WebLAPS is a web-based solution for managing Microsoft Local Administrator Password Solution (LAPS). Below are some articles that have been previously shared with the community on Windows LAPS.
WebLAPS can also be used to implement the just-in-time administration (JITA) approach recommended by Microsoft, in which system administrators' accounts are added to privileged groups for a defined period of time and automatically removed afterwards. Please refer to the official documentation for more information. Also, here is how to configure Windows LAPS with Microsoft Intune as well.
This article targets users that are still using the legacy Microsoft LAPS and not Windows LAPS. Microsoft recommends that customers begin planning how to migrate their Windows LAPS-capable systems away from legacy Microsoft LAPS. The legacy Microsoft LAPS product is deprecated as of Windows 11 23H2 and later. Installation of the legacy Microsoft LAPS MSI package is blocked on newer OS versions, and Microsoft will no longer consider code changes for the legacy Microsoft LAPS product. Microsoft will continue to support the legacy Microsoft LAPS product on older versions of Windows (prior to Windows 11 23H2) on which it was previously supported. That support will end upon the normal End of Support for those OSes.
If you are using Windows LAPS already, I have got good news for you. You no longer need a 3rd party solution. Starting from Windows Admin Center v2401, you should be able to manage LAPS effortlessly.
Steps to Install WebLAPS on Windows
Please navigate to the following URL to download the required Java version. I will be downloading the Windows version as shown below.

Kindly accept the license agreement. You will be prompted to sign-in. Enter your username and password when prompted and download.

WebLAPS Community Edition Download
Do not install WebLAPS on a domain controller (DC), so as not to increase its attack surface. I therefore recommend installing the WebLAPS Pro solution on a member server. Use the following URL to download this application.


WebLAPS Pro follows a Java-based service model and requires Java Runtime Environment (JRE) 1.8 to function, so we will install the JRE as shown below.

Next, create a Local User for WebLAPS

Next, configure Log on as a service. This will allow user “laps” to work as a service:

Please expand “Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment”. Select “Log on as a service”.

Add the laps user created and click on OK.

Create the directory C:\laps as shown below.

Extract the WebLAPS distributive (installation package) into C:\laps

As you can see, the extraction was successful.

Modify the folder permissions: search for the “laps” user and assign it “read & write” access. Deny access to all other users except administrators.

Verify or create the environment variable. To do this, launch System Properties and click on “Environment Variables” under the Advanced tab. As you can see below, we have the Java JRE installation path.

Note: If the Java JRE is not added to the system environment variables (PATH), running the following command in Command Prompt or PowerShell will result in an error.

Verify the Java Path in Configuration
The official documentation specified this step as an optional step if you have the JRE Installation path in the environment variable. However, this was not the case for me as the service did not start.

If Java is not in the system PATH, WebLAPS might not find it and will fail to start correctly. To fix this, get the Java installation path and change the Java path in the configuration to the full path to java.exe, using / instead of \ as discussed in the official guide.
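The preparation steps above (local user, C:\laps, folder permissions, Java path check) can also be scripted. The following PowerShell is an added example, not part of the original article or the WebLAPS package; it assumes the user name `laps` and folder `C:\laps` used in this guide and must run in an elevated session. The “Log on as a service” right is still assigned through the policy editor as described.

```powershell
#Requires -RunAsAdministrator
# Added example: names follow the article (local user "laps", folder C:\laps).
$user = 'laps'
$dir  = 'C:\laps'

# 1. Local service user; the password is prompted for, never hard-coded.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $user" -AsSecureString
    New-LocalUser -Name $user -Password $pw -Description 'WebLAPS service account' | Out-Null
}

# 2. Installation directory.
New-Item -Path $dir -ItemType Directory -Force | Out-Null

# 3. ACL: stop inheriting from C:\, drop leftover explicit entries, then allow
#    only Administrators (full control) and laps (read & write).
$acl = Get-Acl -Path $dir
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL, discard inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$admins  = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')  # BUILTIN\Administrators
$svc     = [System.Security.Principal.NTAccount]::new($env:COMPUTERNAME, $user)

$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $admins, [System.Security.AccessControl.FileSystemRights]::FullControl, $inherit, $prop, $allow))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $svc, [System.Security.AccessControl.FileSystemRights]'Read, Write', $inherit, $prop, $allow))
Set-Acl -Path $dir -AclObject $acl

# 4. Review the result: expect exactly two entries, none of them inherited.
(Get-Acl -Path $dir).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# 5. Resolve java.exe from PATH and print it with forward slashes,
#    the form the WebLAPS configuration expects.
$java = Get-Command java.exe -ErrorAction SilentlyContinue
if ($java) {
    $java.Path -replace '\\', '/'
} else {
    Write-Warning 'java.exe is not on PATH; add the JRE bin folder or use its full path.'
}
```

The `Read, Write` grant mirrors the article's wording; whether the service also needs execute rights inside `C:\laps` depends on how the WebLAPS package launches and is not covered here.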

WebLAPS Service
You must run this command with administrative rights. Otherwise, it will fail with the following error: “Error in OpenSCManager: 5” (Access Denied). To do this, open the Command Prompt (Admin), navigate to the WebLAPS folder and run the installation script.

As you can see below, the script succeeded and the service is running.

We will need to create a service account (LAPSAdmin) that WebLAPS uses to authenticate and read LAPS passwords from Active Directory. Next, we will grant it the LAPS read permission.

Launch WebLAPS in Browser
Open the browser and navigate to the URL shown in the image below. This might be different in your case.
Note: Ignore the certificate warning, accept it (since WebLAPS uses a self-signed certificate by default)

To allow WebLAPS to manage LAPS passwords stored in Active Directory, we need to integrate WebLAPS with Active Directory (AD).
To do this, click on Administration, Communications and LDAP as shown below. Enter the AD server details accordingly and save the settings


Now WebLAPS should be fully functional. Try retrieving a LAPS password as shown below.

For other recommended settings for WebLAPS and detailed steps, please take a look at this blog post.
Retrieve Windows LAPS via WACmg
In the next guide, I will be showing the steps to securely manage Windows LAPS via Windows Admin Center Modern Gateway 2401.
You can use Windows LAPS to manage the passwords on your LAPS-enabled machines within the domain. With this tool, you can reveal and copy the password of a given machine, and view the corresponding password expiration time and update timestamp.
Not only that, you can set the expiration time and reset passwords for multiple machines at a time, making password management and authentication more secure, simpler, and efficient.
