Policy
Configure automatic account management
This policy configures automatic account management policy options.
Specify the target account to manage: specifies whether the built-in admin account or a custom account should be managed.
Automatic account name (or name prefix): specifies the name, or name prefix, to use for the managed account. If this policy setting is configured, Windows LAPS will use it as the account name or name prefix for the target account. If this policy setting is not configured, Windows LAPS will use "WLapsAdmin" as the account name or name prefix. Note: this name is treated as a prefix when account name randomization is configured, see comments below.
Enable the managed account: specifies whether the managed account should be enabled or not. If this policy setting is configured, Windows LAPS will enable the specified managed account. If this policy setting is not configured, Windows LAPS will disable the specified managed account. Note: Windows LAPS will regularly maintain and rotate the password of the managed account regardless of whether the account is maintained in an enabled\disabled status.
Randomize the name of the managed account: specifies whether the name of the managed account should be randomized with a random numeric suffix. If this policy setting is configured, Windows LAPS will add an eight digit random numeric suffix to the managed automatic account name, and will re-randomize the name of the managed account every time the password is rotated. If this policy setting is not configured, Windows LAPS will use the managed automatic account name as configured. If the managed automatic account name prefix is configured, Windows LAPS will use up to the first twelve (12) characters of that name as a prefix for the random name. If the managed automatic account name is not configured, Windows LAPS will use "WLapsAdmin" as the name prefix.
Note: the DSRM account on domain controllers cannot be configured for automatic account management.
This policy has no effect on domain controllers and will be ignored even if configured for a DC. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
e289c27554cb LAPS_AutomaticAccountManagementPolicy
Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementEnabled (enabled) = 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementEnabled (disabled) = 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementNameOrPrefix
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementTarget
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementEnableAccount
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\AutomaticAccountManagementRandomizeName
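An audit sketch for the settings described above, added here as an example and not taken from Microsoft or this page: it reads the listed policy values, derives the account name pattern the description implies (name as configured, or up to twelve prefix characters plus eight digits), and lists matching local accounts whose enabled state disagrees with policy. Assumptions: the sub-options are stored as values where 1 means "configured", and the function name Get-LapsAutoAccountPolicy is hypothetical.

```powershell
# Added example; value semantics other than AutomaticAccountManagementEnabled are assumed.
$LapsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'

function Get-LapsAutoAccountPolicy {
    param([string]$Path = $LapsKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    # Page mapping: AutomaticAccountManagementEnabled = 1 (enabled) / 0 (disabled).
    if (-not $p -or $p.AutomaticAccountManagementEnabled -ne 1) {
        return [pscustomobject]@{ Managed = $false }
    }
    # An unconfigured name falls back to "WLapsAdmin", per the policy text.
    $name = if ($p.AutomaticAccountManagementNameOrPrefix) {
        [string]$p.AutomaticAccountManagementNameOrPrefix
    } else { 'WLapsAdmin' }
    $randomize = ($p.AutomaticAccountManagementRandomizeName -eq 1)   # assumption: 1 = on
    if ($randomize) {
        # Up to the first 12 characters are kept, then an 8-digit numeric suffix.
        $prefix  = $name.Substring(0, [Math]::Min(12, $name.Length))
        $pattern = '^' + [regex]::Escape($prefix) + '\d{8}$'
    } else {
        $pattern = '^' + [regex]::Escape($name) + '$'
    }
    [pscustomobject]@{
        Managed        = $true
        TargetRaw      = $p.AutomaticAccountManagementTarget   # reported as stored, not interpreted
        AccountEnabled = ($p.AutomaticAccountManagementEnableAccount -eq 1)   # assumption: 1 = on
        Randomized     = $randomize
        NamePattern    = $pattern
    }
}

# The policy is ignored on domain controllers (DomainRole 4 or 5), so skip them.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Output 'Domain controller: automatic account management policy is ignored.'
} else {
    $policy = Get-LapsAutoAccountPolicy
    if ($policy.Managed) {
        # Accounts matching the expected name whose state differs from policy.
        Get-LocalUser |
            Where-Object { $_.Name -match $policy.NamePattern -and
                           $_.Enabled -ne $policy.AccountEnabled } |
            Select-Object Name, Enabled, PasswordLastSet
    } else {
        Write-Output 'Automatic account management is not enabled by policy.'
    }
}
```

An empty result on a managed machine means every matching account is in the state the policy asks for; the name pattern applies to the custom-account case and says nothing about the built-in administrator account.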