Built in Windows 10 LAPS with 2016 domain controller?

Posted by jake04-20@reddit | sysadmin | View on Reddit | 3 comments

We're looking to implement LAPS, and as I understand it, support for Windows LAPS (as opposed to Legacy LAPS) for Windows 10 began in 21H2. We're running Windows Server 2016 domain controller and DC functional level of 2016. As I also understand it, support for Windows LAPS begins in Server 2019, meaning no support for 2016. I did pull the ADMX and ADML files from a Win10 client and added it to the central store on our 2016 DC. I can see the templates and there is verbiage in there that seems to indicate that some support is there for 2016 functional domain level. I'm curious if I install legacy LAPS on the DC and import the legacy PS module and use the "Update-AdmPwdADSchema" cmdlet to update the AD Schema, if that will integrate with Windows LAPS on the Win10 client side? Out of interest of avoiding to have to deploy LAPS to all of our endpoints when it's already built in. Has anyone tried this? Thanks

Reply to Post

3 Comments

[-]

Reo_Strong@reddit

Legacy LAPS is legacy, so why not just update? The basic process is to standup a new server with 2019 or 2022, install the AD role, adopt it into the domain and eject the 2016 server(s). Then you can roll the domain to a 2019 level and use the built-in tools.

[-]

jake04-20@reddit (OP)

Just ran the Powershell cmdlet for the new LAPS in my test environment and I see the attributes are different. I think that pretty much answers it then, it won't be possible to use legacy LAPS with built in Win10 LAPS. I suspected as much but it is a disappointment for sure.

[-]

jake04-20@reddit (OP)

I don't know how else to import the PS Module and update the AD Schema without installing LAPS legacy on 2016. Unless there is a new/supported way to import the module and update the AD schema for 2016 servers? I'm not interested in spinning up a new server just for LAPS or upgrading our DCs at the moment, and we don't even have 2019 user CALs yet and getting that approved in short notice for something like LAPS which should only take an afternoon to deploy, will be an uphill battle at this time of the year. Does new LAPS use the same attributes in AD as the legacy LAPS?