rk-ca-2023's avatar
rk-ca-2023
Copper Contributor
Nov 10, 2023
Status:
Completed

Revice Password Last Set logic to check local PasswordLastSet and msLAPS-PasswordExpirationTime

Some of our servers are non persistent and are created from a template each night. If the Password needs updating logic checked the local admin account's PasswordLastSet and AD msLAPS-PasswordExpirat...
JaySimmons's avatar
JaySimmons
Icon for Microsoft rankMicrosoft
Nov 12, 2023

rk-ca-2023 ,

 

Is your Windows LAPS policy targeting the built-in admin account, or a different account that you are creating?

 

Can you provide more details about the nature of your "template" images?   Are they sysprep'd?  Were they previously joined to Active Directory, AND did they have Windows LAPS policies applied?

 

I am intrigued by your issue, please do lmk.  You're correct that Windows LAPS does not currently check the PasswordLastSet state of the target account - but we do maintain other local state (primarily under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config) that if missing or inconsistent will also trigger a fresh password rotation regardless of msLAPS-PasswordExpirationTime.  So I am really curious what values are stored under the LAPS\Config key in your template images.

 

thx,

Jay