BIPI

LAPS and gMSA Abuse: When Password Rotation Becomes an Attack Path

Cybersecurity

LAPS and Group Managed Service Accounts are sold as the fix for local admin reuse. Misconfigured, they become the fastest lateral movement path in the domain. How to find and abuse readable ms-Mcs-AdmPwd and msDS-ManagedPassword.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 17, 2025 · 11 min read

#active-directory #laps #gmsa #lateral-movement #ad-attack

Why LAPS matters

LAPS rotates the local Administrator password per machine and stores it in AD as the ms-Mcs-AdmPwd attribute (legacy LAPS) or msLAPS-Password (Windows LAPS). Read access to the attribute is delegated through the ACL. Misdelegated, any domain user can read every local admin password in the forest.

Finding readable LAPS passwords

Common misconfigurations

  • Help desk group granted All Extended Rights on the entire Computers OU
  • Read-Only Domain Controllers caching ms-Mcs-AdmPwd in error
  • Audit ACEs missing, so password reads are invisible
  • Windows LAPS deployed alongside legacy LAPS, doubling the attack surface

gMSA: the silver bullet that often misfires

Group Managed Service Accounts auto-rotate their password every 30 days. The password is stored in msDS-ManagedPassword, an attribute readable only by the principals listed in PrincipalsAllowedToRetrieveManagedPassword. Add a wide group there (Domain Users, Authenticated Users) and every member of that group can retrieve the password: the account is game over.

Looting a gMSA

Chaining LAPS reads with BloodHound

  1. Run SharpHound with -CollectionMethods All,LocalAdmin,LAPS
  2. BloodHound exposes ReadLAPSPassword edges in the graph
  3. Query: Shortest path from Domain Users to Domain Admins via LAPS
  4. One readable LAPS attribute on a Tier-0 admin workstation collapses the forest

Real-world failure modes

  • MSA Manager service account with msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)
  • Help desk OU inherits Read on ms-Mcs-AdmPwd from a parent OU
  • Operators left a temporary delegation that became permanent
  • Legacy LAPS schema retained after Windows LAPS migration

Detection

Event ID 4662 recording a read of the ms-Mcs-AdmPwd or msLAPS-Password attribute is the canonical detection, but it is only generated when a SACL exists for the attribute. Windows LAPS adds a dedicated LAPS event source. Sysmon configured with directory service auditing catches the same. Most environments do not enable SACLs on the attribute, so abuse is silent.

Remediation

  • Migrate to Windows LAPS, encrypt password at rest with DPAPI-NG
  • Audit ACLs with Find-LAPSDelegatedGroups and dsacls on the Computers OUs
  • Enable SACL: log every read of ms-Mcs-AdmPwd, alert on non-helpdesk reads
  • Use Tier model: Tier 0 hosts get separate LAPS scope
  • For gMSA: restrict PrincipalsAllowedToRetrieveManagedPassword to single host group
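An audit script covering the two ACL bullets above, written for this article as an added example and not code from BIPI or from LAPSToolkit. It assumes the RSAT ActiveDirectory module, a user permitted to read ACLs, and an assumed $wideGroups list of principals that should never hold LAPS or gMSA read rights.

```powershell
# Added example, not code from the BIPI article. Assumes the RSAT ActiveDirectory
# module and a user permitted to read ACLs; $wideGroups is an assumed list of principals.
Import-Module ActiveDirectory
$wideGroups = 'Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers', 'Users'
# 1. Resolve schemaIDGUIDs at run time: legacy LAPS generates the ms-Mcs-AdmPwd GUID
#    when the schema is extended, so it can differ between forests.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lapsAttr = @{}
foreach ($n in 'ms-Mcs-AdmPwd', 'msLAPS-Password', 'msLAPS-EncryptedPassword') {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(name=$n)" -Properties schemaIDGUID
    if ($o) { $lapsAttr[[guid]::new([byte[]]$o.schemaIDGUID)] = $n }
}
# Both attributes are confidential: reading them needs control access (ExtendedRight)
# on the attribute, or All Extended Rights / GenericAll on the object.
$ctrl = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$all  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
# 2. Walk OUs (where delegation is set) and computers (where it is inherited).
$targets = @(Get-ADOrganizationalUnit -Filter *) + @(Get-ADComputer -Filter *)
$lapsFindings = foreach ($t in $targets) {
    $acl = Get-Acl -Path ('AD:\' + $t.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $why = $null
        if ($lapsAttr.ContainsKey($ace.ObjectType) -and $ace.ActiveDirectoryRights.HasFlag($ctrl)) {
            $why = "read $($lapsAttr[$ace.ObjectType])"
        } elseif ($ace.ObjectType -eq [guid]::Empty -and ($ace.ActiveDirectoryRights.HasFlag($ctrl) -or $ace.ActiveDirectoryRights.HasFlag($all))) {
            $why = 'All Extended Rights / GenericAll (covers every LAPS attribute)'
        }
        if (-not $why) { continue }
        [pscustomobject]@{ Object = $t.DistinguishedName; Identity = $ace.IdentityReference.Value
                           Why = $why; Inherited = $ace.IsInherited
                           Wide = $wideGroups -contains ($ace.IdentityReference.Value -split '\\')[-1] }
    }
}
# 3. gMSAs: every principal in PrincipalsAllowedToRetrieveManagedPassword can pull the password.
$gmsaFindings = Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"' -Properties PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
    $acct = $_
    foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
        $p = Get-ADObject -Identity $dn
        [pscustomobject]@{ gMSA = $acct.Name; Principal = $p.Name; Class = $p.ObjectClass
                           Wide = $wideGroups -contains $p.Name }
    }
}
$lapsFindings | Where-Object Wide | Sort-Object Identity, Object | Format-Table -AutoSize
$gmsaFindings | Format-Table -AutoSize
```

The full $lapsFindings set (including help-desk and admin groups) is what to review against the tiering model; the Inherited column shows which entries come from a parent OU rather than a direct ACE on the computer.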

  • ~60%: AD pentests with at least one over-delegated LAPS attribute
  • Rare but catastrophic: gMSA with Domain Users in PrincipalsAllowed
  • Minutes: time from low-priv to forest admin via LAPS chain

Password rotation without read-access governance is a vault with the door open.
