Georg_Brunner,
>>Is there a way to clear the legacy attributes after a password change in non-legacy mode? Or did I miss this chapter?
>>EDIT: just checked in lab: old attributes are gone
Once a machine (or set of machines) is migrated over to using a new native Windows LAPS policy (i.e., using the new msLaps* attributes), AND the legacy LAPS CSE is not installed, the Windows LAPS client logic will automatically try to delete the legacy LAPS attributes from the computer account object. This cleanup activity only occurs after Windows LAPS has successfully updated a new password on the Windows LAPS-managed account, and it can only succeed if the machine is (still) granted SELF write\delete permission on the legacy LAPS attributes.
The design intent with this behavior is to converge the AD state to one single view (the Windows LAPS attributes) so that an admin looking for the current password is only given one correct choice when looking in AD. In addition, I felt very uncomfortable with the idea of allowing a still-valid-but-no-longer-regularly-rotated password to remain in AD indefinitely.
If the legacy LAPS CSE is still installed and you are running a native Windows LAPS policy side-by-side with a legacy LAPS policy (ie, you are managing two different local accounts at the same time), Windows LAPS will leave the legacy LAPS AD state alone.
There exists an analogous but less-likely-to-happen scenario, which is when you are running Windows LAPS in native policy mode, but then for some reason (?) you un-set the Windows LAPS policy and set a new legacy LAPS policy, which will kick Windows LAPS into legacy-LAPS-emulation-mode*. In that situation, Windows LAPS will first set a new password on the legacy LAPS attributes, then will try to delete any new Windows LAPS attributes (msLaps*) that it finds on the computer object.
If this auto-cleanup behavior does not work (e.g., the computer moved to a new OU which no longer grants the necessary permissions to SELF), you can always fall back on normal PowerShell scripting to delete any attributes you want.
Jay
*I need an acronym for this...LLEM? "LEM"? "LEMODE"? 🙂
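The "fall back on PowerShell" path from the reply above, as an added example that is not part of the original thread or of the Windows LAPS product code. It scans an OU for computer objects that already carry Windows LAPS state (msLAPS-PasswordExpirationTime is set) but still have the legacy ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime attributes, reports whether SELF is still granted WriteProperty on those legacy attributes (the condition the reply says the client-side auto-cleanup depends on), and clears the leftovers from an admin context. The OU distinguishedName is an assumed placeholder; the attribute names are the published legacy LAPS and Windows LAPS schema names. It uses only the ActiveDirectory module cmdlets (Get-ADRootDSE, Get-ADObject, Get-ADComputer, Set-ADComputer, Get-Acl on the AD: drive). Do not run it against machines you are intentionally operating side-by-side (legacy CSE plus a native policy managing a second account), since there the legacy state is still live.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original post. Clears legacy LAPS attributes
# left behind on computers that have already moved to Windows LAPS.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: replace with the OU you migrated.
    [string]$SearchBase = 'OU=Workstations,DC=contoso,DC=com'
)

Import-Module ActiveDirectory

$legacyAttrs = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

# Resolve the schemaIDGUID of each legacy attribute once, so ACEs on the
# computer object can be matched by ObjectType rather than by name.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$legacyGuids = @{}
foreach ($attr in $legacyAttrs) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    if (-not $schemaObj) { throw "Legacy LAPS schema attribute '$attr' not found; nothing to clean up." }
    $legacyGuids[$attr] = [guid]$schemaObj.schemaIDGUID
}

function Test-SelfCanWriteLegacyLaps {
    # Returns a hashtable: attribute name -> $true if an Allow ACE for
    # NT AUTHORITY\SELF grants WriteProperty on that attribute (or on all properties).
    param([string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $selfAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.AccessControlType -eq 'Allow'
    }
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $result = @{}
    foreach ($attr in $legacyAttrs) {
        $guid = $legacyGuids[$attr]
        $result[$attr] = [bool]($selfAllow | Where-Object {
            # ObjectType Empty means the ACE covers every property; GenericWrite/GenericAll include the WriteProperty bit.
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty) -and
            (($_.ActiveDirectoryRights -band $writeProp) -ne 0)
        })
    }
    return $result
}

# Only computers that already have Windows LAPS state AND still carry legacy attributes.
$ldapFilter = '(&(objectClass=computer)(msLAPS-PasswordExpirationTime=*)(|(ms-Mcs-AdmPwd=*)(ms-Mcs-AdmPwdExpirationTime=*)))'
$stragglers = Get-ADComputer -SearchBase $SearchBase -LDAPFilter $ldapFilter -Properties ($legacyAttrs + 'msLAPS-PasswordExpirationTime')

foreach ($computer in $stragglers) {
    $perm = Test-SelfCanWriteLegacyLaps -DistinguishedName $computer.DistinguishedName
    $selfOk = ($perm.Values -notcontains $false)

    [pscustomobject]@{
        Computer            = $computer.Name
        LegacyExpiration    = $computer.'ms-Mcs-AdmPwdExpirationTime'
        WindowsLapsExpiry   = $computer.'msLAPS-PasswordExpirationTime'
        SelfCanAutoCleanup  = $selfOk   # $false explains why the client-side cleanup never happened
    } | Format-List | Out-String | Write-Verbose

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "Clear $($legacyAttrs -join ', ')")) {
        # -Clear removes the attribute values entirely (not an empty string), matching what the client does.
        Set-ADComputer -Identity $computer.DistinguishedName -Clear $legacyAttrs
        Write-Output "Cleared legacy LAPS attributes on $($computer.Name)"
    }
}
```

Run it first with `-WhatIf -Verbose` to see which computers still carry legacy state and whether SELF lost its write rights (typically after a move to an OU where the legacy `Set-AdmPwdComputerSelfPermission` delegation was never applied); rerun without `-WhatIf` to clear them. The admin running it needs write access to the legacy attributes, which the usual LAPS delegation for reading passwords does not include on its own.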