A nice and simple Web Interface for LAPS (Local Administrator Password Solution)
Version 1.6.0 adds multidomain support. Due this change the configurations changes. Please see appsettings.json.example and
- A working Active Directory with Microsoft LAPS installed
- .NET Core 8.0 compatible Operating System (Ubuntu/Debian/CentOS/Alpine Linux/Windows/macOS) or a Docker Host
- Download the latest Release for your Platform
- Unzip Archive
- Rename
appsettings.json.exampletoappsettings.jsonand edit as needed or set the settings via Environment Variables - Ensure Python3 and dpapi-ng (
pip install dpapi-ng[kerberos]) is installed - Run LAPS-WebUI
- Since Version 1.5.0 LAPS v2 is supported
- By default, LAPS v2 passwords are encrypted. If the LAPS v2 passwords are stored unencrypted, then you have to set
EncryptionDisabledtotruein the settings - When LAPS v2 Passwords are encrypted a direct connection to the domain controllers with
KerberosandDCE-RPCis needed in order to decrypt those passwords. For LAPS v1 and unecrypted LAPS v2 passwords onlyLDAPis needed
Running LAPS-WebUI in docker is quite easy:
docker run -d \
--name=lapswebui \
-e Domains__0__Name=example.com \
-e Domains__0__Ldap__Server=ldap.example.com \
-e Domains__0__Ldap__Port=389 \
-e Domains__0__Ldap__UseSSL=false \
-e Domains__0__Ldap__TrustAllCertificates=true \
-e Domains__0__Ldap__SearchBase='DC=example,DC=com' \
-p 8080:8080 \
--restart unless-stopped \
ghcr.io/seji64/laps-webui:1.6
There are a few options to configure this. Here is a quite good writeup with explains all options.
If you are using a reverse proxy ensure WebSockets are allowed / enabled
- Navigate with your WebBrowser to the LAPS WebUI Page (Default: http://127.0.0.1:8080 )
- Login with any Active Directory User which can access the LAPS LDAP Properties
- Type any Computername in the Searchbox and click a result to view the LAPS Password.
There is none cause LAPS-WebUI authenticates against your ActiveDirectory. There is also defined who can read those LAPS Passwords.
