{"id":341,"date":"2026-04-01T11:18:31","date_gmt":"2026-04-01T10:18:31","guid":{"rendered":"https:\/\/overlaps.co.uk\/docs\/?page_id=341"},"modified":"2026-04-01T11:25:18","modified_gmt":"2026-04-01T10:25:18","slug":"active-directory-permissions-for-overlaps","status":"publish","type":"page","link":"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/installation-and-configuration\/active-directory\/active-directory-permissions-for-overlaps\/","title":{"rendered":"Active Directory Permissions for LAPS"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\" id=\"introduction\">Introduction<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">OVERLAPS requires access to the LAPS attributes in Active Directory in order to function. This guide assumes you are already familiar with the relevant PowerShell scripts provided by Microsoft for managing this and that you have already configured your computer&#8217;s Self permission (so that computers have permission to write their passwords to Active Directory). 
For more information on this, see:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For Legacy LAPS, the <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LAPS_OperationsGuide.docx<\/a><\/li>\n\n\n\n<li>For Windows LAPS, see <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/laps\/laps-management-powershell\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Use Windows LAPS PowerShell cmdlets<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-legacy-laps-permissions\">Microsoft Legacy LAPS Permissions<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In order to view and expire the Legacy LAPS managed Local Administrator passwords, OVERLAPS requires the following permissions in Active Directory on the Organizational Units (containers) in which the managed computers reside:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Read ms-Mcs-AdmPwd\nRead ms-Mcs-AdmPwdExpirationTime\nWrite ms-Mcs-AdmPwdExpirationTime\n<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"legacy-permissions-setup\">Legacy Permissions Setup<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Configuring these permissions manually can lead to unexpected behaviour: ms-Mcs-AdmPwd is a confidential attribute, so a plain Read ACE on it is not enough, and the cmdlets take care of granting the control access right that is actually needed. It is therefore recommended to use the PowerShell module (AdmPwd.PS) that comes with Microsoft LAPS.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As OVERLAPS runs as Local System on the host server by default, you will need the server\u2019s computer account name to proceed unless you are using a designated Service Account (see <a href=\"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/configuration\/settings\/active-directory\/\">Settings &#8211; Active Directory<\/a>). 
This should be the name of the server followed by a dollar sign ($), so if the server is called \u201c<strong>myoverlaps<\/strong>\u201d for example, the computer account name would be \u201c<strong>myoverlaps$<\/strong>\u201d.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Launch PowerShell using an account which has the necessary Active Directory modification permissions.<\/li>\n\n\n\n<li>Import the LAPS management module by typing: <code>Import-Module AdmPwd.PS<\/code><\/li>\n\n\n\n<li>Grant read permission to the Local Administrator password property with the command: <code>Set-AdmPwdReadPasswordPermission -OrgUnit &lt;Distinguished Name of the computer OU&gt; -AllowedPrincipals &lt;Account name&gt;<\/code><\/li>\n\n\n\n<li>Also grant write permission so that you can reset the password expiry time, forcing a reset when LAPS next runs on the client (on a Group Policy update): <code>Set-AdmPwdResetPasswordPermission -OrgUnit &lt;Distinguished Name of the computer OU&gt; -AllowedPrincipals &lt;Account name&gt;<\/code><\/li>\n\n\n\n<li>Restart the OVERLAPS service to make sure it picks up the new permissions.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">If everything went to plan, OVERLAPS will now be able to view and trigger a reset of the Local Administrator passwords. 
<strong>Be aware that, due to AD replication, the permissions may not apply immediately.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-windows-laps-permissions\">Microsoft Windows LAPS Permissions<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The new Windows LAPS (which is designed to completely supersede the old product and is now delivered by default to compatible devices) comes with a new set of extensions to the Active Directory Schema to store the new password details.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"358\" height=\"163\" src=\"https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/attributes-set-by-windows-laps-inc-legacy.jpg\" alt=\"The Windows LAPS Active Directory Schema Additions\" class=\"wp-image-180\" srcset=\"https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/attributes-set-by-windows-laps-inc-legacy.jpg 358w, https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/attributes-set-by-windows-laps-inc-legacy-300x137.jpg 300w\" sizes=\"auto, (max-width: 358px) 100vw, 358px\" \/><figcaption class=\"wp-element-caption\">The Windows LAPS Active Directory Schema Additions<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Attribute<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>msLAPS-EncryptedDSRMPassword<\/td><td>If enabled, and the computer is a Domain Controller, then this will contain the encrypted DSRM password.<\/td><\/tr><tr><td>msLAPS-EncryptedDSRMPasswordHistory<\/td><td>History for the above.<\/td><\/tr><tr><td>msLAPS-EncryptedPassword<\/td><td>If encryption is enabled, the encrypted password data will be stored here. 
If you&#8217;re planning to decrypt this manually, watch out for the prepended header information in the encrypted data.<br><br>Once decrypted, this has the same JSON format as \u201cmsLAPS-Password\u201d.<\/td><\/tr><tr><td>msLAPS-EncryptedPasswordHistory<\/td><td>History for the above.<\/td><\/tr><tr><td>msLAPS-Password<\/td><td>The unencrypted password if encryption isn\u2019t enabled. This is stored in JSON format as shown in the example below:<br><br><em>{\"n\":\"Administrator\",\"t\":\"1d96ex2d53551ee\",\"p\":\"password\"}<\/em><br><br>Where \u201cn\u201d is the account name, \u201ct\u201d is the time the password was last set (a 64-bit Windows FILETIME written in hexadecimal), and \u201cp\u201d is the password.<\/td><\/tr><tr><td>msLAPS-PasswordExpirationTime<\/td><td>This is the date and time that the password is set to expire. It is stored as a 64-bit integer in Windows FILETIME format (100-nanosecond intervals since 1 January 1601, UTC), the same representation legacy LAPS used.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"new-windows-laps-permissions-setup\">New Windows LAPS Permissions Setup<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Like the legacy LAPS, the new version comes with its own PowerShell module (LAPS) for managing permissions. 
To set them up for OVERLAPS, follow these steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Launch PowerShell using an account which has the necessary Active Directory modification permissions. The LAPS module ships with supported versions of Windows and loads automatically the first time one of its cmdlets is used.<\/li>\n\n\n\n<li>Grant read permission to the Windows LAPS password attributes (cleartext and encrypted forms, plus the expiration time) with the command (<a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/module\/laps\/set-lapsadreadpasswordpermission?view=windowsserver2022-ps\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">more info<\/a>): <code>Set-LapsADReadPasswordPermission -Identity &lt;Distinguished Name of the computer OU&gt; -AllowedPrincipals &lt;Account name&gt;<\/code><\/li>\n\n\n\n<li>Also grant write permission to the expiration time so that you can expire a password, forcing a reset when LAPS next runs on the client (on a Group Policy update) (<a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/module\/laps\/set-lapsadresetpasswordpermission?view=windowsserver2022-ps\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">more info<\/a>): <code>Set-LapsADResetPasswordPermission -Identity &lt;Distinguished Name of the computer OU&gt; -AllowedPrincipals &lt;Account name&gt;<\/code><\/li>\n\n\n\n<li>Restart the OVERLAPS service to make sure it picks up the new permissions.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">As with the Legacy commands, if everything went to plan OVERLAPS will now be able to view and trigger a reset of the Local Administrator passwords. 
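<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The following script is an added example (it is not part of the OVERLAPS documentation or product) that runs the Legacy and Windows LAPS delegation steps above end to end and then reads the resulting rights back with the Find-*ExtendedRights cmdlets, which is the check worth doing before restarting the service. The OU distinguished name, the server name <strong>myoverlaps<\/strong> (hence the computer account <strong>myoverlaps$<\/strong>) and the Windows service name OVERLAPS are assumptions; substitute your own values, or the AD service account name if you use one.<\/p>\n\n\n\n
```powershell
# Added example (not from the OVERLAPS documentation or product): delegate the LAPS
# attribute rights to the OVERLAPS principal, then read the resulting ACEs back.
# Assumptions (adjust to your environment): the computer OU below, a server named
# 'myoverlaps' (so its computer account is 'myoverlaps$') and a Windows service
# named 'OVERLAPS'. Run as an account allowed to modify the security descriptor
# of the OU, on a machine with RSAT, the LAPS module and (for Legacy LAPS) AdmPwd.PS.

$computerOU = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding the managed computers
$principal  = 'myoverlaps$'                          # computer account of the OVERLAPS host,
                                                     # or the AD service account, e.g. 'overlaps_sa'

# --- Windows LAPS -------------------------------------------------------------
Import-Module LAPS -ErrorAction Stop

# Read access to the msLAPS-* password attributes (cleartext and encrypted forms)
Set-LapsADReadPasswordPermission  -Identity $computerOU -AllowedPrincipals $principal
# Write access to msLAPS-PasswordExpirationTime so that an expiry can be forced
Set-LapsADResetPasswordPermission -Identity $computerOU -AllowedPrincipals $principal

# --- Legacy LAPS (only while the old client is still in use) ------------------
if (Get-Module -ListAvailable -Name AdmPwd.PS) {
    Import-Module AdmPwd.PS
    Set-AdmPwdReadPasswordPermission  -OrgUnit $computerOU -AllowedPrincipals $principal
    Set-AdmPwdResetPasswordPermission -OrgUnit $computerOU -AllowedPrincipals $principal
}

# --- Verify: who holds the extended rights on the OU? -------------------------
# Confirm $principal is listed and that nothing unexpected is. Both cmdlets return
# one row per object with an ExtendedRightHolders list.
Find-LapsADExtendedRights -Identity $computerOU |
    Select-Object ObjectDN, ExtendedRightHolders

if (Get-Module -Name AdmPwd.PS) {
    Find-AdmPwdExtendedRights -Identity $computerOU |
        Select-Object ObjectDN, ExtendedRightHolders
}

# --- Restart the service so the new rights are picked up ----------------------
# Service name assumed; check Services.msc or Get-Service on the OVERLAPS host.
# Only meaningful when this script runs on that host.
Restart-Service -Name 'OVERLAPS' -ErrorAction SilentlyContinue
```
\n\n\n\n<p class=\"wp-block-paragraph\">The legacy block is skipped when the AdmPwd.PS module is not installed, and the verification output should show your principal among the ExtendedRightHolders for the OU and nothing you did not intend. Because the delegation is written to the OU once and inherited by the computer objects beneath it, a new computer moved into the OU needs no further work.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">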
<strong>Be aware that, due to AD replication, the permissions may not apply immediately.<\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"reading-encrypted-passwords\">Reading Encrypted Passwords<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"576\" height=\"36\" src=\"https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/laps-encryption-enabled.png\" alt=\"LAPS Password Encryption Enabled\" class=\"wp-image-182\" srcset=\"https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/laps-encryption-enabled.png 576w, https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/laps-encryption-enabled-300x19.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><figcaption class=\"wp-element-caption\">LAPS Password Encryption Enabled<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If you have enabled Password Encryption in your Group Policy settings (Windows LAPS only), OVERLAPS must also be granted permission to decrypt the passwords before it can retrieve them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is done by adding the OVERLAPS server to the policy:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Computer Configuration -> Policies -> Administrative Templates -> System -> LAPS -> Configure authorized password decryptors\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">As this policy accepts only a single principal (a user or a group), it is best to create a group for this setting and add any users (or, in this case, the OVERLAPS server) to that group. 
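<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As an added example (not code from the OVERLAPS documentation or product), the following script reads a managed computer&#8217;s LAPS attributes from the table above as the delegated identity, decodes the cleartext JSON record and the FILETIME expiration by hand, and for the encrypted case lets Get-LapsADPassword report whether the current identity is an authorized decryptor. The computer name PC01 is an assumption. Run it under the identity you delegated (LOCAL SYSTEM on the OVERLAPS server for the default setup, otherwise the AD service account), for instance from a scheduled task or a PsExec -s session, so that what it can and cannot read reflects the service&#8217;s own access.<\/p>\n\n\n\n
```powershell
# Added example (not from the OVERLAPS documentation or product): read one managed
# computer's LAPS attributes as the delegated identity and decode them, then let
# the LAPS module report decryption status for the encrypted form.
# Assumption: a managed computer named 'PC01' in the current domain.

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module LAPS -ErrorAction Stop

$computer = 'PC01'   # assumed managed computer

# FILETIME (100 ns ticks since 1601-01-01 UTC) to a local DateTime.
function ConvertFrom-FileTime([long]$FileTime) {
    [DateTime]::FromFileTimeUtc($FileTime).ToLocalTime()
}

# Only ask for attributes the forest schema actually defines; Get-ADComputer
# refuses unknown property names, and a forest without the legacy schema has
# no ms-Mcs-* attributes at all. This is the same schema check a permissions
# test tool performs before looking at passwords.
$wanted   = 'msLAPS-Password', 'msLAPS-EncryptedPassword', 'msLAPS-PasswordExpirationTime',
            'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$present  = foreach ($a in $wanted) {
    if (Get-ADObject -SearchBase $schemaNC -LDAPFilter ('(lDAPDisplayName={0})' -f $a)) { $a }
}

# One LDAP read. A value that comes back empty is either unset on the object or
# not readable by this identity, which is exactly the delegation you are testing.
$c = Get-ADComputer -Identity $computer -Properties $present

# Expiration time: a 64-bit FILETIME in both Windows LAPS and Legacy LAPS.
foreach ($name in 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime') {
    if ($c.$name) {
        '{0} expires {1}' -f $name, (ConvertFrom-FileTime ([long]$c.$name))
    }
}

# Cleartext Windows LAPS record: JSON with n (account), t (hex FILETIME), p (password).
# The password length is reported instead of the password itself.
if ($c.'msLAPS-Password') {
    $rec     = $c.'msLAPS-Password' | ConvertFrom-Json
    $updated = ConvertFrom-FileTime ([Convert]::ToInt64($rec.t, 16))
    'msLAPS-Password: account={0} updated={1} length={2}' -f $rec.n, $updated, $rec.p.Length
}

# Encrypted record: a header followed by an opaque blob. Rather than parse it by
# hand, let the module decrypt it. DecryptionStatus shows whether this identity
# is (or was, when the password was written) an authorized decryptor, and
# AuthorizedDecryptor names the principal the blob was encrypted for.
if ($c.'msLAPS-EncryptedPassword') {
    Get-LapsADPassword -Identity $computer |
        Select-Object Account, PasswordUpdateTime, ExpirationTimestamp, Source,
                      DecryptionStatus, AuthorizedDecryptor
}

# Legacy attribute, if the old client still writes it and this identity may read it.
if ($c.'ms-Mcs-AdmPwd') {
    'ms-Mcs-AdmPwd present (length {0})' -f $c.'ms-Mcs-AdmPwd'.Length
}
```
\n\n\n\n<p class=\"wp-block-paragraph\">The script deliberately never outputs a password: the cleartext branch reports only its length and the encrypted branch selects every field except Password, so nothing secret lands in a console transcript. A DecryptionStatus other than Success for a principal you have just added to the decryptors group is expected for passwords written before the policy change, for the reason the note below gives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">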
<strong>Note, however, that when you change this setting or add a new member to the group, that principal will only be able to read passwords that have been reset after the change<\/strong>. Each password is encrypted for whichever principal the setting named at the moment the client wrote it, so passwords already in AD stay bound to the previous decryptor until they rotate; if that is too slow, expire the affected passwords so that the clients rotate them.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"an-important-note-about-separate-service-accounts\">An Important Note About Separate Service Accounts<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">If you are using a Service Account in OVERLAPS instead of the default setup (see <a href=\"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/configuration\/settings\/active-directory\/#active-directory-credentials\">Active Directory Credentials<\/a>) an important distinction needs to be made:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Active Directory Access Service Account<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This account, which is used to talk to AD, is the one that needs access to the LAPS attributes; <strong>it does not require permission to decrypt anything<\/strong>. It only fetches the encrypted passwords from AD.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Account the OVERLAPS Service Runs As<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is the account that needs to be in the Authorized Password Decryptors setting or group. 
It receives the encrypted password from the above account and then decrypts it in memory.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Account<\/th><th>Where it is Set<\/th><th>Example<\/th><th>What Permissions it Requires<\/th><\/tr><\/thead><tbody><tr><td>AD Service Account<\/td><td>Settings -&gt; Active Directory -&gt; Active Directory Credentials<\/td><td><em>Users\\overlaps_sa<\/em><\/td><td>Access to the LAPS Attributes in AD (read password, read\/write expiration time).<\/td><\/tr><tr><td>OVERLAPS Service Account<\/td><td>Services.msc -&gt; OVERLAPS -&gt; Log On<\/td><td><em>Servers\\overlapsserver$<\/em><\/td><td>Permission to decrypt LAPS passwords.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If you are not using separate AD credentials (as is the default), then this can be ignored.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-the-laps-permissions\">Testing the LAPS Permissions<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You can test your Active Directory permissions using the LAPS Debug tool within OVERLAPS. See the <a href=\"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/configuration\/laps-debug\/\">LAPS Debug tool<\/a> for more information.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">OVERLAPS also includes a <a href=\"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/additional-tools\/laps-check-tools\/\">pair of command line tools<\/a> for testing your LAPS permissions: \u201c<strong>lapscheck.exe<\/strong>\u201d and \u201c<strong>lapscheck_system.exe<\/strong>\u201d. 
Both allow you to specify the Distinguished Name of either a computer or Organizational Unit in Active Directory to check the LAPS setup.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201c<strong>lapscheck.exe<\/strong>\u201d also allows you to specify a username and password if you want to check the access of another AD account, while \u201c<strong>lapscheck_system.exe<\/strong>\u201d will attempt to check the access that the LOCAL SYSTEM account on the current computer has. The latter is useful for checking the access that OVERLAPS has as this is the account it runs as by default.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"984\" height=\"820\" src=\"https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/permissions_lapscheck.png\" alt=\"Output of the LAPSCheck Tool\" class=\"wp-image-167\" srcset=\"https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/permissions_lapscheck.png 984w, https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/permissions_lapscheck-300x250.png 300w, https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/03\/permissions_lapscheck-768x640.png 768w\" sizes=\"auto, (max-width: 984px) 100vw, 984px\" \/><figcaption class=\"wp-element-caption\">Output of the LAPSCheck Tool<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The process followed and problems checked for are:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Connect to Active Directory and attempt to find the object identified by the provided Distinguished Name.<\/li>\n\n\n\n<li>Attempt to read schema information about the LAPS properties from Active Directory. 
If this fails then check that your LAPS installation was successful.<\/li>\n\n\n\n<li>Get the permissions on the object and search specifically for ones granting read\/write permission to the LAPS properties (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).<\/li>\n\n\n\n<li>Finally, if the distinguished name is for a computer, attempt to read the LAPS password itself and the expiration time.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">If you have any problems with this process, please get into contact with our Support Team for assistance (see <a href=\"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/getting-support\/\">Contacting our Support Team<\/a>).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"multi-domain-permissions\">Multi-Domain Permissions<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In multi-domain environments, the LAPS permissions will need to be applied to each domain.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction OVERLAPS requires access to the LAPS attributes in Active Directory in order to function. This guide assumes you are already familiar with the relevant PowerShell scripts provided by Microsoft for managing this and that you have already configured your computer&#8217;s Self permission (so that computers have permission to write their passwords to Active Directory). 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":30,"menu_order":200,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-341","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/comments?post=341"}],"version-history":[{"count":3,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/341\/revisions"}],"predecessor-version":[{"id":352,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/341\/revisions\/352"}],"up":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/30"}],"wp:attachment":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/media?parent=341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}