RapidLAPS requires two components. The Access Manager Server, and the Access Manager Agent. The agent installs a Windows Credential Provider onto the machine, which when invoked, creates a request for the LAPS password and sends it to the server.

The server then waits for the request to be either approved, or denied by an appropriately authorized user.

Once authorized, the LAPS password is retrieved from the relevant directory, encrypted with a one-time key and send to the agent.

The agent then passes the LAPS password to the Windows logon provider, and the authentication proceeds as normal.

RapidLAPS can retrieve LAPS passwords set by the legacy Microsoft LAPS agent, the new Windows LAPS agent, or by the Access Manager agent itself.

The Access Manager agent must be deployed to the device, but the LAPS password management feature of the agent does not need to be used.

RapidLAPS does not require internet access. However, it does require line-of-site to the Access Manager server. If your agents are off-network, and you want to support RapidLAPS operations, then you'll need to ensure the clients can connect to the Access Manager server. This can be using something like an always-on VPN, or publishing the API endpoint via a reverse proxy or web application firewall.

The community edition of Access Manager allows you to deploy up to 100 agents for free.

For larger environments, you can learn more about purchasing the Enterprise edition of Access Manager on our pricing page.