When the Local Administrator Password Solution (LAPS) fails

Managing local Administrator passwords has notoriously been a headache, though the Microsoft Local Administrator Password Solution was designed to make the management of these passwords a lot less painful.

One of the quirks of the solution, is that is stores each local Administrator password in the computer’s Active Directory object under the ms-mcs-admpwd attribute in plain text.  The attribute is then locked down using ACLs – which is important, because, by default, all Domain Users can read all attributes.

More info here:



Where LAPS can fail, is if the ACL does not get set correctly (for whatever reason). The attribute that holds the password is then open for *anyone* to read.

Recently, using a standard Domain User account, I simply searched for any computer object where the ms-mcs-admpwd attribute is not null (hence, readable), and revealed that some local Administrator passwords were unsecured, and in plain text for all to see.

I haven’t yet looked into how this happened, but I found more than one password clearly visible (obfuscated here, obviously):


So, if you have LAPS deployed, then I would highly recommend that you run a regularly scheduled check with a standard domain user account.

If this returns 0 results, then you’re good.


3 Comments When the Local Administrator Password Solution (LAPS) fails

  1. Matt Hitchcock


    Do you have the permissions set correctly as per the public implementation guide and you are not a member of Domain Admins etc.?

    1. Kamal

      This was on Infrastructure that I didn’t build, myself, so I’m not sure how it came to be this way. It’s obviously fixed now – though a little concerning that I could walk into “company X” with a standard Domain User account and find these passwords open for all to see. There were 2 passwords visible, out of around 400 server/computer objects with LAPS.
      Very, very odd.

  2. Mateusz

    Check who was an owner of AD computer object. Owners can read all attributes by default.
    Also if You delegate adding computers to an scm / wds account – by default it will have rights to see all passwords od created computers as well.


Leave a Reply

Your email address will not be published. Required fields are marked *