rk-ca-2023
Nov 10, 2023, Copper Contributor
Status:
Working on it
Revise Password Last Set logic to check local PasswordLastSet and msLAPS-PasswordExpirationTime
Some of our servers are non persistent and are created from a template each night. If the Password needs updating logic checked the local admin account's PasswordLastSet and AD msLAPS-PasswordExpirat...
rk-ca-2023
Nov 16, 2023, Copper Contributor
Thanks for responding Jay.
Is your Windows LAPS policy targeting the built-in admin account, or a different account that you are creating?
Yes, targeting the built-in admin account which has been renamed by one of our security GPOs.
Can you provide more details about the nature of your "template" images? Are they sysprep'd? Were they previously joined to Active Directory, AND did they have Windows LAPS policies applied?
We are using Citrix MCS on vSphere (Machine Creation Services (MCS) / Citrix Provisioning (PVS)). Basically, updates are done on the master image, then a snapshot is created which is used by the provisioning services. A reboot of the server will reset the server to the snapshot, and every server is rebooted on a rotating basis. The local admin password will be set back to the default of the snapshot after a reboot.
https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/image-management.html
Yes sysprep’d by Citrix during machine creation.
Master image is joined to AD.
Windows LAPS policies are applied to the master image as well but this image is only started monthly to patch and apply configuration updates.
I am intrigued by your issue, please do lmk. You're correct that Windows LAPS does not currently check the PasswordLastSet state of the target account - but we do maintain other local state (primarily under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config) that if missing or inconsistent will also trigger a fresh password rotation regardless of msLAPS-PasswordExpirationTime. So I am really curious what values are stored under the LAPS\Config key in your template images.
We have a custom Compliance App that checks many different things for us on all servers. One check is the local admin password change date which alerted us to the issue. We solved the issue using this hack’ish technique: https://support.citrix.com/article/CTX331247/laps-randomizing-local-admin-passwords-in-nonpersistent-environments
Also, the servers are Win 2019 Standard and using the included Win LAPS version of LAPS. I had to add the attribute “msLAPS-PasswordExpirationTime” to the script as it was written for the old LAPS version.
LAPS Config:
Could the fix be to ensure that LAPS is not configured on the master image and that these settings are blank/removed? Some of this is due to us having written policies that relate to our Cyber Security Insurance. All local admin passwords are randomized, which means that we would prefer that the master images are also using LAPS.
Thank you for your help.
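The check the thread asks Windows LAPS to perform, written out as a stand-alone PowerShell compliance script. This is an added example, not code from the thread, from the Citrix article, or from the Windows LAPS product. It compares the built-in administrator's local PasswordLastSet (found by its well-known RID 500, so the GPO rename does not matter) against the AD msLAPS-PasswordExpirationTime, and dumps whatever values exist under the HKLM LAPS\Config key mentioned above. The PasswordAgeDays parameter and the 1-day tolerance are assumptions: set PasswordAgeDays to the value in your LAPS policy. Value names under LAPS\Config are not named in the thread, so the script prints whatever it finds rather than assuming any.

```powershell
<#
Added example (not from the thread): flag a non-persistent server whose local
admin password has been rolled back to a snapshot default while AD still holds
a future msLAPS-PasswordExpirationTime. Run as an administrator on a
domain-joined host. Assumption: PasswordAgeDays matches your LAPS policy.
#>
param(
    [int]$PasswordAgeDays = 30,   # assumed; use the value from your Windows LAPS policy
    [int]$ToleranceDays   = 1     # assumed slack between local and AD timestamps
)

# 1. Built-in administrator, located by RID 500 because the account is renamed by GPO.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in administrator (RID 500) not found.' }

# 2. msLAPS-PasswordExpirationTime for this computer, read without RSAT via ADSI.
#    The attribute is a large integer FILETIME in UTC.
$filter   = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher = [ADSISearcher]$filter
[void]$searcher.PropertiesToLoad.Add('msLAPS-PasswordExpirationTime')
$entry = $searcher.FindOne()
if (-not $entry) { throw "Computer object for $env:COMPUTERNAME not found in AD." }

$expiration = $null
$raw = $entry.Properties['mslaps-passwordexpirationtime']
if ($raw -and $raw.Count -gt 0) {
    $expiration = [DateTime]::FromFileTimeUtc([int64]$raw[0])
}

# 3. Local Windows LAPS state; the thread says missing/inconsistent state here
#    also triggers a rotation, so record every value without assuming names.
$cfgPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
$cfg = Get-ItemProperty -Path $cfgPath -ErrorAction SilentlyContinue
$cfgValues = @{}
if ($cfg) {
    $cfg.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $cfgValues[$_.Name] = $_.Value }
}

# 4. Consistency test: AD's expiration was computed as (last rotation + PasswordAgeDays).
#    If the local PasswordLastSet is older than that implied rotation time, the
#    password on this host predates the rotation AD knows about, i.e. it was
#    reverted by the snapshot restore and LAPS will not rotate it until expiry.
$findings = New-Object System.Collections.Generic.List[string]
$lastSet  = $admin.PasswordLastSet

if (-not $expiration) {
    $findings.Add('msLAPS-PasswordExpirationTime is not set in AD (LAPS never rotated?)')
} elseif (-not $lastSet) {
    $findings.Add('Local PasswordLastSet is empty')
} else {
    $impliedRotation = $expiration.AddDays(-$PasswordAgeDays)
    if ($lastSet.ToUniversalTime() -lt $impliedRotation.AddDays(-$ToleranceDays)) {
        $findings.Add(("Local PasswordLastSet {0:u} is older than the rotation implied by AD ({1:u}); " +
                       "password likely reverted by snapshot restore") -f $lastSet.ToUniversalTime(), $impliedRotation)
    }
}
if (-not $cfg) { $findings.Add("LAPS\Config key missing at $cfgPath") }

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    AdminAccount          = $admin.Name
    LocalPasswordLastSet  = $lastSet
    ADPasswordExpiration  = $expiration
    LapsConfigValues      = $cfgValues
    Compliant             = ($findings.Count -eq 0)
    Findings              = $findings.ToArray()
}
```

Running this on a freshly provisioned MCS/PVS machine and on the master image side by side shows the mismatch the compliance app caught: the AD expiration is still in the future while the local PasswordLastSet points back at the snapshot date. A non-compliant result is the point at which a forced rotation (the approach in the Citrix article) or removal of the LAPS state from the master image would be applied.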