JaySimmons, thanks for the reply! Your explanation matches how I expected it to work. However, it does not match how it behaves in my environment.
The user has not been a member of the authorized decryptor group for over a week now. whoami /groups reflects this as well; the group is not present. Just now I manually expired the password of one of our servers.
Look at what happens when I query the password history:
```
Get-ADComputer SERVER1 | ForEach-Object {Get-LapsADPassword $_.Name -IncludeHistory} | ft ComputerName,Source,DecryptionStatus,PasswordUpdateTime,AuthorizedDecryptor

ComputerName Source                   DecryptionStatus PasswordUpdateTime  AuthorizedDecryptor
------------ ------                   ---------------- ------------------  -------------------
SERVER1      EncryptedPassword        Unauthorized     06.10.2023 14:13:07 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          29.09.2023 13:10:40 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          29.09.2023 13:09:24 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          29.09.2023 13:06:15 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          29.09.2023 12:59:27 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          29.09.2023 12:55:41 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          29.09.2023 10:56:27 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          26.09.2023 16:56:35 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          26.09.2023 16:29:37 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          26.09.2023 16:09:33 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          26.09.2023 15:56:12 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          26.09.2023 13:02:39 DOMAIN\LAPS_Server
SERVER1      EncryptedPasswordHistory Success          18.09.2023 12:52:24 DOMAIN\LAPS_Server
```
I can still decrypt ALL previous passwords. The only exception is the one password I just manually rotated. That's what I meant when I said that when I remove the user from the group, I have to wait some days, then newly created passwords cannot be decrypted, but all previous passwords can still be decrypted. It seems completely unrelated to group membership/Kerberos tickets.