Why this module exists. Before LAPS, the canonical AD post-exploitation move was: dump the local Administrator hash from any workstation, then Pass-the-Hash to every other workstation in the estate. LAPS killed that move by giving each machine an independent local Administrator password. But LAPS adoption is incomplete in Indian enterprises (typically 60-80% coverage in audits), and the ACLs around the LAPS attribute are routinely misconfigured. This module is the practical guide.
What LAPS actually is — two generations
“LAPS” today means two related but distinct products:
- Legacy LAPS (originally released 2015): client-side .msi installed on each managed machine; the password is stored in clear text in the ms-Mcs-AdmPwd attribute on the computer object. ACLs on that attribute control who can read it.
- Windows LAPS (built into Windows 10/11 and Server 2019+ since the April 2023 KB): client-side functionality baked into the OS; the password is stored encrypted (DPAPI-NG with a designated decryptor) in msLAPS-EncryptedPassword, optionally with password history in msLAPS-EncryptedPasswordHistory.
Many estates run a hybrid for ~2 years during migration. Hybrid estates are the highest-risk because admins forget that the legacy attributes still exist on older machines.
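As an added example (not code from the original module), the following PowerShell audit reports, per computer in an OU, whether the legacy or Windows LAPS attributes are populated, and which principals hold the control-access right needed to read the clear-text ms-Mcs-AdmPwd attribute. It assumes the RSAT ActiveDirectory module, that both schema extensions exist (a hybrid estate), and a placeholder OU DN; it reads attribute presence and ACLs only, never password values.

```powershell
# Added audit example; assumes RSAT ActiveDirectory module and both LAPS schema extensions.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Expiration-time attributes are written only after a client has actually rotated
    # a password, so they are a better coverage signal than schema presence alone.
    # Get-ADComputer errors if a requested attribute is missing from the schema.
    $props = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime', 'OperatingSystem'
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $legacy  = $null -ne $_.'ms-Mcs-AdmPwdExpirationTime'
            $windows = $null -ne $_.'msLAPS-PasswordExpirationTime'
            $state = if ($legacy -and $windows) { 'Hybrid (legacy attribute still set)' }
                     elseif ($windows)         { 'WindowsLAPS' }
                     elseif ($legacy)          { 'LegacyLAPS' }
                     else                      { 'NoLAPS' }
            [pscustomobject]@{ Name = $_.Name; OS = $_.OperatingSystem; State = $state }
        }
}

function Get-LegacyLapsPasswordReaders {
    # ms-Mcs-AdmPwd is a confidential attribute: reading it needs the control-access
    # (ExtendedRight) right on that attribute, "all extended rights", or GenericAll.
    param([Parameter(Mandatory)][string]$OuDn)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' `
                         -Properties schemaIDGUID
    if (-not $attr) { return }                 # legacy schema extension never applied
    $attrGuid = [guid]$attr.schemaIDGUID
    $allProps = [guid]::Empty                  # ObjectType of an ACE that covers everything
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq $allProps) -and
            ($_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

$ou = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU DN; replace with your own
Get-LapsCoverage -SearchBase $ou | Group-Object State | Select-Object Name, Count
Get-LegacyLapsPasswordReaders -OuDn $ou
```

Anything reported as Hybrid or NoLAPS, and any reader beyond the intended helpdesk or tier groups, is a finding for the remediation plan.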