Configure automatic account management

Policy overview

Key metadata and intent for this policy.

Scope: Computer
Category: System > LAPS
Supported on: At least Microsoft Windows 10 or later

Supported OS tags: Windows10

This policy configures automatic account management policy options.

Specify the target account to manage: specifies whether the built-in admin account or a custom account should be managed.

Automatic account name (or name prefix): specifies the name, or name prefix, to use for the managed account. If this policy setting is configured, Windows LAPS will use it as the account name or name prefix for the target account. If this policy setting is not configured, Windows LAPS will use "WLapsAdmin" as the account name or name prefix. Note: this name is treated as a prefix when account name randomization is configured, see comments below.

Enable the managed account: specifies whether the managed account should be enabled or not. If this policy setting is configured, Windows LAPS will enable the specified managed account. If this policy setting is not configured, Windows LAPS will disable the specified managed account. Note: Windows LAPS will regularly maintain and rotate the password of the managed account regardless of whether the account is maintained in an enabled\disabled status.

Randomize the name of the managed account: specifies whether the name of the managed account should be randomized with a random numeric suffix. If this policy setting is configured, Windows LAPS will add an eight digit random numeric suffix to the managed automatic account name, and will re-randomize the name of the managed account every time the password is rotated. If this policy setting is not configured, Windows LAPS will use the managed automatic account name as configured. If the managed automatic account name prefix is configured, Windows LAPS will use up to the first twelve (12) characters of that name as a prefix for the random name. If the managed automatic account name is not configured, Windows LAPS will use "WLapsAdmin" as the name prefix.

Note: the DSRM account on domain controllers cannot be configured for automatic account management. This policy has no effect on domain controllers and will be ignored even if configured for a DC.

See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Internal name: LAPS_AutomaticAccountManagementPolicy
Policy ID: e289c27554cb
Elements: 4

Registry values

How enabled and disabled states update the registry.

Scope: Computer
Hive: HKLM
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value name: AutomaticAccountManagementEnabled
Type: REG_DWORD
Enabled value: 1
Disabled value: 0

Policy elements

Inputs and configuration options exposed by this policy.

Automatic account name (or name prefix):
ID: LAPS_AutomaticAccountManagementNameOrPrefix
Scope: Computer
Element type: text
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value name: AutomaticAccountManagementNameOrPrefix
Type: REG_SZ
Constraints & behavior: None

Specify the target account to manage:
ID: LAPS_AutomaticAccountManagementTarget
Scope: Computer
Element type: enum
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value name: AutomaticAccountManagementTarget
Type: REG_DWORD
Constraints & behavior: Options: Manage the built-in admin account (0), Manage a custom admin account (1)

Enable the managed account
ID: LAPS_AutomaticAccountManagementEnableAccount
Scope: Computer
Element type: boolean
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value name: AutomaticAccountManagementEnableAccount
Type: REG_DWORD
Constraints & behavior: Options: true (), false ()
True: None · False: None

Randomize the name of the managed account
ID: LAPS_AutomaticAccountManagementRandomizeName
Scope: Computer
Element type: boolean
Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value name: AutomaticAccountManagementRandomizeName
Type: REG_DWORD
Constraints & behavior: Options: true (), false ()
True: None · False: None
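
The following PowerShell function is an added example, not part of the original policy page or of Windows LAPS itself. It reads the registry values listed above, applies the defaulting and prefix rules from the policy description, and returns the account-name pattern an auditor should expect on the host. The function name Get-LapsAutoAccountPolicy is hypothetical, and treating a stored 1 as "true" for the two boolean elements is an assumption, since the page does not list their values.

```powershell
# Added example: read-only audit of the LAPS automatic account management policy.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'

function Get-LapsAutoAccountPolicy {   # hypothetical helper name
    param([string]$Path = $PolicyKey)

    # A missing key or missing value means the setting is not configured.
    $raw = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $get = {
        param($n)
        if ($raw -and $raw.PSObject.Properties[$n]) { $raw.$n } else { $null }
    }

    $enabled   = & $get 'AutomaticAccountManagementEnabled'
    $target    = & $get 'AutomaticAccountManagementTarget'
    $name      = & $get 'AutomaticAccountManagementNameOrPrefix'
    $enableAcc = & $get 'AutomaticAccountManagementEnableAccount'
    $randomize = & $get 'AutomaticAccountManagementRandomizeName'

    # Page: "WLapsAdmin" is used when no name or prefix is configured.
    if ([string]::IsNullOrEmpty($name)) { $name = 'WLapsAdmin' }

    # Page: with randomization, up to the first 12 characters form the prefix
    # and an eight digit numeric suffix is re-generated on every rotation.
    if ($randomize -eq 1) {            # assumption: 1 means "true"
        $prefix  = $name.Substring(0, [Math]::Min(12, $name.Length))
        $pattern = '^' + [regex]::Escape($prefix) + '\d{8}$'
    } else {
        $pattern = '^' + [regex]::Escape($name) + '$'
    }

    # Option numbers 0 and 1 are the enum values listed on the page.
    $targetText = if ($target -eq 0) { 'Built-in admin account' }
                  elseif ($target -eq 1) { 'Custom admin account' }
                  else { 'Not set' }

    [pscustomobject]@{
        PolicyEnabled     = ($enabled -eq 1)
        Target            = $targetText
        NameOrPrefix      = $name
        AccountEnabled    = ($enableAcc -eq 1)   # assumption: 1 means "true"
        NameRandomized    = ($randomize -eq 1)
        ExpectedNameRegex = $pattern
    }
}

Get-LapsAutoAccountPolicy | Format-List
```

The page does not say whether the naming rules apply when the built-in admin account is the target, so ExpectedNameRegex is meaningful for the custom-account target only.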