Local Admin Password Solution (LAPS)

Our Local Administrator Password Solution (LAPS) was built to solve the issue of using identical accounts in your environment for user support or privilege escalation. LAPS creates strong passwords for local accounts which are stored securely in your own Azure Key Vault. For auditing, you also have to provide an Application Insights instance, though we are transitioning to using Log Analytics workspaces directly.
Most settings denoted on this page have to be configured using RealmJoin Classic Portal.


Before you can start with LAPS you have to meet the following pre-requirements:
  • You have to have set up Application Insights
  • You have to explicitly enable LAPS account types using group (or user) settings
We'll look at both of them below.

Application Insights

Application Insights play an important role when using LAPS. The password requests triggered by LAPS are logged by RealmJoin and piped to Application Insights. This way you have complete insight into who is retrieving passwords. More details can be found in our Application Insights article.

Group settings

LAPS supports the follow global settings.
Settings Key
Default Value
Set to true to force this feature off. This will clean up and delete all local accounts.
Interval for internal config checks (HH:mm)
The following account types are supported.
Settings Key
Default Value
undefined (inactive)
undefined (inactive)
undefined (inactive)
Each account type may be configured independently using the following common settings. Some types have special settings described in their respective section.
In the following table $ represents any of the three Account JSON object from above.
Settings Key
Default Value
Special. See Privileged account. Needs to be 20 characters or less.
"RealmJoin Local Administrator"
Display name
Charset for the password generator (excludes lookalikes)
Password length
Preset password templates, see Password generation.
Special. See Account recreation.
Preset password templates, see Password generation.
Special. See Support account.
Create account only when requested.
Special. See Privileged account.
Fixed account expiration date (ISO-8601 format)
Special. See Privileged account.
Fixed account expiration date (ISO-8601 format)

Password generation

By default truly random passwords will be generated based on the settings PasswordCharSet and PasswordLength. The default charset was chosen to exclude similar looking characters like I1l and O0. Windows' cryptographic random number generator is used to provide high quality randomness for generation.
RealmJoin will automatically handle issues with Windows' complexity requirements on account creation. As with all truly random passwords sometimes generated passwords might not satisfy the complexity requirements. If this happens RealmJoin will do up to three rounds of passwords generation until a viable passwords is generated. There is a remaining statistically small probability that all retries will be exceeded. In this case you will see a message in the service log file similar to All retries exceeded. The complete process will restart in the next run of the internal config checks (see setting CheckInterval).
Truly random passwords can be painful to work with, which is why special preset templates are also supported.
  • Preset 1 ⇒ [1 upper][3 lower][4 digit]
    • Tuci9324
    • Lnso5050
    • Khwn2174
  • Preset 2 ⇒ Key-[6 digit]-[6 digit]-[6 digit]-[6 digit]-[6 digit]-[6 digit]-[6 digit]-[6 digit]
    • PasswordLength setting is supported! The setting determines the number of digit blocks.
    • Key-012993-230956-976475 (PasswordLength = 3)
    • Key-497254-679158-631224-278319 (PasswordLength = 4)
    • Key-506179-861369-706482-613244-730371-097689-404350-340073 (default)
  • Preset 3 ⇒ [word]-[word]-[word]-[word]-[word]-[word] generated from Eff Long List
    • PasswordLength setting is supported! The setting determines the number of words.
    • Exciting-Unearth-Cried-87 (PasswordLength = 3)
    • Neurology-Astute-Debate-Marshy-15 (PasswordLength = 4)
    • Marshy-Darkened-Undertake-Reset-Shrouded-Wise-26 (default)

Account recreation

After an account was used, that is after sign out of the local user, RealmJoin can be configured to delete and recreate the account using the MaxStaleness setting. This way accounts will always be pristine. If not configured accounts will never be recreated and will stay around indefinitely.
RealmJoin will delete the account and its profile. ALL FILES WILL BE PERMANENTLY DELETED.

Conflict avoidance

Even though RealmJoin tries its best to avoid naming conflicts when managing the accounts on a device, there is always the possibility that accounts might already exist on a device causing conflicts. This is why the NamePattern setting supports these tokens with special meaning to RealmJoin. The tokens will be transformed by the specified function and its length parameter following the colon.
  • {HEX:8}F4D027EF, B3C4F74E, ... (random hexadecimal characters)
  • {DEC:6}506453, 066946, ... (random decimal characters)
  • {COUNT:2}01, 02, ... (counter, will stay 01 if no conflicts exist)

Emergency account

This account type is supposed to be your backup access to the device should it fail catastrophically. It will be created proactively. This way you will always have access for recovery. We recommend configuring it for account recreation.
Key LocalAdminManagement.EmergencyAccount (for common settings see group settings)
"NamePattern": "ADM-Emergency-{HEX:4}",
"DisplayName": "Emergency Access",
"MaxStaleness": "04:00",
"PasswordPreset": 2

Support account

This account type can be configured for on-demand creation. It is designed for use in a limited time window of 12 hours in on-demand mode.
Support accounts and their profiles will be deleted 12 hours after requesting the account regardless of usage (after the support user has signed out). ALL FILES WILL BE PERMANENTLY DELETED.
When using on-demand mode account recreation (MaxStaleness) should not be used. It might interfere with your support workflow.
Requirements for the on-demand workflow:
  1. 1.
    The mode is enabled by setting "OnDemand": true.
  2. 2.
    A user is signed in
  3. 3.
    The RealmJoin agent is running
  4. 4.
    The device is connected to the internet
  5. 5.
    The device can reach the RealmJoin backend
It might take up to 30 minutes for the RealmJoin agent to notice the request. The signed-in user may speed up this progress by choosing "Sync this device" from the RealmJoin tray menu.
When not in on-demand mode it will be created proactively.
Key LocalAdminManagement.SupportAccount (for common settings see group settings)
"NamePattern": "ADM-Support-User-{HEX:2}",
"DisplayName": "Support User",
"OnDemand": true,
"PasswordPreset": 1

Privileged account

This account type is designed to be used by power users that need regular but controlled admin privileges on their own devices. A fixed account expiration date can be specified (Expiration).
For this type account recreation (MaxStaleness) should not be used. The whole point is to have a persistent account for your users.
Forced password rotations are supported:
  1. 1.
    2021-11-20T12:34:56+01:00: Any explicit timestamp in ISO-8601. Multiple timestamps can be specified.
  2. 2.
    DayAfterCreate: After the account has been created the account's password will be changed. This is useful when users are supposed to set up Windows Hello for additional sign-in options.
  3. 3.
    Yearly, Monthly or Weekly: The shorter interval takes preference (Weekly > Monthly > Yearly). If no more conditions are specified, defaults are "1st day of month" for Monthly or "monday" for Weekly. Additionally, Yearly defaults to password last set date + 365 days. All seven weekdays can be specified. So if Wednesday and Weekly are specified, the password will be changed every wednesday. If Wednesday and Monthly are specified, the password will be changed on the first wednesday each month. Combining Yearly with weekdays will set the deadline to the latest possible specified weekday just before 365 days are up.
Key LocalAdminManagement.PrivilegedAccount (for common settings see group settings)
"NamePattern": "Privileged-User-{COUNT:1}",
"DisplayName": "Privileged User",
"PasswordRenewals": ["DayAfterCreate", "Monthly", "Thursday"],
"PasswordPreset": 3,
"PasswordLength": 3

Accessing passwords

Use the RealmJoin Portal to access the passwords. It will appears similar to this.​

Enable self-service

Users may access accounts created on their own devices (they are "PrimaryUser") when enabled using the RealmJoin Portal starting with version 2022.5.1. To enable, define a setting using the key Allow.SelfLAPS. This setting may be defined on groups and users. As with all settings prefixed with Allow.* they are AND-joined across the user and all of their groups.
"EmergencyAccount": true,
"SupportAccount": true,
"PrivilegedAccount": true
The value can also be pure boolean true/false. This may be used as a wildcard and encompasses every current and future account type. Please note that this is only recommended for disabling access (false).
In the past it was recommended to set this setting to true. However, as we continue to expand RealmJoin, new account types will be added. It is therefore strongly recommended to migrate all true values to the more explicit object notation
A sample configuration may look like this:
All remote workers
{ "EmergencyAccount": true }
Remote workers may access their own devices emergency account.
All developers
{ "EmergencyAccount": true, "PrivilegedAccount": true }
Developers may access their emergency account and their privileged account—no matter whether they are remote workers or not.
All trainees
Trainees must never have access to any of the three account types and all future types, even if they are remote workers or developers