.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Configuring LAPS for Samba-AD
  :keywords: Security, Samba-AD, documentation, LAPS

.. _samba_configure_laps:

#############################
Configuring LAPS for Samba-AD
#############################

:abbr:`LAPS (Local Admin Password Solution)` is a password management solution for Windows machines that are members of an Active Directory domain.

.. note::

   **New Microsoft LAPS is supported natively starting from:**

   * **Windows 10** – Version **22H2** with April 2023 cumulative updates (KB5025221 or later)
   * **Windows 11** – All versions with April 2023 cumulative updates
   * **Windows Server 2019 / 2022 / 2025** – With April 2023 cumulative updates or newer

   No client installation is required anymore: **Microsoft LAPS is built into the OS**, including the PowerShell module.


.. note::

  The following commands are run on the domain controller that holds the *Schema Master* FSMO role (use ``samba-tool fsmo show`` to identify it).

.. attention::

  It is advisable to back up your AD before making schema changes.
  Also note that a schema extension cannot be deleted from Active Directory once it has been added.

* Create an :abbr:`LDIF (LDAP Data Interchange Format)` file named ``laps-1.ldif`` containing the schema extension.
  Replace the base DN ``dc=mydomain,dc=lan`` with the :abbr:`DN (Distinguished Name)` of your domain:

  .. code-block:: ini

    dn: CN=ms-LAPS-PasswordExpirationTime,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-PasswordExpirationTime
    adminDisplayName: msLAPS-PasswordExpirationTime
    adminDescription: Windows LAPS - time when the current password is scheduled to expire (UTC)
    attributeId: 1.2.840.113556.1.6.44.1.1
    attributeSyntax: 2.5.5.16
    omSyntax: 65
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 0
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE

    dn: CN=ms-LAPS-Password,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-Password
    adminDisplayName: msLAPS-Password
    adminDescription: Windows LAPS - current local admin password (JSON string)
    attributeId: 1.2.840.113556.1.6.44.1.2
    attributeSyntax: 2.5.5.5
    omSyntax: 19
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE

    dn: CN=ms-LAPS-EncryptedPassword,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-EncryptedPassword
    adminDisplayName: msLAPS-EncryptedPassword
    adminDescription: Windows LAPS - encrypted current local admin password
    attributeId: 1.2.840.113556.1.6.44.1.3
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605

    dn: CN=ms-LAPS-EncryptedPasswordHistory,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-EncryptedPasswordHistory
    adminDisplayName: msLAPS-EncryptedPasswordHistory
    adminDescription: Windows LAPS - encrypted local admin password history
    attributeId: 1.2.840.113556.1.6.44.1.4
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: FALSE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605

    dn: CN=ms-LAPS-EncryptedDSRMPassword,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-EncryptedDSRMPassword
    adminDisplayName: msLAPS-EncryptedDSRMPassword
    adminDescription: Windows LAPS - encrypted DSRM password
    attributeId: 1.2.840.113556.1.6.44.1.5
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605

    dn: CN=ms-LAPS-EncryptedDSRMPasswordHistory,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-EncryptedDSRMPasswordHistory
    adminDisplayName: msLAPS-EncryptedDSRMPasswordHistory
    adminDescription: Windows LAPS - encrypted DSRM password history
    attributeId: 1.2.840.113556.1.6.44.1.6
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: FALSE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605

    dn: CN=ms-LAPS-CurrentPasswordVersion,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: attributeSchema
    ldapDisplayName: msLAPS-CurrentPasswordVersion
    adminDisplayName: msLAPS-CurrentPasswordVersion
    adminDescription: Windows LAPS - GUID of most recent persisted password
    attributeId: 1.2.840.113556.1.6.44.1.7
    attributeSyntax: 2.5.5.10
    omSyntax: 4
    isSingleValued: TRUE
    systemOnly: FALSE
    searchFlags: 904
    isMemberOfPartialAttributeSet: FALSE
    showInAdvancedViewOnly: FALSE
    rangeLower: 16
    rangeUpper: 16
    attributeSecurityGUID: f3531ec6-6330-4f8e-8d39-7a671fbac605

    dn: CN=ms-LAPS-Encrypted-Password-Attributes,CN=Extended-Rights,CN=Configuration,DC=mydomain,DC=lan
    changetype: add
    objectClass: controlAccessRight
    cn: ms-LAPS-Encrypted-Password-Attributes
    displayName: ms-LAPS-Encrypted-Password-Attributes
    rightsGuid: f3531ec6-6330-4f8e-8d39-7a671fbac605
    validAccesses: 48
    description: Windows LAPS - extended right for encrypted password attributes

* Create a file ``laps-2.ldif``:

  .. code-block:: ini

    dn: CN=Computer,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
    changetype: modify
    add: mayContain
    mayContain: msLAPS-PasswordExpirationTime
    mayContain: msLAPS-Password
    mayContain: msLAPS-EncryptedPassword
    mayContain: msLAPS-EncryptedPasswordHistory
    mayContain: msLAPS-EncryptedDSRMPassword
    mayContain: msLAPS-EncryptedDSRMPasswordHistory
    mayContain: msLAPS-CurrentPasswordVersion

* Import the two :file:`ldif` files (this is done in two steps so that the new attributes are committed before the *Computer* class is modified to reference them):

  .. code-block:: bash

    ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-1.ldif
    ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed"=true laps-2.ldif

* Restart Samba-AD:

  .. code-block:: bash

    systemctl restart samba
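
Before running the two ``ldbadd``/``ldbmodify`` commands it is worth checking that the files are consistent with each other. The Python script below is an added example (not Samba tooling): it parses the LDIF, checks that every ``mayContain`` entry in ``laps-2.ldif`` is defined in ``laps-1.ldif``, and checks that every password-bearing attribute carries the ``CONFIDENTIAL`` searchFlags bit (0x80, included in the value 904 used above), which is what stops ordinary authenticated users from reading the attribute over LDAP; the embedded sample is constructed with two deliberate mistakes.

```python
import re  # added example (not Samba tooling): lint the two LAPS LDIF files before import

CONFIDENTIAL = 0x80  # searchFlags bit; the value 904 (0x388) used above includes it
# Attribute names whose value is password material and must therefore be CONFIDENTIAL.
SECRET_NAME = re.compile(r"Password(History|Version)?$")


def parse_ldif(text):
    """Split LDIF text into records ({attr: [values]}), one per blank-line separated block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                key, _, val = line.partition(":")
                rec.setdefault(key.strip(), []).append(val.strip())
        records.append(rec)
    return records


def check_laps_schema(laps1, laps2):
    """Return a list of problems; an empty list means the two files are consistent."""
    problems = []
    defined = {r["ldapDisplayName"][0]: r for r in parse_ldif(laps1)
               if "attributeSchema" in r.get("objectClass", [])}
    for rec in parse_ldif(laps2):                       # every mayContain must be defined
        for name in rec.get("mayContain", []):
            if name not in defined:
                problems.append(f"{name}: in mayContain but not defined in laps-1.ldif")
    for name, rec in defined.items():                   # secrets must not be world-readable
        flags = int(rec.get("searchFlags", ["0"])[0])
        if SECRET_NAME.search(name) and not flags & CONFIDENTIAL:
            problems.append(f"{name}: password attribute without CONFIDENTIAL searchFlags bit")
    return problems


# Constructed sample with two deliberate mistakes (searchFlags 0 on msLAPS-Password and a
# mayContain entry with no definition); pass the real laps-1.ldif/laps-2.ldif contents instead.
LAPS1 = """dn: CN=ms-LAPS-Password,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
changetype: add
objectClass: attributeSchema
ldapDisplayName: msLAPS-Password
searchFlags: 0
"""
LAPS2 = """dn: CN=Computer,CN=Schema,CN=Configuration,DC=mydomain,DC=lan
changetype: modify
add: mayContain
mayContain: msLAPS-Password
mayContain: msLAPS-PasswordExpirationTime
"""
```

Run ``check_laps_schema(open("laps-1.ldif").read(), open("laps-2.ldif").read())`` against your real files; anything it returns should be fixed before the import, since the schema change cannot be undone.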

****************************************************************
Changing administration rights for the correct operation of LAPS
****************************************************************

.. note::

  The commands below assume you are running on a Windows system that **already supports the New Microsoft LAPS**.
  No additional client installation is required: **LAPS is now built directly into Windows 10/11 and Windows Server 2019/2022/2025**, and the PowerShell module ships with the OS.

* Unlike *Legacy LAPS*, **there is nothing to install locally anymore**.
  The service, Group Policy settings, and the **LAPS** PowerShell module are included natively starting with the **April 2023 updates (KB5025221 and later)**.

* To confirm that the module is available, run:

  .. code-block:: powershell

    Get-Command -Module LAPS
    Import-Module LAPS

* In a PowerShell session with *Domain Admin* rights, run the following command to grant the computers in the OU the right to update their own *Administrator* password:

  .. code-block:: powershell

    Set-LapsADComputerSelfPermission -Identity "ou=machines,dc=mydomain,dc=lan"

* Grant read rights to the administrator groups that are allowed to view the password:

  .. code-block:: powershell

    Set-LapsADReadPasswordPermission -Identity "ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals "mydomain\HelpDesk"

* Grant the administrator groups the right to reset the password expiration time, which forces a first password change on the user workstation:

  .. code-block:: powershell

    Set-LapsADResetPasswordPermission -Identity "ou=machines,dc=mydomain,dc=lan" -AllowedPrincipals "mydomain\HelpDesk"

.. hint::

  To view the rights on an :abbr:`OU (Organizational Unit)`, you can use the following command:

  .. code-block:: powershell

    Find-LapsADExtendedRights -Identity "ou=machines,dc=mydomain,dc=lan" | Format-Table

***********************************
Configuring the LAPS deployment GPO
***********************************

.. note::

   If you are using the **PolicyDefinitions** central store on your Active Directory **Sysvol** share, you may have to copy the ``LAPS.admx`` and ``en-US\LAPS.adml`` files that ship with Windows into it.

* In the Group Policy Management console, create a LAPS GPO (``Computer Configuration -> Policies -> Administrative Templates -> System -> LAPS``).

.. attention::

    The **Enable password encryption** option must be set to **Disabled**.
    Password encryption is not supported in the current Samba AD implementation, and enabling it will prevent LAPS from functioning correctly.

* You should also ensure that **Configure password backup directory** is set to **Active Directory** for proper operation.

* Then configure the **Password Settings** according to your requirements.

* To finish the configuration, set **Configure automatic account management** depending on which account you want LAPS to handle:

  * Choose **"Manage the built-in administrator account"** if you want LAPS to manage the default local Administrator (the account with *Well-Known RID* **500**).
  * Choose **"Manage a custom administrator account"** if you use another local admin account.


****************************************
Validating that LAPS is working properly
****************************************

* On a user workstation located in the :abbr:`OU (Organizational Unit)` to which the LAPS GPO is linked, apply the policy with ``gpupdate /force``;

* In the :abbr:`ADUC (Active Directory Users and Computers)` console, enable the advanced features and check that the attributes ``msLAPS-Password`` and ``msLAPS-PasswordExpirationTime`` of the computer object are populated;

* Still in **Active Directory Users and Computers**, open the computer object's properties, then the **LAPS** tab, and verify that the password value can be retrieved.
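
Samba administrators can perform the same check from the DC with ``ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=WS01$)' msLAPS-Password msLAPS-PasswordExpirationTime`` (note that local root access to ``sam.ldb`` bypasses the AD ACLs, including the confidential-attribute protection). The Python below is an added example, not Samba or LAPS-module code: given the two attribute values as ldbsearch prints them, it decodes the Windows LAPS JSON (``n`` account name, ``t`` update time as a hex FILETIME, ``p`` password) and the expiration LargeInteger, and reports whether the machine is managed and whether the password is overdue for rotation, without exposing the password. ``WS01`` and the sample values are constructed.

```python
import json  # added example, not Samba or LAPS-module code: summarise a computer object's LAPS state
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def laps_status(attrs, now=None):
    """Report whether LAPS populated the object and whether the password is due; never the password.

    attrs maps attribute names to the string values printed by ldbsearch for one computer object.
    """
    if "msLAPS-Password" not in attrs or "msLAPS-PasswordExpirationTime" not in attrs:
        return {"host": attrs.get("sAMAccountName"), "managed": False}
    # Windows LAPS stores a JSON string: n = account name, t = hex FILETIME of the update, p = password.
    blob = json.loads(attrs["msLAPS-Password"])
    expires = filetime_to_utc(attrs["msLAPS-PasswordExpirationTime"])  # LargeInteger FILETIME
    return {
        "host": attrs.get("sAMAccountName"),
        "managed": True,
        "account": blob["n"],
        "password_length": len(blob["p"]),
        "rotated_at": filetime_to_utc(int(blob["t"], 16)),
        "expires_at": expires,
        "expired": expires <= (now or datetime.now(timezone.utc)),
    }


# Constructed values for a hypothetical workstation WS01, as ldbsearch would print them
# for the computer object; the password is a placeholder.
SAMPLE = {
    "sAMAccountName": "WS01$",
    "msLAPS-PasswordExpirationTime": "133576992000000000",
    "msLAPS-Password": '{"n":"Administrator","t":"1da77fe0deec000","p":"PLACEHOLDER-PASSWORD"}',
}
```

A ``managed: False`` result after ``gpupdate /force`` usually means the computer is outside the OU the GPO is linked to, or that the self-permission from ``Set-LapsADComputerSelfPermission`` was not applied.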