Managing local admin account passwords in AD and Azure AD
Event Ended
Wednesday, Oct 26, 2022, 08:00 AM PDT
What? Can it be? A session on LAPS? Yes!! The Local Administrator Password Solution (LAPS) has been widely used by IT pros for nearly a decade to secure Windows devices, aid in device recovery, and s...
Heather_Poulsen
Updated Dec 27, 2024
JamesIversen
Oct 26, 2022 Copper Contributor
Thank you for your time devoted to LAPS. Will look into moving towards the new encryption as time allows. One question though... When restoring a "Computer" from media, it may maintain the previous password set. However, will restoring the Computer Object from deletion in AD to the same timeframe also in theory synchronize the password? At times it is necessary to restore a computer previously deleted from AD...
- JaySimmons Oct 27, 2022
Microsoft
Hi James, When you restore a deleted Computer object in AD, the object will be restored with whatever LAPS passwords were on the object when it was deleted in the first place. There is no automatic synchronization support related to LAPS in this scenario. Once the computer is up and running again and has a re-established trust channel with the AD domain, the LAPS client logic will continue to rotate the password as required. If the Computer object was deleted for a long time, it is very likely that the password-expiry timestamp has long since passed, in which case the LAPS client logic will rotate the password very soon. I am not 100% sure I answered your question, lmk if not.
- JamesIversen Dec 12, 2022 Copper Contributor
To a certain extent you have answered my question the way I figured it would be. As long as the password attribute is visible to the back-up\restoration process, the restored Computer object will retain the timestamped password until trust is restored and expiration forces a change. Thanks!
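
The restore behaviour discussed in this thread can be checked from the directory side. The following is an added example, not part of the thread and not Microsoft's code: it reads the stored LAPS expiry timestamp of restored computer objects and reports whether it has already passed. The function name `Get-RestoredLapsExpiry` is hypothetical, and the script assumes the ActiveDirectory and LAPS PowerShell modules are installed, the AD schema has been extended for the chosen LAPS flavour, and the caller may read the expiry attribute.

```powershell
# Added example (not from the thread): audit LAPS expiry on restored computer objects.
Import-Module ActiveDirectory

function Get-RestoredLapsExpiry {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Windows LAPS attribute by default; the second value is the legacy LAPS attribute.
        [ValidateSet('msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime')]
        [string]$Attribute = 'msLAPS-PasswordExpirationTime',
        # Optionally mark the stored password as expired now (Windows LAPS only).
        [switch]$ExpireNow
    )
    $now = (Get-Date).ToUniversalTime()
    foreach ($name in $ComputerName) {
        $c   = Get-ADComputer -Identity $name -Properties $Attribute, whenChanged
        $raw = $c.$Attribute
        if ($null -eq $raw) {
            # No expiry stored: the object was restored without LAPS data or was never managed.
            [pscustomobject]@{ Computer = $c.Name; ExpiresUtc = $null; Expired = $null
                               DaysOverdue = $null; ObjectChanged = $c.whenChanged }
            continue
        }
        # Both attributes hold a FILETIME: 100 ns intervals since 1601-01-01 UTC.
        $expiry = [DateTime]::FromFileTimeUtc([long]$raw)
        [pscustomobject]@{
            Computer      = $c.Name
            ExpiresUtc    = $expiry
            # True means the client rotates once it has a working trust channel again.
            Expired       = $expiry -le $now
            DaysOverdue   = [math]::Max(0, [math]::Floor(($now - $expiry).TotalDays))
            ObjectChanged = $c.whenChanged
        }
        if ($ExpireNow -and $expiry -gt $now -and $Attribute -eq 'msLAPS-PasswordExpirationTime') {
            # Without -WhenEffective the cmdlet sets the expiry to the current time.
            Set-LapsADPasswordExpirationTime -Identity $name
        }
    }
}

# Constructed sample names; replace with the objects that were restored.
Get-RestoredLapsExpiry -ComputerName 'RESTORED-PC01', 'RESTORED-PC02' | Format-Table -AutoSize
```

A restored object whose `Expired` column is `False` keeps the password it had at deletion until that timestamp passes, so `-ExpireNow` is the switch to use when the old password should not remain valid that long.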