GPO tool

Group Policy made searchable

A free ADMX browser or comparison tool for IT administrators. Search policies, find registry keys, and see exactly what each setting writes to the Windows Registry. Or compare two GPO backups to see exactly what has changed between them.


Configure authorized password decryptors

Configure this setting to control the specific user or group who is authorized to decrypt encrypted passwords.

Configuring this setting has no effect unless password encryption has been enabled.

If this setting is enabled, encrypted passwords will be decryptable by the specified group.

If this setting is disabled or not configured, encrypted passwords will be decryptable by the Domain Admins group.

This setting must be configured with either a SID in string format ("S-1-5-21-2127521184-1604012920-1887927527-35197") or the name of a group or user in "domain\(group or user)" format. The specified user or group must be resolvable by the managed device, otherwise passwords will not be backed up.

See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Registry Information

Vendor: Microsoft
Product: LAPS
Category: LAPS
Applies to: Computer Configuration
Supported on: At least Microsoft Windows 10 or later
Registry Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS

Policy Settings

Authorized password decryptor

Registry Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
Value Name: ADPasswordEncryptionPrincipal
Type: REG_SZ
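
An added audit example (not part of the original page or of Microsoft's tooling): it reads ADPasswordEncryptionPrincipal from the policy key above, checks that the value is a string SID or a domain\name, and tests whether it resolves, since an unresolvable principal means passwords are not backed up. The function name Resolve-LapsDecryptor is hypothetical, and the lookup runs in the caller's context, which only approximates what the managed device itself can resolve.

```powershell
# Added example: report who is authorized to decrypt LAPS passwords on this device.
# It does not check whether password encryption is enabled.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'

function Resolve-LapsDecryptor {   # hypothetical helper name
    param([string]$Principal)

    # Disabled or not configured: the policy text says Domain Admins can decrypt.
    if ([string]::IsNullOrWhiteSpace($Principal)) {
        return [pscustomobject]@{ Configured = $false; Value = $null
            Account = 'Domain Admins (default)'; Sid = $null; Resolvable = $true }
    }
    $account = $null; $sid = $null; $ok = $false
    try {
        if ($Principal -match '^S-1-\d+(-\d+)+$') {
            # String SID form: translate to a name to prove it resolves.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($Principal)
            $account = $sid.Translate([System.Security.Principal.NTAccount])
        } elseif ($Principal -match '^[^\\]+\\[^\\]+$') {
            # domain\name form: translate to a SID to prove it resolves.
            $account = [System.Security.Principal.NTAccount]::new($Principal)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        } else {
            throw "Value is neither a string SID nor domain\name: $Principal"
        }
        $ok = $true
    } catch {
        Write-Warning "Principal did not resolve: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Configured = $true; Value = $Principal
        Account = "$account"; Sid = "$sid"; Resolvable = $ok }
}

# A missing key or value yields $null, which is treated as "not configured".
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$result = Resolve-LapsDecryptor -Principal $policy.ADPasswordEncryptionPrincipal
$result | Format-List

if (-not $result.Resolvable) {
    Write-Warning 'Configured decryptor is not resolvable; passwords will not be backed up.'
} elseif ($result.Configured) {
    Write-Output "Review membership of $($result.Account): its members can decrypt LAPS passwords."
}
```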