macOS LAPS (Local Administrator Password Solution)
macOSLAPS is a Swift binary that uses Open Directory to determine whether the local administrator password has expired, as recorded in the Active Directory attribute dsAttrTypeNative:ms-Mcs-AdmPwdExpirationTime. If it has, a new randomly generated password is set on the local admin account and a new expiration date is written back to the computer record. The password itself is stored in the Active Directory attribute dsAttrTypeNative:ms-Mcs-AdmPwd, which can only be read by principals explicitly granted access to it. The computer record can write to this attribute but cannot read it, so the computer account itself cannot be used to retrieve the stored password.
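Expiration is decided by comparing ms-Mcs-AdmPwdExpirationTime with the current time, and that attribute is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) rather than a Unix epoch value. The following Python is an added example, not macOSLAPS's own code: it converts in both directions, treats an absent or empty attribute (a password that has never been set) as expired, and computes the FILETIME to write back after a rotation. Function names and the sample value are this example's own.

```python
"""Expiration handling for a LAPS-style computer record (added example).

ms-Mcs-AdmPwdExpirationTime is a 64-bit Windows FILETIME: the number of
100-nanosecond ticks since 1601-01-01 00:00:00 UTC.  Comparing it directly
with a Unix timestamp silently marks every password as "not expired".
"""
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one FILETIME tick is 100 ns


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    # timedelta resolves microseconds, so ten ticks become one microsecond.
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to a FILETIME integer (microsecond precision)."""
    delta = dt.astimezone(timezone.utc) - WINDOWS_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def parse_expiration(attr_value):
    """Parse the attribute as read back from the directory (text or int).

    An absent or empty value means a password has never been set; return
    None so the caller treats the record as expired.
    """
    if attr_value is None:
        return None
    text = str(attr_value).strip()
    if not text:
        return None
    if not text.isdigit():
        raise ValueError(f"not a FILETIME value: {text!r}")
    return int(text)


def password_expired(attr_value, now=None) -> bool:
    """True when the stored expiration is missing or not in the future."""
    now = now or datetime.now(timezone.utc)
    ft = parse_expiration(attr_value)
    return ft is None or filetime_to_datetime(ft) <= now


def next_expiration(days=60, now=None) -> int:
    """FILETIME value to write back after a rotation (DaysTillExpiration)."""
    now = now or datetime.now(timezone.utc)
    return datetime_to_filetime(now + timedelta(days=days))


if __name__ == "__main__":
    # Constructed sample: the value a computer record would hold for
    # 2018-11-15 00:00:00 UTC.
    sample = "131867136000000000"
    print(filetime_to_datetime(int(sample)).isoformat())
    print("expired now:", password_expired(sample))
    print("next expiration:", next_expiration(60))
```

The empty-value rule is the case the 1.0.2 build fixed: a record that has never had a password set must be treated as due for rotation, not as a parse failure that aborts the run.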
The following preference keys are optional; any key that is not set falls back to its default:
- LocalAdminAccount - Local administrator account to manage. Default is 'admin'. (String)
- DaysTillExpiration - Number of days until the random password expires. Default is 60. (Integer)
- PasswordLength - Length of the randomly generated password. Default is 12. (Integer)
- RemoveKeyChain - Remove the local admin's keychains after the password change. Default is true, which is recommended: the old login keychain is protected by a password that nothing retains once it has been replaced. (Boolean)
- RemovePassChars - Characters to exclude from the randomly generated password. (String)
- ExclusionSets - Character sets to exclude, given as an array of strings (example: "symbols"). (Array of String)
These parameters are set in the location
or you can use your MDM's Custom Settings to set these values.
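Each key has a fixed type, and a plist that carries PasswordLength as the string "16" rather than the integer 16 is not what the binary expects. The Python below is an added example, not part of macOSLAPS: it writes an edu.psu.macOSLAPS.plist with the right types using the standard plistlib module and validates one on the way back in, applying the documented defaults for missing keys. The defaults assumed for RemovePassChars (no extra characters) and ExclusionSets (no sets), the output path and the function names are this example's assumptions.

```python
"""Write and validate edu.psu.macOSLAPS preferences (added example).

Uses only the standard library; plistlib emits the same XML plist format
that `defaults` and MDM custom settings deliver.
"""
import plistlib

# Documented defaults.  The two marked "assumed" are not stated on the page.
DEFAULTS = {
    "LocalAdminAccount": "admin",
    "DaysTillExpiration": 60,
    "PasswordLength": 12,
    "RemoveKeyChain": True,
    "RemovePassChars": "",   # assumed: exclude nothing beyond the built-in "'"
    "ExclusionSets": [],     # assumed: exclude no character sets
}
EXPECTED_TYPES = {key: type(value) for key, value in DEFAULTS.items()}


def build_prefs(**overrides) -> bytes:
    """Serialise the given keys as an XML plist; unknown keys are rejected."""
    unknown = sorted(set(overrides) - set(DEFAULTS))
    if unknown:
        raise KeyError(f"unknown preference keys: {unknown}")
    return plistlib.dumps(overrides, fmt=plistlib.FMT_XML, sort_keys=True)


def prefs_errors(data: bytes) -> list:
    """Return a list of problems found in a serialised preference file."""
    errors = []
    for key, value in plistlib.loads(data).items():
        expected = EXPECTED_TYPES.get(key)
        if expected is None:
            errors.append(f"{key}: unknown key")
        # bool is a subclass of int, so an explicit check keeps true/false
        # out of the integer keys and plain integers out of the boolean one.
        elif (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
            errors.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        elif key == "ExclusionSets" and not all(isinstance(s, str) for s in value):
            errors.append("ExclusionSets: every entry must be a string")
        elif key in ("DaysTillExpiration", "PasswordLength") and value < 1:
            errors.append(f"{key}: must be at least 1")
    return errors


def load_prefs(data: bytes) -> dict:
    """Parse a preference file, filling in defaults for keys that are absent."""
    problems = prefs_errors(data)
    if problems:
        raise ValueError("; ".join(problems))
    prefs = dict(DEFAULTS)
    prefs.update(plistlib.loads(data))
    return prefs


def write_prefs(path: str, **overrides) -> dict:
    """Write the plist to `path` and return the effective settings."""
    data = build_prefs(**overrides)
    with open(path, "wb") as fh:
        fh.write(data)
    return load_prefs(data)


if __name__ == "__main__":
    # Constructed settings for a hypothetical 'ladmin' account; the path is
    # an assumption for this example, not the location macOSLAPS reads.
    effective = write_prefs("./edu.psu.macOSLAPS.plist", LocalAdminAccount="ladmin",
                            PasswordLength=16, ExclusionSets=["symbols"])
    print(effective)
```

The type check matters in practice because `defaults write` stores a bare value as a string unless you pass `-int` or `-bool`; running the generated file through prefs_errors catches that before it reaches the binary.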
NOTE: The Swift binary will most likely only work on macOS 10.10+. If you need to run LAPS on older versions of macOS please use the legacy version of macOSLAPS written in Python here
As one of my colleagues pointed out, the ' character that macOS generates cannot be typed on a Windows client without opening Character Map. Since that makes a LAPS password containing it very hard to use from Windows, this character is excluded by default.
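The generator behaviour described on this page (PasswordLength, RemovePassChars, ExclusionSets, the apostrophe always excluded, and ten candidates drawn before one is picked) looks like this in Python. This is an added example and not macOSLAPS's own code; the set names other than "symbols", the function names and the entropy helper are this example's own.

```python
"""Random local-admin password generation with exclusions (added example).

Reflects the behaviour described above: PasswordLength, RemovePassChars,
ExclusionSets (named sets such as "symbols"), the apostrophe excluded by
default, and drawing ten candidates before picking one.
"""
import math
import secrets
import string

CHARACTER_SETS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
# Cannot be typed on a Windows client without Character Map, so always out.
DEFAULT_REMOVED_CHARS = "'"


def build_alphabet(exclusion_sets=(), remove_chars=""):
    """Return the characters a password may contain after all exclusions."""
    unknown = sorted(set(exclusion_sets) - set(CHARACTER_SETS))
    if unknown:
        raise ValueError(f"unknown ExclusionSets entries: {unknown}")
    banned = set(remove_chars) | set(DEFAULT_REMOVED_CHARS)
    alphabet = "".join(
        ch
        for name, chars in CHARACTER_SETS.items()
        if name not in exclusion_sets
        for ch in chars
        if ch not in banned
    )
    if not alphabet:
        raise ValueError("every character has been excluded")
    return alphabet


def random_string(alphabet, length):
    """Draw `length` characters with a CSPRNG (the `secrets` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_password(length=12, exclusion_sets=(), remove_chars="", candidates=10):
    """Generate `candidates` passwords and return one of them at random."""
    if length < 1:
        raise ValueError("PasswordLength must be at least 1")
    alphabet = build_alphabet(exclusion_sets, remove_chars)
    pool = [random_string(alphabet, length) for _ in range(candidates)]
    return secrets.choice(pool)


def entropy_bits(length=12, exclusion_sets=(), remove_chars=""):
    """Strength of a password drawn uniformly from the resulting alphabet."""
    return length * math.log2(len(build_alphabet(exclusion_sets, remove_chars)))


if __name__ == "__main__":
    # Constructed settings: no symbols, and the look-alike characters removed.
    print(generate_password(16, exclusion_sets=["symbols"], remove_chars="0O1lI"))
    print(round(entropy_bits(16, ["symbols"], "0O1lI"), 1), "bits")
```

Two points worth knowing before tuning these keys. Picking one of ten candidates does not add strength: each candidate is already uniform over the alphabet, so the result is exactly as strong as a single draw, and the security rests on the CSPRNG behind `secrets`. Excluding sets does cost strength, as entropy_bits shows (about 78 bits for the 12-character default, about 71 bits once symbols are gone), so raise PasswordLength when you exclude symbols.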
At this time you can clone the repo, download a zip of it, or install the package built with Packages. The package includes a LaunchDaemon that runs macOSLAPS every 90 minutes.
macOSLAPS is designed to run unattended (e.g. triggered by a LaunchDaemon or your management tool of choice). It can also be invoked manually at the command line by running
/usr/local/laps/macOSLAPS as root. Supported argument:
- -resetPassword - generates a new password regardless of the expiration date and writes it to the Active Directory computer record.
The binary also logs when the password is changed and what its new expiration date is, or, when the password is left unchanged, when it will expire. The log
file is stored in
Because this version is a compiled binary rather than a script, it can be code-signed so that its integrity and origin can be verified before it runs as root, and its source is not displayed when someone inspects the executable. Treat the signature as the security control; not exposing the source is a convenience, not protection. Please test this new version and report back results.
Local Admin Keychain
By default, the keychains of the managed local admin account are deleted after a rotation: the login keychain is protected by the previous password, which nothing retains once it has been replaced, so it could never be unlocked again. Set RemoveKeyChain to false if you want to keep it anyway.
- Rusty Myers - For helping to determine that Windows has its own time method vs Epoch time
- Matt Hansen - For critiquing and assisting with generating the random password
- Allen Clouser and Jody Harptster - For showing me that the ' key cannot be used from a Windows client without character map
- John Pater - For advising me on the idea of generating 10 random passwords and picking one randomly to further randomize the password
- Joel Rennich - For taking my questions about Swift and advising me on better ways to utilize Swift
1.0.5(78) - Nov 15, 2018
This build changes the keychain function to read the account's NFSHomeDirectory attribute BEFORE appending the "/Library/Keychains" path, since some local admin accounts do not live under "/Users". This should resolve issue #23.
Signing for the package as well as the binary has been changed to The Pennsylvania State University.
1.0.4(62) - Mar 9, 2018
This build is a small update of the code to Swift 4 and should resolve issue #14. It also adds a write-access check: the expiration time is read from the computer record and written straight back, confirming that we can write to the directory before attempting the password change. The password-change logic now sets the new password in Active Directory FIRST and only then changes it locally, which should resolve issue #8. Please download and give this a try.
--Updated May 7, 2018 - Fixed a bug that caused the executable to crash when Active Directory was not available; the direct path is now specified. Should address issue #17. Also added the new LaunchDaemon plist that runs macOSLAPS every 90 minutes. Fixed small typos and made the "Active Directory not available" message report as an error.
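The ordering described in the 1.0.4 notes is easier to reason about as code. The Python below is an added example, not macOSLAPS's own code: a small in-memory class stands in for the Active Directory computer record and enforces the ACL from the overview (the computer can write ms-Mcs-AdmPwd but not read it), and rotate() walks through the write-access check, the AD-first password write, the local change and the expiration update, reporting which stage failed when the directory is unavailable. Class names, function names and the constructed state are this example's own.

```python
"""Rotation sequence with a write-access check (added example).

FakeComputerRecord stands in for the Active Directory computer record: the
computer can read and write ms-Mcs-AdmPwdExpirationTime but can only write,
never read, ms-Mcs-AdmPwd.  rotate() follows the order from the 1.0.4 notes.
"""
PWD_ATTR = "dsAttrTypeNative:ms-Mcs-AdmPwd"
EXP_ATTR = "dsAttrTypeNative:ms-Mcs-AdmPwdExpirationTime"


class DirectoryUnavailable(Exception):
    """Active Directory could not be reached."""


class AccessDenied(Exception):
    """The computer record is not allowed to perform this operation."""


class FakeComputerRecord:
    """In-memory computer record (constructed for this example)."""

    READABLE = {EXP_ATTR}
    WRITABLE = {PWD_ATTR, EXP_ATTR}

    def __init__(self, expiration, available=True):
        self.available = available
        self._attrs = {EXP_ATTR: expiration}

    def read(self, attr):
        if not self.available:
            raise DirectoryUnavailable()
        if attr not in self.READABLE:
            raise AccessDenied(f"read {attr}")
        return self._attrs.get(attr)

    def write(self, attr, value):
        if not self.available:
            raise DirectoryUnavailable()
        if attr not in self.WRITABLE:
            raise AccessDenied(f"write {attr}")
        self._attrs[attr] = value

    def admin_view(self, attr):
        """What a principal granted read access sees; not available to the computer."""
        return self._attrs.get(attr)


class LocalAccount:
    """Local admin account whose password is set through the local directory."""

    def __init__(self, name, password):
        self.name = name
        self.password = password

    def set_password(self, new_password):
        self.password = new_password


def rotate(record, account, new_password, new_expiration, log):
    """Rotate the password; return "rotated" or "error: <stage>" and append to log."""
    stage = "write-access check"
    try:
        # 1. Prove we can write: read the expiration and write it straight back.
        record.write(EXP_ATTR, record.read(EXP_ATTR))
        stage = "directory password write"
        # 2. Active Directory first: if this fails, nothing has changed locally.
        record.write(PWD_ATTR, new_password)
        stage = "local password change"
        # 3. Local account next.
        account.set_password(new_password)
        stage = "expiration update"
        # 4. Expiration last, so a failure before this point leaves the old
        #    (expired) value in place and the next run rotates again.
        record.write(EXP_ATTR, new_expiration)
    except DirectoryUnavailable:
        log.append(f"ERROR: Active Directory not available during {stage}")
        return f"error: {stage}"
    except AccessDenied as exc:
        log.append(f"ERROR: computer record cannot {exc} during {stage}")
        return f"error: {stage}"
    log.append(f"Password changed for {account.name}; expires at FILETIME {new_expiration}")
    return "rotated"


def demo(available=True):
    """Run one rotation against constructed state and return what happened."""
    record = FakeComputerRecord(expiration=131867136000000000, available=available)
    account = LocalAccount("admin", "old-password")
    log = []
    result = rotate(record, account, "N3w-R4ndom-Pw",
                    131867136000000000 + 60 * 86400 * 10_000_000, log)
    return result, account.password, record.admin_view(PWD_ATTR), record.admin_view(EXP_ATTR), log


if __name__ == "__main__":
    for line in demo()[4] + demo(available=False)[4]:
        print(line)
```

The AD-first order is what keeps the two sides recoverable: if the directory write fails, the local password is untouched; if the local change fails afterwards, the expiration has not been advanced, so the next scheduled run rotates again and brings the two back into agreement.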
1.0.3 - Nov 16, 2017
A new build of macOSLAPS that should resolve issue #10. Thank you for the request @bartreardon! This also adds the capability to accept additional command line arguments when running the executable.
The LAPS password can now be reset on demand by passing the -resetPassword argument: macOSLAPS -resetPassword
1.0.2 - Sep 7, 2017
Compiled a package after @bartreardon updated the code to handle the case where a password has never been set. Also added the paths.d file from the legacy version, which allows you to call macOSLAPS from anywhere in Terminal.
1.0.1 - Jul 12, 2017
Update includes the ability to exclude a character set as per issue #1. You can define the character set you would like to exclude with the following key in edu.psu.macOSLAPS.plist: