Version: 1.0
Date: 2025-04-03
Audience: IT Helpdesk Technicians
TABLE OF CONTENTS
- Introduction
- Prerequisites
- Required Tools
- Installation Procedure
- Verification
- How to View a LAPS Password
- Troubleshooting Common Issues
- Security Considerations
- Support
Introduction
Our organization is implementing the modern Windows Local Administrator Password Solution (LAPS). This security feature automatically manages and backs up the password for the built-in local administrator account on domain-joined Windows computers to Active Directory.
This document outlines the steps required on your own Helpdesk workstation to install the necessary management tools. These tools will allow you to view the LAPS-managed password for a specific computer when required for troubleshooting or administrative tasks, provided you have been granted the appropriate permissions.
IMPORTANT: This guide covers the tools for the new, built-in Windows LAPS, integrated with recent versions of Windows 10/11 and Windows Server. It does not apply to the older, legacy LAPS which required a separate MSI installation.
Prerequisites
Before you begin the installation, please ensure the following conditions are met:
- Your Workstation OS: You must be using a supported version of Windows 10 or Windows 11 (Pro, Enterprise, or Education editions).
- Windows 11 23H2 and later
- Windows 11 22H2 - April 11 2023 Update and later
- Windows 11 21H2 - April 11 2023 Update and later
- Windows 10 - April 11 2023 Update and later
- Administrative Rights: You need local administrator privileges on your own workstation to install Windows features.
- Domain Membership: Your workstation must be joined to the dktire.com domain.
- Permissions: The Infrastructure team must have already granted your user account (or a group you belong to) the necessary permissions in Active Directory to read the LAPS password attributes on the target computer objects or the Organizational Unit (OU) they reside in. Installing the tools without having the correct permissions will NOT allow you to see the passwords.
- LAPS Deployment: The Windows LAPS policy must already be configured and deployed to the target endpoints by the responsible IT team (e.g., Server/AD Administrators). You are only installing the viewing tools.
Required Tools
To view Windows LAPS passwords stored in Active Directory, you primarily need the Remote Server Administration Tools (RSAT), specifically the "Active Directory Domain Services Tools". These tools include:
- Active Directory Users and Computers (ADUC) snap-in: The latest versions include a built-in "LAPS" tab within the computer object properties window.
- Windows LAPS PowerShell Module: This module contains cmdlets like Get-LapsADPassword which allow retrieving passwords via script or the command line.
IMPORTANT: If you already have an old version of the RSAT tools installed, do not assume it will work with the new Windows Local Administrator Password Solution. It will not. The tools must be from the Windows 10 April 11 2023 Update SDK or later. In earlier versions of RSAT, the LAPS tab in ADUC will be missing.
Installation Procedure
You can install the necessary RSAT components using either the Windows Settings GUI or PowerShell. Please choose one method.
Method A: Using Windows Settings (GUI)
- Open Settings: Right-click the Start button and select "Settings".
- Navigate to Optional Features:
- Windows 11: Go to System -> Optional features.
- Windows 10: Go to Apps -> Apps & features -> Optional features.
- Add a Feature:
- Windows 11: Click the "View features" button next to "Add an optional feature".
- Windows 10: Click "Add a feature".
- Search and Select: In the search box that appears, type RSAT. Find and place a checkmark next to "RSAT: Active Directory Domain Services and Lightweight Directory Services Tools".
- Install: Click "Next" (if applicable on your Windows version) and then click "Install".
- Wait: The feature will download and install. This process may take several minutes depending on your internet connection.
- Reboot (Recommended): Although not always strictly required, restarting your computer after the installation completes is highly recommended to ensure all tools are properly registered and available.
Method B: Using PowerShell (Command Line)
- Open PowerShell as Administrator: Right-click the Start button, select "Windows PowerShell (Admin)" or "Windows Terminal (Admin)". Accept the User Account Control (UAC) prompt if it appears.
- Run Installation Command: Copy and paste the following command exactly into the PowerShell window and press Enter:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
- Wait: The command will execute, downloading and installing the feature. You will see a progress bar in the PowerShell window. This may take several minutes.
- Verify Installation (Optional): After the command completes, you can check if the feature is installed by running:
Get-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 | Select-Object -Property Name, State
The State should show as Installed.
- Reboot (Recommended): Restart your computer to ensure the tools are fully integrated and ready for use.
Verification
After installation and rebooting your workstation, perform these checks to confirm the tools are ready:
- Check ADUC:
- Open "Active Directory Users and Computers". You can do this by typing dsa.msc in the Start menu search or Run dialog (Win+R) and pressing Enter.
- Navigate to the "Computers" Organizational Unit (OU).
- Find a specific computer object within that OU, right-click it, and choose "Properties".
- Look for a "LAPS" tab in the Properties window. If this tab exists, the ADUC component has been installed correctly. (Note: You will only see the actual password here if you have the necessary AD permissions).
- Check PowerShell Module:
- Open a standard (non-Admin) PowerShell window.
- Run the command:
Get-Command -Module LAPS
- You should see several commands listed, importantly including Get-LapsADPassword. This confirms the LAPS PowerShell module is available.
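The checks above can be collected into a single report. The following is an added example, not part of the original procedure; the function name Test-LapsToolReadiness is hypothetical, and the RSAT capability state is only queried when the session is elevated, because Get-WindowsCapability -Online requires it.

```powershell
# Added example: one-shot readiness report for the LAPS viewing tools.
function Test-LapsToolReadiness {
    [CmdletBinding()]
    param(
        [string] $ExpectedDomain = 'dktire.com',
        [string] $CapabilityName = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
    )
    $report = [ordered]@{}

    # Is this session elevated? Needed for the capability query below.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Prerequisite: workstation joined to the expected domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $report['DomainJoined'] = $cs.PartOfDomain -and ($cs.Domain -eq $ExpectedDomain)

    # RSAT AD DS tools capability; left as $null when not elevated.
    if ($elevated) {
        $cap = Get-WindowsCapability -Online -Name $CapabilityName
        $report['RsatInstalled'] = ($cap.State -eq 'Installed')
    } else {
        $report['RsatInstalled'] = $null
    }

    # ADUC console file and the LAPS PowerShell module with its key cmdlet.
    $report['AducPresent'] = Test-Path (Join-Path $env:SystemRoot 'System32\dsa.msc')
    $report['LapsModule']  = [bool](Get-Module -ListAvailable -Name LAPS)
    $report['GetLapsADPassword'] =
        [bool](Get-Command -Name Get-LapsADPassword -ErrorAction SilentlyContinue)

    [pscustomobject] $report
}

Test-LapsToolReadiness | Format-List
```

The report does not confirm that the "LAPS" tab is present in ADUC or that your account has read permission; those are still checked as described above.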
How to View a LAPS Password
Once the tools are installed and you have confirmed you have the necessary permissions from the AD team, you can view passwords using these methods:
Method A: Using Active Directory Users and Computers (ADUC)
- Open ADUC (dsa.msc).
- Navigate to and locate the computer object for which you need the local administrator password.
- Right-click the computer object and select "Properties".
- Click on the "LAPS" tab.
- The current "Password" and its "Password Expiration Time" will be displayed.
- Security Note: Treat this password with extreme care. Copy it securely (e.g., directly into a connection prompt or password manager) and avoid storing it insecurely (like in plain text files or emails).
Method B: Using PowerShell
- Open Windows PowerShell (does not need to be run as Administrator for viewing).
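- Run the following command, replacing "TargetComputerName" with the actual hostname (NetBIOS name) of the computer you need the password for. The -AsPlainText switch is needed to display the password as readable text; without it, the cmdlet returns the password as a SecureString:
Get-LapsADPassword -Identity "TargetComputerName" -AsPlainText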
- If you have the correct permissions, the command will output the Password and PasswordExpirationTimestamp.
- Example Output:
Password PasswordExpirationTimestamp
-------- ---------------------------
P@$$wOrd!Complex789 4/10/2025 3:29:00 PM
- Security Note: Handle the retrieved password securely, as mentioned above.
Troubleshooting Common Issues
- "LAPS" Tab is Missing in ADUC Properties:
- Cause: RSAT AD DS Tools may not be installed correctly, or the installation requires a reboot.
- Solution: Verify the feature shows as "Installed" using the methods in Section 5. Reboot your workstation if you haven't already. Ensure you installed "RSAT: Active Directory Domain Services..." and not a different RSAT component. If you had very old RSAT tools previously, consider uninstalling them fully and reinstalling the current version.
- Get-LapsADPassword Cmdlet Not Found in PowerShell:
- Cause: The LAPS PowerShell module didn't register correctly, or the RSAT tools aren't fully installed.
- Solution: Ensure the RSAT AD DS Tools feature installed successfully. Try running:
Import-Module LAPS -Force
- Reboot your workstation.
- Cannot See Password / Access Denied / Password Field is Blank:
- Cause: This is almost always a permissions issue within Active Directory. The tools are installed correctly, but your user account has not been granted the specific permission (ms-LAPS-ReadPassword or similar, depending on configuration) to read the LAPS password attribute for that computer object or its parent OU.
- Solution: Do not attempt to modify permissions yourself. Contact the Infrastructure team to verify and, if appropriate, grant the necessary permissions to your account or a group you are in.
- Retrieved Password Doesn't Work:
- Cause: Could be several things: targeting the wrong computer, password rotation occurred after retrieval, the device was restored from a backup/snapshot, or LAPS isn't functioning correctly on the target endpoint.
- Solution:
- Double-check you are targeting the correct computer name.
- Retrieve the current password again using ADUC or PowerShell to ensure you have the absolute latest one. Try this password first:
Get-LapsADPassword -Identity "ComputerName" -AsPlainText
- If the current password fails, and you know the device may have been recently restored from a snapshot or backup: Our environment has LAPS password history enabled. Try retrieving the previous password using PowerShell. Run the following command, replacing "TargetComputerName":
Get-LapsADPassword -Identity "TargetComputerName" -IncludeHistory -AsPlainText
This command returns the current password together with the stored previous passwords. Take the most recent previous password (the history entry with the latest PasswordUpdateTime) and try logging in with it.
- If neither the current nor the previous password works, the issue may lie with the LAPS client on the target machine (e.g., it cannot reach a Domain Controller to update/verify its password). Escalate the incident for further investigation on the target device.
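When a device was restored from a snapshot, the password that works is the one that was current at the restore point. The following added example (not part of the original procedure) marks that entry by timestamp without displaying any password; the function name Select-LapsEntryAtTime, the sample host name and the sample dates are constructed for illustration.

```powershell
# Added example: find which LAPS entry was in effect at a restore point.
function Select-LapsEntryAtTime {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Entry,
        [Parameter(Mandatory)] [datetime] $RestorePoint
    )
    begin   { $entries = [System.Collections.Generic.List[psobject]]::new() }
    process { $entries.Add($Entry) }
    end {
        $sorted = $entries | Sort-Object PasswordUpdateTime
        # The entry in effect is the last one set at or before the restore point.
        $match = $sorted |
            Where-Object { $_.PasswordUpdateTime -le $RestorePoint } |
            Select-Object -Last 1
        foreach ($e in $sorted) {
            [pscustomobject]@{
                ComputerName        = $e.ComputerName
                PasswordUpdateTime  = $e.PasswordUpdateTime
                ExpirationTimestamp = $e.ExpirationTimestamp
                Source              = $e.Source
                InEffectAtRestore   = ($null -ne $match) -and
                    ($e.PasswordUpdateTime -eq $match.PasswordUpdateTime)
            }
        }
    }
}

# Constructed sample entries shaped like Get-LapsADPassword -IncludeHistory output.
$sample = @(
    [pscustomobject]@{ ComputerName = 'PC-EXAMPLE01'; Source = 'EncryptedPasswordHistory'
        PasswordUpdateTime  = [datetime]'2025-03-01T09:00:00'
        ExpirationTimestamp = [datetime]'2025-03-31T09:00:00' }
    [pscustomobject]@{ ComputerName = 'PC-EXAMPLE01'; Source = 'EncryptedPassword'
        PasswordUpdateTime  = [datetime]'2025-03-25T14:30:00'
        ExpirationTimestamp = [datetime]'2025-04-24T14:30:00' }
)
$sample | Select-LapsEntryAtTime -RestorePoint ([datetime]'2025-03-20T12:00:00')

# Live use: -AsPlainText is omitted, so Password stays a SecureString.
# Get-LapsADPassword -Identity 'TargetComputerName' -IncludeHistory |
#     Select-LapsEntryAtTime -RestorePoint (Get-Date '2025-03-20 12:00')
```

With the sample data, the entry set on 2025-03-01 is marked InEffectAtRestore; retrieve that specific password afterwards with -AsPlainText only when you are ready to use it.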
Security Considerations
- Confidentiality: The local administrator password grants significant privileges. Treat it as highly sensitive information.
- Need-to-Know Basis: Only retrieve a LAPS password when it is essential for a specific, authorized administrative or troubleshooting task.
- Secure Handling: Never write down retrieved passwords on paper, send them via email/chat, or store them in unsecured locations. Use them immediately for the task at hand.
- Auditing: Be aware that viewing LAPS passwords is an audited action by default.
Support
- For issues installing the RSAT tools on your workstation, contact the Infrastructure team.
- For issues related to permissions (i.e., you have the tools installed but cannot see passwords), contact the Infrastructure team.
- For issues where a retrieved password doesn't work, first try retrieving it again. If problems persist, escalate the incident to the Helpdesk Supervisor.