|
Server : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 System : Windows NT SERVER-PC 10.0 build 26200 (Windows 11) AMD64 User : ServerPC ( 0) PHP Version : 8.2.12 Disable Function : NONE Directory : C:/Windows/PolicyDefinitions/en-US/ |
Upload File : |
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
<displayName>
</displayName>
<description>
</description>
<resources>
<stringTable>
<string id="LAPS">LAPS</string>
<string id="LAPS_BackupDirectory">Configure password backup directory</string>
<string id="LAPS_BackupDirectory_Help">Use this setting to configure which directory the local admin account password is backed up to.
The allowable settings are:
0=Disabled (password will not be backed up)
1=Backup the password to Azure Active Directory
2=Backup the password to Active Directory
If not specified, this setting will default to 0 (Disabled).
If this setting is configured to 1, and the managed device is not joined to Azure Active Directory, the local administrator password will not be managed.
If this setting is configured to 2, and the managed device is not joined to Active Directory, the local administrator password will not be managed.
If this setting is disabled or not configured, the local administrator password is not managed.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
</string>
<string id="LAPS_BackupDirectoryDisabled">Disabled</string>
<string id="LAPS_BackupDirectoryAzure">Azure Active Directory</string>
<string id="LAPS_BackupDirectoryAD">Active Directory</string>
<string id="LAPS_PasswordSettings">Password Settings</string>
<string id="LAPS_PasswordSettings_Help">Configures password parameters
Password complexity: which characters are used when generating a new password
Default: Large letters + small letters + numbers + special characters
Password length
Minimum: 8 characters
Maximum: 64 characters
Default: 14 characters
Password age in days
Minimum: 1 day (7 days when backup directory is configured to be Azure AD)
Maximum: 365 days
Default: 30 days
Passphrase length
Minimum: 3 words
Maximum: 10 words
Default: 6 words
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and is used under a CC-BY-3.0 Attribution license. See https://go.microsoft.com/fwlink/?linkid=2255471 for more information.
</string>
<string id="LAPS_PwdComplexity_Item_1">Large letters</string>
<string id="LAPS_PwdComplexity_Item_2">Large letters + small letters</string>
<string id="LAPS_PwdComplexity_Item_3">Large letters + small letters + numbers</string>
<string id="LAPS_PwdComplexity_Item_4">Large letters + small letters + numbers + specials</string>
<string id="LAPS_PwdComplexity_Item_5">Large letters + small letters + numbers + specials (improved readability)</string>
<string id="LAPS_PwdComplexity_Item_6">Passphrase (long words)</string>
<string id="LAPS_PwdComplexity_Item_7">Passphrase (short words)</string>
<string id="LAPS_PwdComplexity_Item_8">Passphrase (short words with unique prefixes)</string>
<string id="LAPS_AdminName">Name of administrator account to manage</string>
<string id="LAPS_AdminName_Help">This policy setting specifies a custom Administrator account name to manage the password for.
If this policy setting is enabled, LAPS will manage the password for a local account with this name.
If this policy setting is disabled or not configured, LAPS will manage the password for the well known Administrator account.
DO NOT enable this policy setting to manage the built-in administrator account. The built-in administrator account is auto-detected by well-known SID and does not depend on the account name.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
</string>
<string id="LAPS_DontAllowPwdExpirationBehindPolicy">Do not allow password expiration time longer than required by policy</string>
<string id="LAPS_DontAllowPwdExpirationBehindPolicy_Help">If this setting is enabled or not configured, planned password expiration longer than the password age dictated by the "Password Settings" policy is NOT allowed. When such expiration is detected, the password is changed immediately and password expiration is set according to policy.
If this setting is disabled, password expiration time may be longer than required by "Password Settings" policy.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
</string>
<string id="LAPS_ADPasswordEncryptionEnabled">Enable password encryption</string>
<string id="LAPS_ADPasswordEncryptionEnabled_Help">When you enable this setting, the managed password is encrypted before being sent to Active Directory.
Enabling this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) the Active Directory domain functional level is at Windows Server 2016 or above.
If this setting is enabled, and the domain functional level is at or above Windows Server 2016, the managed account password is encrypted.
If this setting is enabled, and the domain functional level is less than Windows Server 2016, the managed account password is not backed up to the directory.
If this setting is disabled, the managed account password is not encrypted.
This setting will default to enabled if not configured.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
</string>
<string id="LAPS_ADPasswordEncryptionPrincipal">Configure authorized password decryptors</string>
<string id="LAPS_ADPasswordEncryptionPrincipal_Help">Configure this setting to control the specific user or group who is authorized to decrypt encrypted passwords.
Configuring this setting has no effect unless password encryption has been enabled.
If this setting is enabled, encrypted passwords will be decryptable by the specified group.
If this setting is disabled or not configured, encrypted passwords will be decryptable by the Domain Admins group.
This setting must be configured with either a domain-qualified name of a group or user, or a SID in string format. Valid examples include:
contoso\LAPSAdmins
lapsadmins@contoso.com
S-1-5-21-2127521184-1604012920-1887927527-35197
Do not enclose the user\group name or SID in enclosing quotes or parentheses.
The specified user or group must be resolvable by the managed device, otherwise passwords will not be backed up.
NOTE: this setting is ignored when Directory Services Repair Mode (DSRM) account passwords are backed up on a domain controller. In that scenario, this setting always defaults to the Domain Admins group of the domain controller's domain.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
</string>
<string id="LAPS_ADEncryptedPasswordHistorySize">Configure size of encrypted password history</string>
<string id="LAPS_ADEncryptedPasswordHistorySize_Help">Use this setting to configure how many previous encrypted passwords will be stored in Active Directory.
Configuring this setting has no effect unless 1) the password has been configured to be backed up to Active Directory and 2) password encryption has been enabled.
If this setting is enabled, the specified number of older passwords will be stored in Active Directory.
If this setting is disabled or not configured, zero older passwords will be stored in Active Directory.
This setting has a minimum allowed value of 0 passwords.
This setting has a maximum allowed value of 12 passwords.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
</string>
<string id="LAPS_ADBackupDSRMPassword">Enable password backup for DSRM accounts</string>
<string id="LAPS_ADBackupDSRMPassword_Help">When you enable this setting, the DSRM administrator account password will be managed and backed up to Active Directory.
Enabling this setting has no effect unless the managed device is a domain controller and password encryption is also enabled.
If this setting is enabled, the password for the DSRM administrator account on the domain controller will be backed up to Active Directory.
If this setting is disabled or not configured, the password for the DSRM administrator account on the domain controller will not be backed up to Active Directory.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
</string>
<string id="LAPS_PostAuthenticationActions">Post-authentication actions</string>
<string id="LAPS_PostAuthenticationActions_Help">This policy configures post-authentication actions which will be executed after detecting an authentication by the managed account.
Grace period: specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
If this setting is enabled and greater than zero, the specified post-authentication actions will be executed upon expiration of the grace period.
If this setting is disabled or not configured, the specified post-authentication actions will be executed after a default 24 hour grace period.
If this setting is equal to zero, no post-authentication actions will be executed.
Actions: specifies the actions to take upon expiration of the grace period.
Reset password: upon expiration of the grace period, the managed account password is reset.
Reset the password and logoff the managed account: upon expiration of the grace period, the managed account password is reset and any interactive logon sessions using the managed account are logged off.
Reset the password and reboot: upon expiration of the grace period, the managed account password is reset and the managed device is rebooted.
Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.
(NOTE: after any interactive logon sessions are terminated there may still be other authenticated sessions in use by the managed account. The only robust way to ensure that the previous password is longer in use is to reboot the device.)
If this setting is disabled or not configured, post-authentication actions will default to "Reset the password and logoff the managed account".
Note: the DSRM account on domain controllers cannot be configured for post-authentication actions. This policy has no effect on domain controllers and will be ignored even if configured for a DC.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
</string>
<string id="PostAuthenticationActions_Item0">Disabled - take no actions</string>
<string id="PostAuthenticationActions_Item1">Reset the password</string>
<string id="PostAuthenticationActions_Item3">Reset the password and logoff the managed account</string>
<string id="PostAuthenticationActions_Item5">Reset the password and reboot the device</string>
<string id="PostAuthenticationActions_Item11">Reset the password, logoff the managed account, and terminate any remaining processes</string>
<string id="LAPS_AutomaticAccountManagementPolicy">Configure automatic account management</string>
<string id="LAPS_AutomaticAccountManagementPolicy_Help">This policy configures automatic account management policy options.
Specify the target account to manage: specifies whether the built-in admin account or a custom account should be managed.
Automatic account name (or name prefix): specifies the name, or name prefix, to use for the managed account.
If this policy setting is configured, Windows LAPS will use it as the account name or name prefix for the target account.
If this policy setting is not configured, Windows LAPS will use "WLapsAdmin" as the account name or name prefix.
Note: this name is treated as a prefix when account name randomization is configured, see comments below.
Enable the managed account: specifies whether the managed account should be enabled or not.
If this policy setting is configured, Windows LAPS will enable the specified managed account.
If this policy setting is not configured, Windows LAPS will disable the specified managed account.
Note: Windows LAPS will regularly maintain and rotate the password of the managed account regardless of whether the account is maintained in an enabled\disabled status.
Randomize the name of the managed account: specifies whether the name of the managed account should be randomized with a random numeric suffix.
If this policy setting is configured, Windows LAPS will add an eight digit random numeric suffix to the managed automatic account name, and will re-randomize the name of the managed account every time the password is rotated.
If this policy setting is not configured, Windows LAPS will use the managed automatic account name as configured.
If the managed automatic account name prefix is configured, Windows LAPS will use up to the first twelve (12) characters of that name as a prefix for the random name. If the managed automatic account name is not configured, Windows LAPS will use "WLapsAdmin" as the name prefix.
Note: the DSRM account on domain controllers cannot be configured for automatic account management. This policy has no effect on domain controllers and will be ignored even if configured for a DC.
See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
</string>
<string id="AutomaticAccountManagementTarget_Item0">Manage the built-in admin account</string>
<string id="AutomaticAccountManagementTarget_Item1">Manage a custom admin account</string>
<string id="AutomaticAccountName_Help">Specify the account name or name prefix</string>
<string id="AutomaticAccountNameRandomization_Help">Specifies whether the automatic account name should be randomized.</string>
<string id="SUPPORTED_Windows10">At least Microsoft Windows 10 or later</string>
</stringTable>
<presentationTable>
<presentation id="LAPS_BackupDirectory">
<dropdownList refId="LAPS_BackupDirectory" defaultItem="1">Backup directory</dropdownList>
</presentation>
<presentation id="LAPS_PasswordSettings">
<dropdownList refId="LAPS_PasswordComplexity" defaultItem="3">Password Complexity</dropdownList>
<decimalTextBox refId="LAPS_PasswordLength" defaultValue="14">Password Length</decimalTextBox>
<decimalTextBox refId="LAPS_PasswordAgeDays" defaultValue="30">Password Age (Days)</decimalTextBox>
<decimalTextBox refId="LAPS_PassphraseLength" defaultValue="6">Passphrase Length (words)</decimalTextBox>
</presentation>
<presentation id="LAPS_AdminName">
<textBox refId="TEXT_AdminAccountName">
<label>Administrator account name</label>
</textBox>
</presentation>
<presentation id="LAPS_ADPasswordEncryptionPrincipal">
<textBox refId="TEXT_ADPasswordEncryptionPrincipal">
<label>Authorized password decryptor</label>
</textBox>
</presentation>
<presentation id="LAPS_ADEncryptedPasswordHistorySize">
<decimalTextBox refId="LAPS_ADEncryptedPasswordHistorySize_INT" defaultValue="0">Encrypted password history size</decimalTextBox>
</presentation>
<presentation id="LAPS_PostAuthenticationActions">
<decimalTextBox refId="LAPS_PostAuthenticationResetDelay_INT" defaultValue="24">Grace period (hours):</decimalTextBox>
<dropdownList refId="LAPS_PostAuthenticationActions" defaultItem="2">Actions:</dropdownList>
</presentation>
<presentation id="LAPS_AutomaticAccountManagementPolicy">
<dropdownList refId="LAPS_AutomaticAccountManagementTarget" defaultItem="0">Specify the target account to manage:</dropdownList>
<textBox refId="LAPS_AutomaticAccountManagementNameOrPrefix">
<label>Automatic account name (or name prefix):</label>
</textBox>
<checkBox refId="LAPS_AutomaticAccountManagementEnableAccount">Enable the managed account</checkBox>
<checkBox refId="LAPS_AutomaticAccountManagementRandomizeName">Randomize the name of the managed account</checkBox>
</presentation>
</presentationTable>
</resources>
</policyDefinitionResources>