A nice and simple Web Interface for LAPS (Local Administrator Password Solution)

Seji64/LAPS-WebUI

LAPS-WebUI

A simple web interface for Microsoft LAPS (Local Administrator Password Solution).


📚 About

This is a modern frontend for Microsoft LAPS, supporting:

  • LAPS v1 and v2
  • Multiple Active Directory domains
  • Authentication directly via Active Directory
  • Bare-metal and Docker deployment

No additional user management is needed; access is fully controlled by Active Directory permissions.


⚠️ Version 1.6.0 Notice

Starting with version 1.6.0, multi-domain support was added.
As a result, the configuration format has changed.
Review the updated appsettings.json.example for details and adjust your setup accordingly.


🛠 Requirements

  • Active Directory with Microsoft LAPS installed
  • .NET 10 runtime or a Docker host
  • Python 3 with dpapi-ng installed:
    pip install dpapi-ng[kerberos]
    

Bare Metal:

  • Download the latest release for your platform
  • Unzip the archive
  • Rename appsettings.json.example to appsettings.json and edit it as needed, or set the settings via environment variables
  • Ensure Python 3 and dpapi-ng (pip install dpapi-ng[kerberos]) are installed
  • Run LAPS-WebUI

Notes for LAPS v2

  • LAPS v2 is supported since version 1.5.0
  • By default, LAPS v2 passwords are encrypted. If your LAPS v2 passwords are stored unencrypted, set EncryptionDisabled to true in the settings
  • When LAPS v2 passwords are encrypted, a direct connection to the domain controllers with Kerberos and DCE-RPC is needed to decrypt them. For LAPS v1 and unencrypted LAPS v2 passwords, only LDAP is needed

Setup (docker):

Running LAPS-WebUI in Docker is quite easy:

docker run -d \
  --name=lapswebui \
  -e Domains__0__Name=example.com \
  -e Domains__0__Ldap__Server=ldap.example.com \
  -e Domains__0__Ldap__Port=389 \
  -e Domains__0__Ldap__UseSSL=false \
  -e Domains__0__Ldap__TrustAllCertificates=true \
  -e Domains__0__Ldap__SearchBase='DC=example,DC=com' \
  -p 8080:8080 \
  --restart unless-stopped \
  ghcr.io/seji64/laps-webui:1.6

⚙️ Advanced Configuration

  • Listen address and port: Learn more
  • Behind a reverse proxy: WebSocket support must be enabled!

Logging to file (Serilog)

LAPS-WebUI uses Serilog for logging. By default, logs are written to the console only.

Enable file logging

To enable logging to files, extend your appsettings.json like this:

{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Information",
      "Override": {
        "Microsoft": "Warning"
      }
    },
    "WriteTo": [
      { "Name": "Console" },
      {
        "Name": "File",
        "Args": {
          "path": "Logs/laps-webui-.log",
          "rollingInterval": "Day",
          "retainedFileCountLimit": 7
        }
      }
    ],
    "Enrich": [ "FromLogContext" ]
  }
}

Log file behavior

  • Log files are stored in the Logs directory
  • A new log file is created each day
  • Old log files are automatically deleted after the configured number of days

Optional: limit file size

You can also enable log rotation based on file size:

"fileSizeLimitBytes": 10485760,
"rollOnFileSizeLimit": true

Configure file logging via environment variables

You can also configure Serilog using environment variables (useful for Docker or container setups):

SERILOG__WRITETO__0__NAME=Console
SERILOG__WRITETO__1__NAME=File
SERILOG__WRITETO__1__ARGS__PATH=Logs/laps-webui-.log
SERILOG__WRITETO__1__ARGS__ROLLINGINTERVAL=Day
SERILOG__WRITETO__1__ARGS__RETAINEDFILECOUNTLIMIT=7

Notes:

  • Double underscores (__) represent nested configuration levels
  • Array indices start at 0
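
The docker run example above sets Domains__0__Ldap__UseSSL=false and Domains__0__Ldap__TrustAllCertificates=true, and the notes above explain how __ maps to nested settings. The following is an added example, not part of the LAPS-WebUI project: it rebuilds the Domains__N__... variables into a nested structure and flags those two values before deployment. The meaning of the two flags is assumed from their names, and the hardened sample values are constructed.

```python
import os
# Assumption: the two flags do what their names on this page suggest.
WEAK = {
    "usessl": ("false", "UseSSL=false: LDAPS is off, the connection is not TLS-protected"),
    "trustallcertificates": ("true", "TrustAllCertificates=true: server certificate is not validated"),
}

def unflatten(env):
    """Rebuild Domains__<n>__... variables into nested dicts (.NET keys are case-insensitive)."""
    root = {}
    for name, value in env.items():
        parts = name.lower().split("__")
        if parts[0] != "domains" or len(parts) < 3 or not parts[1].isdigit():
            continue
        node = root
        for part in parts[1:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                child = node[part] = {}
            node = child
        node[parts[-1]] = value.strip()
    return root

def audit(env):
    """Return (domain, setting, message) for every explicitly weak LDAP setting."""
    findings = []
    for index, domain in sorted(unflatten(env).items(), key=lambda kv: int(kv[0])):
        ldap = domain.get("ldap")
        label = domain.get("name", f"Domains[{index}]")
        for key, (weak, message) in WEAK.items():
            if isinstance(ldap, dict) and str(ldap.get(key, "")).lower() == weak:
                findings.append((label, key, message))
    return findings

# Constructed inputs: values from the docker run example, and a hypothetical hardened variant.
README_EXAMPLE = {
    "Domains__0__Name": "example.com",
    "Domains__0__Ldap__UseSSL": "false",
    "Domains__0__Ldap__TrustAllCertificates": "true",
}
HARDENED = {
    "DOMAINS__0__NAME": "example.com",
    "DOMAINS__0__LDAP__USESSL": "true",
    "DOMAINS__0__LDAP__TRUSTALLCERTIFICATES": "false",
}

if __name__ == "__main__":
    for domain, _, message in audit(dict(os.environ)):
        print(f"{domain}: {message}")
```

Run inside the container environment, it audits the variables actually set; unset keys are not flagged because the application's defaults are not stated on this page.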

🧑‍💻 Usage

  • Access the app at: http://127.0.0.1:8080
  • Authenticate with your Active Directory user credentials
  • Search for a computer by its name
  • Click on the result to display the LAPS-managed password

❓ FAQ

Why is there no user management?

Authentication and authorization are fully handled by Active Directory.

What LAPS versions are supported?

Both Microsoft LAPS v1 (legacy) and LAPS v2 (modern) are supported.
