Using ADUC to retrieve the LAPS password

Environment

Windows Platform as a Service

Local Administrator Password Solution

Each Windows Platform as a Service device is configured with a unique local administrator password. These passwords are periodically changed and stored in Active Directory using Microsoft’s Local Administrator Password Solution (LAPS). Windows Platform as a Service customers can use LAPS tools to retrieve the local administrator password of a device when needed.

 

  • The Local Administrator Password Solution (LAPS) can be accessed in 3 ways:

    • Contact Tier 3 in the #its-miworkspace-win-tier3 Slack channel

    • Open a PowerShell window as your PaaS OUAdmin account.
      Run the following command:

      Get-LapsADPassword -Identity <computer name> -AsPlainText
    • Launch ADUC using your PaaS OUAdmin account on any Server OS version 2019 or newer, Win 10 22H2, or any Win 11 machine joined to the UMROOT domain.

      • The euc-admints02.adsroot.itcs.umich.edu terminal server, which can be accessed using your PaaS OUAdmin account, can be used for this purpose.

  • The LAPS content and functionality, which used to be in LAPS UI, is now available in the LAPS tab of the AD computer object properties.

[Screenshot: LAPS tab on a computer object in ADUC]
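
A variation on the PowerShell retrieval above, added here as an example and not part of the original article: it copies the password to the clipboard instead of printing it, and can mark it expired so the device rotates it at its next LAPS policy cycle. The function name and EXAMPLE-PC01 are hypothetical; it assumes the Windows LAPS PowerShell module is available and that your account is permitted to reset the expiration time.

```powershell
# Added example; the function name and the sample computer name are hypothetical.
function Get-LapsPasswordToClipboard {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName,

        # Mark the password expired after retrieval so the device rotates it.
        [switch]$ExpireAfterUse
    )

    # Run as the PaaS OUAdmin account; a failed lookup stops here.
    $entry = Get-LapsADPassword -Identity $ComputerName -AsPlainText -ErrorAction Stop

    if ([string]::IsNullOrEmpty($entry.Password)) {
        throw "No readable LAPS password was returned for $ComputerName."
    }

    # Warn when the stored password is already past its expiration time,
    # which can mean the device has not checked in to rotate it.
    if ($entry.ExpirationTimestamp -and
        $entry.ExpirationTimestamp.ToUniversalTime() -lt (Get-Date).ToUniversalTime()) {
        Write-Warning "Stored password expired on $($entry.ExpirationTimestamp)."
    }

    # Put the secret on the clipboard instead of writing it to the console,
    # so it does not end up in scrollback or a session transcript.
    Set-Clipboard -Value $entry.Password

    if ($ExpireAfterUse) {
        # Assumption: the account may reset the expiration time on this object.
        # With no -WhenEffective value, the password is expired immediately.
        Set-LapsADPasswordExpirationTime -Identity $ComputerName -ErrorAction Stop
    }

    # Return only non-secret metadata to the caller.
    $entry | Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp
}

# Constructed sample computer name.
Get-LapsPasswordToClipboard -ComputerName 'EXAMPLE-PC01' -ExpireAfterUse
```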