
Microsoft LAPS and Windows LAPS Accounts

12Port supports the use of LAPS Accounts (either Microsoft or Windows LAPS) to execute PowerShell scripts remotely on domain joined Windows hosts. This allows the application to manage systems, publish policies, automate tasks, and interact with the Windows environment securely and efficiently without requiring the hard-coded LAPS password.

Local Administrator Password Solution (LAPS) provides a secure method for managing local administrator account passwords on Windows devices. Our software supports task execution using LAPS-enabled accounts, leveraging both the legacy Microsoft LAPS and the newer Windows LAPS (introduced in Windows 11 and Windows Server 2022). By using LAPS, passwords for local admin accounts are automatically rotated and securely stored in Active Directory, reducing the risk of lateral movement and credential reuse in your environment. When configured properly, these accounts can be retrieved and used securely for remote task execution without exposing static credentials.

Note

12Port requires an Active Directory connection to read the LAPS password from the Active Directory where it is stored. The Service User of this Active Directory integration also requires a specific permission in Active Directory to read the password from the AD attribute where it is stored.

With Microsoft LAPS, this means it requires Read permission to the AD attribute ms-Mcs-AdmPwd.
With Windows LAPS, this means it requires Read permission to the AD attribute msLAPS-Password.

Microsoft LAPS Accounts

12Port can use a Microsoft LAPS local account with Windows Host assets. The asset's authentication method takes the Host and a LAPS Username; no Password is required. To create an asset that uses a Microsoft LAPS account, use the following for guidance:

  1. Host: Define the Host of the supported target Windows asset where the LAPS account can be used for connection and execution of remote tasks. Hostname must be defined as the domain computer name, not by its IP address, as the LAPS password is stored in Active Directory under this Computer-Object.
  2. Username: Define the LAPS account in the following format: MS-LAPS :: AD-Configuration-Name :: LAPS-Name
    • MS-LAPS instructs 12Port to use the temporary Microsoft LAPS password instead of any value supplied in the Password field.
    • :: is used as a separator in the Username string. Note that there is a single leading space character, followed by two colon characters, followed by a single trailing space character.
    • AD-Configuration-Name defines the Active Directory configuration 12Port will connect with to retrieve the LAPS account password. The AD Configuration Name is the one defined in the Name parameter on the Active Directory Configuration page. Note that by default, LAPS passwords can only be read by Active Directory accounts that have been specifically configured to allow it. This connection may have its Direct Login disabled.
    • :: is used as a separator in the Username string. Note that there is a single leading space character, followed by two colon characters, followed by a single trailing space character.
    • LAPS-Name is the name of the Microsoft LAPS account, in local format like ComputerName\LAPS-Name.
  3. Password: leave the Password field empty. Any value entered is ignored for this purpose.

LAPS accounts have the same remote task execution requirements (WinRM) as any other account type, so be sure they are members of the target server's local Administrators and/or Remote Management Users group. UAC may need to be disabled on the target server for the LAPS account to execute remote tasks successfully.

Windows LAPS Accounts

12Port can use a Windows LAPS local account with Windows Host assets. The asset's authentication method takes the Host and a LAPS Username; no Password is required. To create an asset that uses a Windows LAPS account, use the following for guidance:

  1. Host: Define the Host of the supported target Windows asset where the LAPS account can be used for connection and execution of remote tasks. Hostname must be defined as the domain computer name, not by its IP address, as the LAPS password is stored in Active Directory under this Computer-Object.
  2. Username: Define the LAPS account in the following format: WIN-LAPS :: AD-Configuration-Name :: LAPS-Name
    • WIN-LAPS instructs 12Port to use the temporary Windows LAPS password instead of any value supplied in the Password field.
    • :: is used as a separator in the Username string. Note that there is a single leading space character, followed by two colon characters, followed by a single trailing space character.
    • AD-Configuration-Name defines the Active Directory configuration 12Port will connect with to retrieve the LAPS account password. The AD Configuration Name is the one defined in the Name parameter on the Active Directory Configuration page. Note that by default, LAPS passwords can only be read by Active Directory accounts that have been specifically configured to allow it. This connection may have its Direct Login disabled.
    • :: is used as a separator in the Username string. Note that there is a single leading space character, followed by two colon characters, followed by a single trailing space character.
    • LAPS-Name is the name of the Windows LAPS account, in local format like ComputerName\LAPS-Name.
  3. Password: leave the Password field empty. Any value entered is ignored for this purpose.

LAPS accounts have the same remote task execution requirements (WinRM) as any other account type, so be sure they are members of the target server's local Administrators and/or Remote Management Users group. UAC may need to be disabled on the target server for the LAPS account to execute remote tasks successfully.

Note

Windows LAPS optionally supports storing encrypted passwords. 12Port does not currently support the retrieval and decryption of these LAPS encrypted passwords. Please contact Support for more information if you are using Windows LAPS encrypted passwords.
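The following PowerShell function is an added example, not 12Port's own code, for checking an asset's prerequisites before it is created. It takes the Username string exactly as it would be entered on the asset (for either the Microsoft LAPS or the Windows LAPS section above) and verifies the three conditions this page describes: the " :: " separator format, that the AD integration's Service User can read the relevant attribute (ms-Mcs-AdmPwd or msLAPS-Password) on the computer object, and, for Windows LAPS, that the password is not stored only in encrypted form (which 12Port does not currently support). It assumes the RSAT ActiveDirectory module is installed; the function name, its parameters, and the sample values SRV01, CorpAD and LapsAdmin are this example's own placeholders, and the credential passed as -ServiceCred is that of the Service User. The function never outputs the password itself.

```powershell
function Test-LapsAssetPrerequisites {
    # Added example (not 12Port's code). Validates a 12Port LAPS Username string
    # and checks that the AD Service User can read the LAPS attribute for the host.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,       # domain computer name, not an IP
        [Parameter(Mandatory)][string]$Username,           # e.g. 'WIN-LAPS :: CorpAD :: LapsAdmin'
        [Parameter(Mandatory)][pscredential]$ServiceCred   # the AD integration's Service User
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # The page requires the domain computer name: the LAPS password lives on the
    # computer object in AD, so an IP address cannot be resolved to it.
    if ($ComputerName -as [ipaddress]) {
        throw "Host '$ComputerName' looks like an IP address; use the domain computer name."
    }

    # Separator is exactly space, colon, colon, space. Splitting on the literal
    # ' :: ' must yield three parts; anything else is a formatting mistake.
    if ($Username -ne $Username.Trim()) {
        throw "Username has leading or trailing whitespace."
    }
    $parts = $Username -split ' :: '
    if ($parts.Count -ne 3) {
        $hint = if ($Username -match '::') { " Check that each '::' has one space on both sides." } else { '' }
        throw "Username must be 'PREFIX :: AD-Configuration-Name :: LAPS-Name' (got $($parts.Count) part(s)).$hint"
    }
    $prefix, $adConfig, $lapsName = $parts
    if ([string]::IsNullOrWhiteSpace($adConfig) -or [string]::IsNullOrWhiteSpace($lapsName)) {
        throw "AD-Configuration-Name and LAPS-Name must both be non-empty."
    }

    # The prefix selects which AD attribute 12Port reads.
    $attr = switch ($prefix) {
        'MS-LAPS'  { 'ms-Mcs-AdmPwd' }
        'WIN-LAPS' { 'msLAPS-Password' }
        default    { throw "Unknown prefix '$prefix'; expected MS-LAPS or WIN-LAPS." }
    }

    # Query AD as the Service User. If the account lacks Read on the attribute,
    # AD simply omits it from the result rather than raising an error, so an
    # empty value is the signal that the permission (or a LAPS password) is missing.
    $props = @($attr)
    if ($prefix -eq 'WIN-LAPS') { $props += 'msLAPS-EncryptedPassword' }
    $comp = Get-ADComputer -Identity $ComputerName -Properties $props -Credential $ServiceCred -ErrorAction Stop

    $readable = -not [string]::IsNullOrEmpty($comp.$attr)
    $encryptedOnly = $false
    if ($prefix -eq 'WIN-LAPS' -and -not $readable -and $comp.'msLAPS-EncryptedPassword') {
        # Password is present only in encrypted form; 12Port cannot retrieve it.
        $encryptedOnly = $true
    }

    if ($encryptedOnly) {
        Write-Warning "$ComputerName stores only an encrypted Windows LAPS password; 12Port does not support this."
    } elseif (-not $readable) {
        Write-Warning "Service User cannot read $attr on $ComputerName (missing Read permission, or no LAPS password set yet)."
    }

    # Remote tasks still need WinRM on the target, as for any other account type.
    $winrm = [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    if (-not $winrm) { Write-Warning "WinRM on $ComputerName did not answer; remote task execution will fail." }

    [pscustomobject]@{
        Host           = $ComputerName
        Prefix         = $prefix
        AdConfigName   = $adConfig
        LapsName       = $lapsName
        Attribute      = $attr
        PasswordReadable = $readable
        EncryptedOnly  = $encryptedOnly
        WinRmReachable = $winrm
    }
}

# Usage (placeholder values): run as an admin with RSAT, supplying the Service User's credential.
Test-LapsAssetPrerequisites -ComputerName 'SRV01' -Username 'WIN-LAPS :: CorpAD :: LapsAdmin' -ServiceCred (Get-Credential)
```

A PasswordReadable value of False with EncryptedOnly False points at the permission described in the Note above (Read on ms-Mcs-AdmPwd or msLAPS-Password for the Service User); EncryptedOnly True means the host is using the encrypted-password option this page says is not yet supported, and WinRmReachable False means the asset will fail at task execution regardless of the LAPS setup.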

LAPS Account Asset Example