Hi Johan Janssen,
>>Not surprisingly it's not working.
Appreciate the confidence there ;).
>> Why isn't it creating the local account? Cannot find anything useful when Googling for the error code.
This is due to a difference between the legacy MSI product and the new Windows LAPS feature. The legacy MSI pkg supported the creation of the designated local account during MSI installation. This is a feature that is not supported in the new Windows LAPS feature set. If you want Windows LAPS to manage a custom account, currently you must create that account yourself.
Why did this feature not get carried forward? Partially because I ran out of time, but also partly because it was not clear to me that the behavior even had a straightforward porting approach. Or, put another way: is it really the right design approach to have Windows LAPS create a new account whenever the AdministratorAccountName policy setting changes?
FWIW, I have mentioned this in the docs in a couple of places, e.g.:
Configure specific policies
"If you configure Windows LAPS to manage a custom local administrator account, you must ensure that the account is created. Windows LAPS doesn't create the account."
Obviously there are multiple ways to create a local account.
Longer term thoughts: nothing is committed or approved yet, but I would definitely like to revisit this area. Napkin-level idea: I might add a new Windows LAPS policy setting, e.g. "Automatic local account management", which when enabled would encompass not only the initial creation of the account, but would also add the account to the local Administrators group, keep the account enabled, and finally would rotate the account name on the same frequency as the password, etc. If anyone has feedback on such an idea, please feel free to PM me.
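
One way to pre-create the custom account the reply says Windows LAPS will not create for you, as an added example that is not part of the original post or Microsoft's own code. The account name `LapsAdmin` and the helper `New-RandomSecureString` are assumptions; the name must match the value in your AdministratorAccountName policy setting.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotently provision the local account Windows LAPS will manage.
# 'LapsAdmin' is an assumed name; use the value from your AdministratorAccountName policy.
param(
    [string]$AccountName = 'LapsAdmin'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Hypothetical helper: builds a throwaway initial password from a CSPRNG.
# It is never displayed or stored; Windows LAPS replaces it when it rotates.
function New-RandomSecureString {
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@'
    $bytes = [byte[]]::new($Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $secure = [System.Security.SecureString]::new()
    # Slight modulo bias is acceptable for a password that is discarded immediately.
    foreach ($b in $bytes) { $secure.AppendChar($alphabet[$b % $alphabet.Length]) }
    $secure.MakeReadOnly()
    return $secure
}

# 1. Create the account only if it does not exist yet.
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-LocalUser -Name $AccountName -Password (New-RandomSecureString) `
        -Description 'Managed by Windows LAPS'
}

# 2. Keep the account enabled.
if (-not $user.Enabled) { Enable-LocalUser -Name $AccountName }

# 3. Add it to the built-in Administrators group by well-known SID,
#    which works regardless of the OS display language.
try {
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $AccountName
}
catch [Microsoft.PowerShell.Commands.MemberExistsException] {
    # Already a member: nothing to do.
}

# Report the resulting state for deployment logs.
Get-LocalUser -Name $AccountName | Select-Object Name, Enabled, SID
```

Because every step checks current state first, the script can be re-run safely from whatever deployment tooling you use.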