Policy overview

Key metadata and intent for this policy.

Class: Computer
Category: System > LAPS
Supported on: At least Microsoft Windows 10 or later

Supported OS tags: Windows10

This policy configures automatic account management policy options.

Specify the target account to manage: specifies whether the built-in admin account or a custom account should be managed.

Automatic account name (or name prefix): specifies the name, or name prefix, to use for the managed account. If this policy setting is configured, Windows LAPS will use it as the account name or name prefix for the target account. If this policy setting is not configured, Windows LAPS will use "WLapsAdmin" as the account name or name prefix. Note: this name is treated as a prefix when account name randomization is configured, see comments below.

Enable the managed account: specifies whether the managed account should be enabled or not. If this policy setting is configured, Windows LAPS will enable the specified managed account. If this policy setting is not configured, Windows LAPS will disable the specified managed account. Note: Windows LAPS will regularly maintain and rotate the password of the managed account regardless of whether the account is maintained in an enabled\disabled status.

Randomize the name of the managed account: specifies whether the name of the managed account should be randomized with a random numeric suffix. If this policy setting is configured, Windows LAPS will add an eight digit random numeric suffix to the managed automatic account name, and will re-randomize the name of the managed account every time the password is rotated. If this policy setting is not configured, Windows LAPS will use the managed automatic account name as configured. If the managed automatic account name prefix is configured, Windows LAPS will use up to the first twelve (12) characters of that name as a prefix for the random name. If the managed automatic account name is not configured, Windows LAPS will use "WLapsAdmin" as the name prefix.

Note: the DSRM account on domain controllers cannot be configured for automatic account management. This policy has no effect on domain controllers and will be ignored even if configured for a DC.

See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Internal name: LAPS_AutomaticAccountManagementPolicy
Policy ID: e289c27554cb
Elements: 4

Registry values

How enabled and disabled states update the registry.

Registry location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementEnabled
Type: REG_DWORD
Enabled value: 1
Disabled value: 0

Policy elements

Inputs and configuration options exposed by this policy.

Element: Automatic account name (or name prefix):
ID: LAPS_AutomaticAccountManagementNameOrPrefix
Type: text
Registry mapping: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementNameOrPrefix
Registry type: REG_SZ
Constraints & behavior: None

Element: Specify the target account to manage:
ID: LAPS_AutomaticAccountManagementTarget
Type: enum
Registry mapping: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementTarget
Registry type: REG_DWORD
Constraints & behavior: Options: Manage the built-in admin account (0), Manage a custom admin account (1)

Element: Enable the managed account
ID: LAPS_AutomaticAccountManagementEnableAccount
Type: boolean
Registry mapping: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementEnableAccount
Registry type: REG_DWORD
Constraints & behavior: Options: true (), false (). True: None · False: None

Element: Randomize the name of the managed account
ID: LAPS_AutomaticAccountManagementRandomizeName
Type: boolean
Registry mapping: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementRandomizeName
Registry type: REG_DWORD
Constraints & behavior: Options: true (), false (). True: None · False: None
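
The registry mappings above can be read back on a host to confirm which account Windows LAPS manages and what name to expect for it in logs, which matters when the name is re-randomized at every rotation. The PowerShell below is an added example, not part of this policy page or of Microsoft's tooling; the function names and sample values are hypothetical, and it assumes the two boolean elements are stored as DWORD 1 for true.

```powershell
# Added example, not from the policy page. Value names and the meanings of
# ...Enabled (1/0) and ...Target (0/1) come from the page; reading the two boolean
# DWORDs as 1 = true is an assumption, since the page leaves their values blank.
$LapsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'

function Resolve-LapsAutoAccountPolicy {
    param([hashtable]$Values = @{})
    if ($Values['AutomaticAccountManagementEnabled'] -ne 1) {
        return [pscustomobject]@{ Managed = $false }
    }
    $name = [string]$Values['AutomaticAccountManagementNameOrPrefix']
    if ([string]::IsNullOrWhiteSpace($name)) { $name = 'WLapsAdmin' }  # default per policy text
    $randomized = ($Values['AutomaticAccountManagementRandomizeName'] -eq 1)
    if ($randomized) {
        # Up to the first twelve characters are kept, then eight random digits follow.
        $name = $name.Substring(0, [Math]::Min(12, $name.Length))
    }
    $suffix = if ($randomized) { '\d{8}' } else { '' }
    $target = switch ($Values['AutomaticAccountManagementTarget']) {
        0       { 'Built-in admin account' }
        1       { 'Custom admin account' }
        default { 'Not configured' }
    }
    [pscustomobject]@{
        Managed        = $true
        Target         = $target
        AccountEnabled = ($Values['AutomaticAccountManagementEnableAccount'] -eq 1)
        NameRandomized = $randomized
        # Regex for matching the managed account in logon and account-change events.
        NamePattern    = '^' + [regex]::Escape($name) + $suffix + '$'
    }
}

function Get-LapsAutoAccountPolicy {
    # Reads the live policy values; an absent key means the policy is not configured.
    $values = @{}
    $item = Get-ItemProperty -Path $LapsKey -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties | Where-Object Name -like 'AutomaticAccountManagement*' |
            ForEach-Object { $values[$_.Name] = $_.Value }
    }
    Resolve-LapsAutoAccountPolicy -Values $values
}

# Constructed sample values (not from a real host): custom account, long prefix, randomized.
$sample = @{ AutomaticAccountManagementEnabled = 1; AutomaticAccountManagementTarget = 1
    AutomaticAccountManagementNameOrPrefix = 'CorpBreakGlassAdmin'; AutomaticAccountManagementRandomizeName = 1 }
Resolve-LapsAutoAccountPolicy -Values $sample
```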
