Some of our servers are non-persistent and are created from a template each night. If the "password needs updating" logic checked the local admin account's PasswordLastSet and the AD msLAPS-PasswordExpirationTime, LAPS would work perfectly for us. The password would update and stay in sync with the Win LAPS password. Yes, I know I could disable the local admin account through policy and choose not to use LAPS on the non-persistent servers, or add a script that clears the password last change date in AD on startup. I would prefer not to have to keep separate GPOs to resolve this issue, or custom hacks to resolve something that could just be built in. It could even be an optional setting in the LAPS GPO. Example: Check local admin account last password set: True.
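One way to approximate the requested check with a startup script, as an added example that is not part of the original post and not Windows LAPS's own logic. It assumes the script runs as SYSTEM on a domain-joined server, that the managed account is named `Administrator`, and that the LAPS policy uses a 30-day password age; the parameter names and the tolerance value are hypothetical.

```powershell
# Added example: compare the local account's PasswordLastSet with the time
# implied by msLAPS-PasswordExpirationTime, and rotate if the image is stale.
# Assumptions: account name, 30-day password age, 5-minute tolerance.
param(
    [string]$AccountName      = 'Administrator',
    [int]$PasswordAgeDays     = 30,
    [int]$ToleranceMinutes    = 5
)

# When was the managed account's password last set on this (template) image?
$local = Get-LocalUser -Name $AccountName -ErrorAction Stop
$localSetUtc = if ($local.PasswordLastSet) {
    $local.PasswordLastSet.ToUniversalTime()
} else {
    [datetime]::MinValue   # never set: always treated as stale
}

# Read msLAPS-PasswordExpirationTime from this computer's own AD object.
$filter   = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$searcher = [adsisearcher]$filter
[void]$searcher.PropertiesToLoad.Add('msLAPS-PasswordExpirationTime')
$result = $searcher.FindOne()
if (-not $result) { throw 'Computer object not found in AD.' }

# DirectorySearcher returns property names in lower case.
$raw = $result.Properties['mslaps-passwordexpirationtime']
if ($raw.Count -eq 0) {
    Write-Output 'No expiration time stored in AD; nothing to compare.'
    return
}

# Expiration minus the policy age approximates when AD last received a password.
# This is off if an administrator changed the expiration time by hand.
$expiresUtc = [datetime]::FromFileTimeUtc([int64]$raw[0])
$adSetUtc   = $expiresUtc.AddDays(-$PasswordAgeDays)

if ($localSetUtc -lt $adSetUtc.AddMinutes(-$ToleranceMinutes)) {
    # The local password predates the one AD holds: the image was rebuilt.
    Write-Output "Local password ($localSetUtc) is older than AD ($adSetUtc); rotating."
    Reset-LapsPassword
} else {
    Write-Output 'Local password and AD expiration are consistent; no action.'
}
```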