Policy
Configure authorized password decryptors
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10
Configure this setting to control the specific user or group who is authorized to decrypt encrypted passwords.

Configuring this setting has no effect unless password encryption has been enabled.

If this setting is enabled, encrypted passwords will be decryptable by the specified group.

If this setting is disabled or not configured, encrypted passwords will be decryptable by the Domain Admins group.

This setting must be configured with either a domain-qualified name of a group or user, or a SID in string format. Valid examples include:

- contoso\LAPSAdmins
- lapsadmins@contoso.com
- S-1-5-21-2127521184-1604012920-1887927527-35197

Do not enclose the user\group name or SID in enclosing quotes or parentheses.

The specified user or group must be resolvable by the managed device, otherwise passwords will not be backed up.

NOTE: this setting is ignored when Directory Services Repair Mode (DSRM) account passwords are backed up on a domain controller. In that scenario, this setting always defaults to the Domain Admins group of the domain controller's domain.

See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| Authorized password decryptor (ID TEXT_ADPasswordEncryptionPrincipal) | text | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\ADPasswordEncryptionPrincipal (Type REG_SZ) | None |
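
The following audit script is an added example, not part of the original policy reference or Microsoft's tooling. It reads the registry value listed above on a managed device, checks it against the format rules in the policy text, and tests whether the principal resolves locally. The function name `Test-LapsDecryptorPrincipal` is hypothetical, and resolving through the .NET `NTAccount`/`SecurityIdentifier` classes is an assumption that only approximates the lookup Windows LAPS performs itself.

```powershell
# Added example: audit the ADPasswordEncryptionPrincipal policy value on a managed device.
# Key and value name come from the policy element table; the function name is hypothetical.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
$name = 'ADPasswordEncryptionPrincipal'

function Test-LapsDecryptorPrincipal {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $result = [ordered]@{ Value = $Value; Format = 'Unknown'; Resolved = $false; Sid = $null; Issues = @() }

    # The policy text forbids enclosing quotes or parentheses.
    if ($Value -match '^\s*["''(]|["'')]\s*$') {
        $result.Issues += 'Value is enclosed in quotes or parentheses'
    }
    if ($Value -ne $Value.Trim()) { $result.Issues += 'Leading or trailing whitespace' }

    try {
        if ($Value -match '^S-1-\d+(-\d+)+$') {
            $result.Format = 'SID'
            $sid = [System.Security.Principal.SecurityIdentifier]::new($Value)
            # Translating SID -> account name shows that this device can resolve it.
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        } else {
            if     ($Value -match '^[^\\@]+\\[^\\@]+$') { $result.Format = 'Domain\Name' }
            elseif ($Value -match '^[^\\@]+@[^\\@]+$')  { $result.Format = 'UPN' }
            else   { $result.Issues += 'Not a domain-qualified name or SID string' }
            # Translating name -> SID fails if the device cannot resolve the principal.
            $account = [System.Security.Principal.NTAccount]::new($Value)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        }
        $result.Resolved = $true
        $result.Sid = $sid.Value
    } catch {
        # An unresolvable principal means passwords will not be backed up.
        $result.Issues += "Not resolvable from this device: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

$configured = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ([string]::IsNullOrEmpty($configured)) {
    # Disabled or not configured: the policy text says Domain Admins can decrypt.
    'Value absent: encrypted passwords are decryptable by the Domain Admins group.'
} else {
    Test-LapsDecryptorPrincipal -Value $configured
}
```

Run it on the managed device itself, since the policy requires the principal to be resolvable there. Compare the returned `Sid` with the group you intend to hold decryption rights.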
Other policies in this category
Explore related policies at the same level.
- Configure automatic account management (Computer; At least Microsoft Windows 10 or later)
- Configure password backup directory (Computer; At least Microsoft Windows 10 or later)
- Configure size of encrypted password history (Computer; At least Microsoft Windows 10 or later)
- Do not allow password expiration time longer than required by policy (Computer; At least Microsoft Windows 10 or later)
- Enable password backup for DSRM accounts (Computer; At least Microsoft Windows 10 or later)
- Enable password encryption (Computer; At least Microsoft Windows 10 or later)
- Name of administrator account to manage (Computer; At least Microsoft Windows 10 or later)
- Password Settings (Computer; At least Microsoft Windows 10 or later)
- Post-authentication actions (Computer; At least Microsoft Windows 10 or later)