription: Windows LAPS - encrypted current local admin password
    attributeId: 1.2.840.113556.1.6.44.1.3
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605
    
    dn: CN=ms-LAPS-EncryptedPasswordHistory,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-EncryptedPasswordHistory
    adminDisplayName: msLAPS-EncryptedPasswordHistory
    adminDescription: Windows LAPS - encrypted local admin password history
    attributeId: 1.2.840.113556.1.6.44.1.4
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: FALSE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605
    
    dn: CN=ms-LAPS-EncryptedDSRMPassword,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-EncryptedDSRMPassword
    adminDisplayName: msLAPS-EncryptedDSRMPassword
    adminDescription: Windows LAPS - encrypted DSRM password
    attributeId: 1.2.840.113556.1.6.44.1.5
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605
    
    dn: CN=ms-LAPS-EncryptedDSRMPasswordHistory,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-EncryptedDSRMPasswordHistory
    adminDisplayName: msLAPS-EncryptedDSRMPasswordHistory
    adminDescription: Windows LAPS - encrypted DSRM password history
    attributeId: 1.2.840.113556.1.6.44.1.6
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: FALSE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605
    
    dn: CN=ms-LAPS-CurrentPasswordVersion,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-CurrentPasswordVersion
    adminDisplayName: msLAPS-CurrentPasswordVersion
    adminDescription: Windows LAPS - GUID of most recent persisted password
    attributeId: 1.2.840.113556.1.6.44.1.7
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    rangeLower: 16
    rangeUpper: 16
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605
    
    dn: CN=ms-LAPS-Encrypted-Password-Attributes,CN=Extended-Rights,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: controlAccessRight
    cn: ms-LAPS-Encrypted-Password-Attributes
    displayName: ms-LAPS-Encrypted-Password-Attributes
    rightsGuid: f3531ec6-6330-4f8e-8d39-7a671fbac605
    validAccesses: 48
    description: Windows LAPS - extended right for encrypted password attributes
    
  • Create a file laps-2.ldif:

    dn: CN=Computer,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: modify
    add: mayContain
    mayContain: msLAPS-PasswordExpirationTime
    mayContain: msLAPS-Password
    mayContain: msLAPS-EncryptedPassword
    mayContain: msLAPS-EncryptedPasswordHistory
    mayContain: msLAPS-EncryptedDSRMPassword
    mayContain: msLAPS-EncryptedDSRMPasswordHistory
    mayContain: msLAPS-CurrentPasswordVersion
    
  • Import the two LDIF files (this is done in two steps to force a commit after the attributes are created, so that the Computer class modification can reference them):

    ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-1.ldif
    ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-2.ldif
    
  • Restart Samba-AD:

    systemctl restart samba
    
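Because the schema change cannot be rolled back, it is worth checking the two files before running ldbadd. The script below is an added example for this how-to (it is not part of Samba or of Windows LAPS): it rewrites the placeholder base DN, parses both files, and reports attributes referenced in laps-2.ldif that are not defined in laps-1.ldif, unexpected attributeSyntax/omSyntax pairs, password attributes whose searchFlags lack the confidential bit (0x80, the bit that keeps the value out of ordinary LDAP reads), and attributeSecurityGUID values that do not match the rightsGuid of the extended right. The embedded sample is a constructed subset of the files shown above.

```python
"""Pre-flight checks for the Windows LAPS schema extension before it is imported
with ldbadd / ldbmodify. Added example for this how-to (not part of Samba or of
Windows LAPS): it reads the text of laps-1.ldif and laps-2.ldif and reports
inconsistencies, because a schema extension cannot be removed once committed."""
import re

# attributeSyntax / omSyntax pairs used by the LAPS attributes.
SYNTAX_PAIRS = {
    ("2.5.5.16", "65"),  # LargeInteger: msLAPS-PasswordExpirationTime
    ("2.5.5.5", "19"),   # printable string: msLAPS-Password (JSON document)
    ("2.5.5.10", "4"),   # octet string: encrypted blobs and the version GUID
}
CONFIDENTIAL = 0x80  # searchFlags bit: readable only with explicit control access
PLACEHOLDER_DN = re.compile(r"DC=mydomain,DC=lan", re.IGNORECASE)


def rewrite_base_dn(ldif_text, base_dn):
    """Replace the how-to's placeholder base DN with the real domain DN."""
    return PLACEHOLDER_DN.sub(base_dn, ldif_text)


def parse_ldif(text):
    """One {attribute: [values]} dict per blank-line-separated record, names lower-cased."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line.strip() == "-":
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def check_laps_schema(ldif1_text, ldif2_text):
    """Return the list of problems found; an empty list means the files are consistent."""
    problems, attrs, rights_guid = [], {}, None
    for rec in parse_ldif(ldif1_text):
        classes = [c.lower() for c in rec.get("objectclass", [])]
        if "attributeschema" in classes:
            name = rec["ldapdisplayname"][0]
            attrs[name.lower()] = rec
            pair = (rec["attributesyntax"][0], rec["omsyntax"][0])
            if pair not in SYNTAX_PAIRS:
                problems.append(f"{name}: unexpected attributeSyntax/omSyntax pair {pair}")
            # Every attribute holding password material must be confidential;
            # the expiration timestamp is the one LAPS attribute that is not secret.
            flags = int(rec.get("searchflags", ["0"])[0])
            secret = "password" in name.lower() and not name.lower().endswith("expirationtime")
            if secret and not flags & CONFIDENTIAL:
                problems.append(f"{name}: searchFlags {flags} lacks the confidential bit (0x80)")
        elif "controlaccessright" in classes:
            rights_guid = rec["rightsguid"][0].lower()
    for rec in attrs.values():
        guid = rec.get("attributesecurityguid", [None])[0]
        if guid and guid.lower() != rights_guid:
            problems.append(f"{rec['ldapdisplayname'][0]}: attributeSecurityGUID does not "
                            "match the rightsGuid of the extended right")
    for rec in parse_ldif(ldif2_text):
        for wanted in rec.get("maycontain", []):
            if wanted.lower() not in attrs:
                problems.append(f"mayContain {wanted}: no attributeSchema entry in laps-1.ldif")
    return problems


# Constructed sample: a subset of the two files shown in the how-to.
SAMPLE_LAPS1 = """\
dn: CN=ms-LAPS-Password,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
objectClass: attributeSchema
ldapDisplayName: msLAPS-Password
attributeId: 1.2.840.113556.1.6.44.1.2
attributeSyntax: 2.5.5.5
omSyntax: 19
searchFlags: 904

dn: CN=ms-LAPS-EncryptedPassword,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
objectClass: attributeSchema
ldapDisplayName: msLAPS-EncryptedPassword
attributeId: 1.2.840.113556.1.6.44.1.3
attributeSyntax: 2.5.5.10
omSyntax: 4
searchFlags: 904
attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605

dn: CN=ms-LAPS-Encrypted-Password-Attributes,CN=Extended-Rights,CN=Configuration,DC=mydomain,DC=lan
objectClass: controlAccessRight
rightsGuid: f3531ec6-6330-4f8e-8d39-7a671fbac605
"""
SAMPLE_LAPS2 = """\
dn: CN=Computer,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
changetype: modify
add: mayContain
mayContain: msLAPS-Password
mayContain: msLAPS-EncryptedPassword
"""

if __name__ == "__main__":
    for line in check_laps_schema(SAMPLE_LAPS1, SAMPLE_LAPS2) or ["no problems found"]:
        print(line)
```

Run it against the real files with `check_laps_schema(open("laps-1.ldif").read(), open("laps-2.ldif").read())` after `rewrite_base_dn` has been applied to both; an empty result is the condition for proceeding with ldbadd.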

Configuring the permissions required for LAPS to operate

Note

The commands below assume you are running on a Windows system that already supports the New Microsoft LAPS. No additional client installation is required: LAPS is now built directly into Windows 10/11 and Windows Server 2019/2022/2025, and the PowerShell module ships with the OS.

  • Unlike Legacy LAPS, there is nothing to install locally anymore. The service, Group Policy settings, and the LAPS PowerShell module are included natively starting with the April 2023 updates (KB5025221 and later).

  • To confirm that the module is available, simply run:

    Get-Command -Module LAPS
    Import-Module LAPS
    
  • In a PowerShell session with Domain Admin rights, run the following command to grant the computers in the OU the right to update their own Administrator password (the SELF permission on the LAPS attributes):

    Set-LapsADComputerSelfPermission -Identity "ou=machines,dc=mydomain,dc=lan"
    
  • Grant read access to the administrator groups that are allowed to view the password:

    Set-LapsADReadPasswordPermission -Identity "ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals "mydomain\HelpDesk"
    
  • Grant the administrator groups the right to reset the password expiration time, which forces a password change on the workstation (for example a first change after deployment):

    Set-LapsADResetPasswordPermission -Identity "ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals "mydomain\HelpDesk"
    

Hint

To view the rights on an OU, you can use the following command:

Find-LapsADExtendedRights -Identity "ou=machines,dc=mydomain,dc=lan" | Format-Table

Configuring the LAPS deployment GPO

Note

If you use a central PolicyDefinitions (ADMX) store on your Active Directory SYSVOL share, you may have to copy the LAPS templates into it: LAPS.admx and en-US\LAPS.adml (the files installed by the MSI installer).

  • In the Group Policy Management console, create a LAPS GPO (Computer Configuration -> Policies -> Administrative Templates -> System -> LAPS).

Attention

The Enable password encryption option must be set to Disabled. Password encryption is not supported in the current Samba AD implementation, and enabling it will prevent LAPS from functioning correctly.

  • You should also ensure that Configure password backup directory is set to Active Directory for proper operation.

  • Then configure the Password Settings according to your requirements.

  • To finish the configuration, set Configure automatic account management depending on which account you want LAPS to handle:

    • Choose “Manage the built-in administrator account” if you want LAPS to manage the default local Administrator (the account with Well-Known RID 500).

    • Choose “Manage a custom administrator account” if you use another local admin account.

Validating that LAPS is working properly

  • On a user workstation located in the OU to which the LAPS GPO is linked, launch a Group Policy update with gpupdate /force.

  • In the ADUC console, enable Advanced Features and check that the computer object's attributes msLAPS-Password and msLAPS-PasswordExpirationTime are populated.

  • Open Active Directory Users and Computers, go to the machine’s properties, then open the LAPS tab and verify that the password value can be retrieved.
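The same validation can be done from the Samba DC without opening the Windows console. The script below is an added example for this how-to (it is not part of Samba or of Windows LAPS): it reads the LDIF that ldbsearch prints for a computer object and reports whether the two attributes are populated and whether the expiration time still lies in the future, without printing the password. msLAPS-Password is a JSON document with the keys n (account name), t (update time as a hexadecimal FILETIME) and p (the password); only n and t are reported. The computer name WS01, the timestamps and the password value in the embedded sample are constructed.

```python
"""Check the LAPS attributes of a computer object from the Samba DC side.
Added example for this how-to (not part of Samba or of Windows LAPS). The input
is the LDIF printed by a query such as
    ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=WS01$)' \\
        msLAPS-PasswordExpirationTime msLAPS-Password
The sample below is constructed and its password value is a dummy."""
import base64
import json
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a Windows FILETIME (100 ns units since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def parse_attributes(ldif_output):
    """Collect the attributes of the record in ldbsearch output; 'attr:: value'
    lines carry base64 (ldb uses that form for values that are not LDIF-safe)."""
    attrs = {}
    for line in ldif_output.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if ":: " in line:
            name, value = line.split(":: ", 1)
            attrs[name.lower()] = base64.b64decode(value).decode("utf-8")
        elif ": " in line:
            name, value = line.split(": ", 1)
            attrs[name.lower()] = value
    return attrs


def laps_status(ldif_output, now=None):
    """Summarise the LAPS state of a computer object without exposing the password.
    Returns the account name, update time, expiration time and a state of
    'ok', 'expired' or 'missing' (attributes not written yet)."""
    now = now or datetime.now(timezone.utc)
    attrs = parse_attributes(ldif_output)
    result = {"dn": attrs.get("dn"), "state": "missing"}
    expires = attrs.get("mslaps-passwordexpirationtime")
    blob = attrs.get("mslaps-password")
    if not expires or not blob:
        # GPO not applied yet, no SELF write permission on the OU, or the client
        # does not have the built-in LAPS: nothing has been written to AD.
        return result
    doc = json.loads(blob)
    result["expires"] = filetime_to_datetime(expires)
    result["account"] = doc.get("n")
    result["updated"] = filetime_to_datetime(int(doc["t"], 16))
    result["state"] = "ok" if result["expires"] > now else "expired"
    return result


# Constructed sample: FILETIME values for 2023-12-02 (update) and 2024-01-01 (expiry), UTC.
UPDATED_FT = 133459488000000000
EXPIRES_FT = 133485408000000000
SAMPLE_OUTPUT = (
    "# record 1\n"
    "dn: CN=WS01,OU=machines,DC=mydomain,DC=lan\n"
    f"msLAPS-PasswordExpirationTime: {EXPIRES_FT}\n"
    "msLAPS-Password: " + json.dumps({"n": "Administrator", "t": format(UPDATED_FT, "x"),
                                      "p": "dummy-value-not-a-real-secret"}) + "\n"
    "\n# returned 1 records\n"
)

if __name__ == "__main__":
    status = laps_status(SAMPLE_OUTPUT)
    print(status["dn"], status["state"], status.get("account"), status.get("expires"))
```

A state of "missing" after gpupdate /force usually points at the GPO scope, at Set-LapsADComputerSelfPermission not having been run on the OU, or at the "Enable password encryption" setting not being Disabled; "expired" means the client has not rotated the password since the expiration time passed.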