Hi mlguimaraes,
>>I'm not sure if it was mentioned here, but what about the password values stored in the "old" AD attribute ms-Mcs-AdmPwd?
>>I'm concerned about something trying to use the older FAT UI or PowerShell and receiving outdated information.
>>Do you recommend cleaning up the attribute?
Great question.
I do recommend cleaning these up if they are no longer in use, partially because once you have fully migrated from legacy LAPS to Windows LAPS, the ms-Mcs-* state is now just unnecessary bloat in the directory, and also to avoid the potential confusion you described.
Be aware that Windows LAPS will make a best-effort attempt to delete the ms-Mcs-* attributes once Windows LAPS has 1) set the password on the new msds-Laps* attributes, and 2) detected that the legacy LAPS CSE is no longer installed on the machine. Check #2 is to ensure that we don't break legacy LAPS in the side-by-side co-existence scenario. All of this makes me wonder then, if you are not seeing the ms-Mcs* attributes disappear after deploying Windows LAPS, it's likely that you have not yet removed the legacy LAPS CSE from the managed devices (not critical you do this but it's good hygiene), OR (less likely) the device was moved to an OU where the device identity no longer has Delete permissions on the ms-Mcs-* attributes.
Did this make sense? Lmk if anything is not clear.
Jay
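
An added example, not part of Jay's reply or of any Microsoft tooling: a PowerShell function that reports computers still carrying legacy LAPS state after Windows LAPS has stamped its own expiry, and clears the legacy attributes only when asked. It assumes the ActiveDirectory module, the Windows LAPS schema attribute `msLAPS-PasswordExpirationTime`, and a hypothetical function name and placeholder OU.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report (and optionally clear) legacy LAPS attributes on
# computers that already have a Windows LAPS password expiry stamped.
# Clear-LegacyLapsState is a hypothetical name, not a built-in cmdlet.
function Clear-LegacyLapsState {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # OU to scope the search; the DN is supplied by the caller
        [Parameter(Mandatory)][string]$SearchBase,
        # Without -Remove the function only reports
        [switch]$Remove
    )
    # Match on the expiration-time attributes, not on ms-Mcs-AdmPwd itself,
    # so the audit does not need read access to the stored password.
    $filter = '(&(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*))'
    $props  = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'

    Get-ADComputer -SearchBase $SearchBase -LDAPFilter $filter -Properties $props |
    ForEach-Object {
        # Both attributes are stored as Windows FILETIME (Int64) values
        $legacy  = [datetime]::FromFileTimeUtc($_.'ms-Mcs-AdmPwdExpirationTime')
        $current = [datetime]::FromFileTimeUtc($_.'msLAPS-PasswordExpirationTime')
        $cleared = $false
        if ($Remove -and $PSCmdlet.ShouldProcess($_.DistinguishedName, 'Clear ms-Mcs-AdmPwd*')) {
            Set-ADComputer -Identity $_ -Clear 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
            $cleared = $true
        }
        [pscustomobject]@{
            Computer             = $_.Name
            LegacyExpiryUtc      = $legacy
            WindowsLapsExpiryUtc = $current
            LegacyCleared        = $cleared
        }
    }
}

# Report only (the OU DN below is a placeholder):
# Clear-LegacyLapsState -SearchBase 'OU=Workstations,DC=example,DC=com'
# Preview the cleanup without writing anything:
# Clear-LegacyLapsState -SearchBase 'OU=Workstations,DC=example,DC=com' -Remove -WhatIf
```

Scope `-SearchBase` to OUs that are fully migrated, since the reply notes that legacy LAPS may still be in use in the side-by-side scenario.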