How to Update the Windows Server Active Directory Schema for the Latest Version of Windows LAPS

Microsoft has recently released a new version of Windows LAPS, making it even easier for organizations to manage local administrator passwords for their workstations and servers. With this update, you no longer need to download and install LAPS separately. Instead, the latest version comes integrated with the most recent Windows updates. In this blog post, we will guide you through the process of updating the Windows Server Active Directory schema to accommodate the latest version of Windows LAPS.
New Windows LAPS Schema Attributes

Step 1: Install the latest updates on your servers and workstations
To begin, ensure that your servers and workstations are running the latest Windows updates. You can do this through Windows Update or by using your organization's update management system.
Step 2: Confirm LAPS PowerShell module installation
Next, verify that the LAPS PowerShell module is installed. To do this, follow these steps:
- Open PowerShell with administrative privileges
- In the PowerShell window, enter the following command (-ListAvailable lists installed modules, not only those already imported into the current session):
Get-Module -Name LAPS -ListAvailable
If the LAPS PowerShell module is installed, you will see the module details.

Step 3: Update the Active Directory schema
With the LAPS PowerShell module installed, you can now update the Active Directory schema using the following command:
Update-LapsADSchema -Verbose
Step 4: Verify the schema update
To confirm that the schema update was successful, enter the following command in the PowerShell window:
Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter * -Properties lDAPDisplayName | Where-Object { $PSITEM.lDAPDisplayName -eq "msLAPS-Password" -or $PSITEM.lDAPDisplayName -eq "msLAPS-EncryptedPassword" -or $PSITEM.lDAPDisplayName -eq "msLAPS-EncryptedPasswordHistory" -or $PSITEM.lDAPDisplayName -eq "msLAPS-EncryptedDSRMPassword" -or $PSITEM.lDAPDisplayName -eq "msLAPS-EncryptedDSRMPasswordHistory" -or $PSITEM.lDAPDisplayName -eq "msLAPS-PasswordExpirationTime"}
If the schema update was successful, you should see the LAPS schema attributes in the output.
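The check in Step 4 can also be scripted so that it reports exactly which attributes are missing, using a single server-side LDAP filter instead of pulling every schema object to the client. This is an added example, not part of the original post; the function name Test-LapsSchemaAttributes is hypothetical, and the attribute names are the six listed in Step 4.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). Run from a session that can read the schema partition.

function Test-LapsSchemaAttributes {
    [CmdletBinding()]
    param(
        # Attribute names taken from Step 4 of this post
        [string[]]$Expected = @(
            'msLAPS-Password',
            'msLAPS-EncryptedPassword',
            'msLAPS-EncryptedPasswordHistory',
            'msLAPS-EncryptedDSRMPassword',
            'msLAPS-EncryptedDSRMPasswordHistory',
            'msLAPS-PasswordExpirationTime'
        )
    )

    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # Build one OR filter so the domain controller returns only the matching attributeSchema objects
    $clauses = ($Expected | ForEach-Object { "(lDAPDisplayName=$_)" }) -join ''
    $filter  = "(&(objectClass=attributeSchema)(|$clauses))"

    $found = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
                            -Properties lDAPDisplayName, whenCreated)

    # Emit one row per expected attribute, including the ones that were not found
    foreach ($name in $Expected) {
        $hit = $found | Where-Object { $_.lDAPDisplayName -eq $name }
        [pscustomobject]@{
            Attribute   = $name
            Present     = [bool]$hit
            WhenCreated = if ($hit) { $hit.whenCreated } else { $null }
        }
    }
}

$result  = Test-LapsSchemaAttributes
$missing = @($result | Where-Object { -not $_.Present })
$result | Format-Table -AutoSize

if ($missing.Count -gt 0) {
    Write-Warning ("Schema is missing: " + ($missing.Attribute -join ', '))
} else {
    Write-Output 'All expected Windows LAPS schema attributes are present.'
}
```

The WhenCreated column shows when each attribute was added to the schema, which is useful for matching the extension against your change record.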

Here is the output from the Update-LapsADSchema PowerShell command:




Conclusion
Once you have successfully updated the schema, you can proceed with configuring and deploying LAPS throughout your organization. The latest version of Windows LAPS simplifies the process and provides an efficient way to manage local administrator passwords, ensuring a secure and well-organized IT environment.