bmkaiser00
Copper Contributor
Jul 29, 2025
Status:
New

LAPS Passwords Should Always Be Removed from AD When Switching to Entra Password Backup

In our deployment of Windows LAPS, we've discovered two scenarios where the Legacy LAPS password details persist in Active Directory even though the device is now using Windows LAPS:

  1. When changing a device's backup directory from Active Directory to Entra ID
  2. When changing a device's LAPS password type from a password to a passphrase

In both of these scenarios, the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime properties retain information about the last LAPS password before the Windows LAPS policy was processed. These properties will now need to be cleared out to remove the no longer relevant data.

This does not happen for devices that continue to backup LAPS passwords in AD and continue to use passwords instead of passphrases. Those devices clear the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime properties and then store data in the new msLAPS properties.

We believe that the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime properties should always be cleared when a new Windows LAPS policy is processed, regardless of backup directory or password type.
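Until the product clears the legacy attributes on an AD-to-Entra migration, the stale values have to be found and removed by hand. The script below is an added example written for this thread, not code from the original post or from Microsoft: it audits the computer objects under a search base for leftover ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime values and, with -Clear, removes them. The search base (and therefore the decision about which devices have already moved to BackupDirectory=Entra) is an assumption the operator supplies; the script does not infer the backup directory from AD.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added example (not part of the original post). Lists computer objects that
 still carry the legacy Microsoft LAPS attributes and optionally clears them.
 Assumption: -SearchBase points at the OU whose devices have already been
 migrated to Windows LAPS with BackupDirectory=Entra, e.g.
 'OU=Workstations,DC=corp,DC=example'. Run as an account that can write
 ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on those objects.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $SearchBase,
    [switch] $Clear
)

$legacy = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
# msLAPS-PasswordExpirationTime is only written when the new schema is backed
# up to AD; for Entra-backed devices it is expected to stay empty.
$props = $legacy + 'msLAPS-PasswordExpirationTime'

# Filter on the expiration-time attribute rather than the password itself:
# ms-Mcs-AdmPwd is a confidential attribute and reads back as empty unless the
# caller holds the extended right, so "no value returned" does not prove the
# password is gone. The expiration time is not confidential.
$stale = Get-ADComputer -SearchBase $SearchBase `
    -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)' -Properties $props

foreach ($c in $stale) {
    # Legacy LAPS stores the expiry as a Windows FILETIME (large integer).
    $expires = [DateTime]::FromFileTimeUtc([long]$c.'ms-Mcs-AdmPwdExpirationTime')

    [pscustomobject]@{
        Name                 = $c.Name
        LegacyExpiresUtc     = $expires
        LegacyPasswordVisible = [bool]$c.'ms-Mcs-AdmPwd'    # false if you lack read rights
        WindowsLapsInAD      = [bool]$c.'msLAPS-PasswordExpirationTime'
    }

    if ($Clear -and $PSCmdlet.ShouldProcess($c.DistinguishedName, "Clear $($legacy -join ', ')")) {
        # -Clear removes both attributes in one write; -WhatIf is honoured via ShouldProcess.
        Set-ADComputer -Identity $c.DistinguishedName -Clear $legacy
    }
}
```

Run it once without -Clear to review the report (a device that shows WindowsLapsInAD = True is still backing up to AD and would normally have cleared the legacy attributes on its own, which is worth investigating before touching it), then with -Clear -WhatIf, and finally with -Clear. Clearing the attributes removes the last legacy password from AD, so make sure nobody still needs it before you do.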

5 Comments

  • Hi bmkaiser00​ - ok I can repro your scenario #1 (when BackupDirectory is flipped from AD -> Entra).  I cannot repro your scenario #2 (flipping password complexity from password to passphrase).  

    Would you please re-confirm your repro on scenario #2?   If you can still repro it, please run the Get-LapsDiagnostics cmdlet before and after the policy change, and upload the resultant zip files to me.   If that doesn't work, I may need to work with you directly to gather some debug traces.    

    thx,

    Jay

      bmkaiser00
      Copper Contributor

      Hello JaySimmons​ - Thank you for confirming scenario #1!

      After looking deeper, scenario #2 was a configuration issue on our end. We unknowingly still had the Legacy LAPS client installed on our Windows Server 2025 instances. After removing the client from those hosts, the Legacy LAPS password disappeared from AD for each computer object within 48 hours of its expiration.

        JaySimmons
        Microsoft

        That is good news.

        I have edited the title of this submission to better capture the fact that the bug is on any Windows LAPS policy migration from BackupDirectory=AD to BackupDirectory=Entra.

        Thanks again for reporting this.

    bmkaiser00
    Copper Contributor

    Thank you, JaySimmons​ ! One possibly important detail that I left out of my original post is that we had been using Windows LAPS in legacy Microsoft LAPS emulation mode. We uninstalled the LAPS GPO CSE while continuing to use the legacy Microsoft LAPS group policy templates until this final migration where we started to use the Windows LAPS policies.

  • Hi bmkaiser00​ ,

    Thanks for pointing this out.   I have created a bug for this and will get back to you.  

    PS IIRC, Windows LAPS will only try to remove the legacy ms-Mcs-* attributes when the legacy LAPS GPO CSE (AdmPwd.dll) is no longer installed.   You probably already knew that, mentioning it just in case.
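Because the thread's scenario #2 turned out to be a host that still had the legacy LAPS CSE installed, a quick endpoint-side check is useful before blaming Windows LAPS. The function below is an added example for this thread, not code from the original posts or from Microsoft. It inspects the Group Policy client-side extension registrations for AdmPwd.dll (the legacy LAPS CSE) and reports whether the legacy policy key is present; the registry locations are the ones the legacy LAPS installer and ADMX use, and the function name is my own.

```powershell
<#
 Added example (not from the thread). Run locally or through Invoke-Command
 to see whether a host still has the legacy LAPS GPO CSE registered, which
 is the condition under which Windows LAPS will not clean up ms-Mcs-*.
#>
function Test-LegacyLapsCse {
    [CmdletBinding()]
    param()

    # Every registered CSE has a subkey here carrying a DllName value.
    $gpExtensions = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

    # Match on the file name rather than a hard-coded install path, since the
    # legacy MSI allowed the CSE to be installed to a non-default folder.
    $cse = Get-ChildItem -Path $gpExtensions -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DllName -match '(?i)AdmPwd\.dll$' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        LegacyCseRegistered = [bool]$cse
        LegacyCseDll        = $cse.DllName
        LegacyCseFileExists = [bool]($cse.DllName -and (Test-Path -Path $cse.DllName))
        # The legacy Microsoft LAPS ADMX writes its settings under this key; its
        # presence with no CSE is what "legacy emulation mode" looks like on disk.
        LegacyPolicyPresent = Test-Path -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    }
}

Test-LegacyLapsCse
```

LegacyCseRegistered = True means the old client is still in the picture and should be uninstalled (as the reporter did) before expecting Windows LAPS to remove the ms-Mcs-* values; LegacyCseRegistered = False with LegacyPolicyPresent = True is the emulation-mode configuration described earlier in the thread.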