OVERLAPS for Microsoft LAPS 3.2 Now Available

We have now made the 3.2 patch for OVERLAPS available from your My Account page. The main feature of this update is added support for the new Windows LAPS from Microsoft (you can read more about that here). For additional release notes and patch information, please see below.

Important Note

New Features

  • Added support for Windows LAPS (https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview). OVERLAPS is now able to read password and expiration information from the new AD schema as long as the permissions are configured correctly. This includes encrypted passwords, but make sure that your Group Policy setting “Configure authorized password decryptors” is set to a group which the OVERLAPS server’s computer object is a member to ensure it has permission to decrypt the passwords. Note that reading encrypted passwords has not yet been tested in cross-domain environments.
  • In a multi-domain environment, added the ability to specify which domain is selected by default on the login page. This setting can be found under Settings -> Security.
  • Added a Reports page to use for displaying informational reports and scans. In order to gain access to reports, users must have the “View Reports” option checked under the Edit User Access Levels modal. Note that currently any user with this permission can run full-domain reports regardless of their per-container permissions, so care should be taken when granting it. A roadmap item has been created for a future update to add the ability to run these scans automatically and generate email reports.
  • Added “Computers with No LAPS Password Set” report, which searches Active Directory for any computer objects without a LAPS password.
  • Added “Computers with an Expired LAPS Password” report, which scans AD for computer objects where the LAPS Expiration Time is 24 hours or more behind the current time. This time can be currently only be modified by adding the “expirylimit=x” parameter to the URL where “x” is the number of minutes you want it to limit the report to, for example navigating to “reports.html?expirylimit=60” will give all computers whose password expired more than an hour ago.
  • Added the ability to toggle the visibility of the “Login using Windows Authentication” button on the login screen. The option, which can be found under Settings -> Security, is called “Display the Login using Windows Authentication button on the login screen.” and is enabled by default.
  • Added localization to the date/time picker in the Expire Password modal.


  • Changed it so that if the option to send a copy of Authorisation Requests to an additional or shared email address is set and Itemised Auth Request emails are enabled, then this address will also receive the itemised request list instead of a summary.
  • Changed the AD structure update mechanism to now retrieve the full structure in batches of 1000 and then figure out the hierarchy in memory. This replaces the old method which would ascertain the hierarchy of the structure directly from AD in smaller batches, causing more traffic on the domain controller.
  • Changed the Date/Time input in the Expire Password modal to use client’s timezone as input instead of the server time for situations where users are not necessarily in the same timezone as the server. Note that current expiry time shown in the Computer Password modal will be in either UTC or the server’s local time though depending on your settings.
  • Improved performance of computer searches by tweaking parent container information retrieval in both the DirectorySearcher and LDAP connectors.
  • Further improved performance of computer searches in single domain environments as the Global Catalog isn’t required to locate computers in those sites and a direct call to a DC can be used instead (the GC doesn’t contain password or expiry information).
  • Updated .NET Framework to version 4.8
  • Updated Mailkit and Mimekit libraries to version
  • Updated SQLite library to version 1.0.117

Bug Fixes

  • Tweaked error reporting for cases where an exception occurs while getting a DC’s Site Name so that more information can be ascertained about the DC itself for blacklisting purposes.
  • Changed DC discovery for root paths to rely more on AD to provide valid servers rather than using the enumeration method. Hopefully this will avoid errors and delays from attempting to query DCs in different security zones. This method isn’t completely compatible with the DC blacklist however, so if AD repeatedly returns a blacklisted DC then it will failover to the old method.
  • Fixed a bug in the Self Signed Certificate Generator utility which would throw an error if no SANs were entered.

Like the article? Share with your friends: