Policy
Configure authorized password decryptors
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10
Configure this setting to control the specific user or group who is authorized to decrypt encrypted passwords. Configuring this setting has no effect unless password encryption has been enabled. If this setting is enabled, encrypted passwords will be decryptable by the specified group. If this setting is disabled or not configured, encrypted passwords will be decryptable by the Domain Admins group. This setting must be configured with either a domain-qualified name of a group or user, or a SID in string format. Valid examples include: contoso\LAPSAdmins lapsadmins@contoso.com S-1-5-21-2127521184-1604012920-1887927527-35197 Do not enclose the user\group name or SID in enclosing quotes or parentheses. The specified user or group must be resolvable by the managed device, otherwise passwords will not be backed up. NOTE: this setting is ignored when Directory Services Repair Mode (DSRM) account passwords are backed up on a domain controller. In that scenario, this setting always defaults to the Domain Admins group of the domain controller's domain. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | Type | Registry mapping | Constraints & behavior | Copy |
|---|---|---|---|---|---|
| Computer | Authorized password decryptor ID TEXT_ADPasswordEncryptionPrincipal | text | Path SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS Value name ADPasswordEncryptionPrincipal Type REG_SZ | None |