PasswordAgeDays and PostAuthenticationResetDelay 0/24
Hi there,
Would it be possible to include a feature that allows passwords to remain valid till the next rotation specified through PasswordAgeDays after they have been used?
We miss this feature from legacy LAPS. Unfortunately we cannot use it with our new Azure AD joined devices.
If we leave PostAuthenticationResetDelay unconfigured, the 24-hour cycle is really way too tight. Leaving it at 0 makes accounts unusable after authenticating till the next scheduled or manual rotation ("The password has to be changed before this account can be used").
Cheers
8 Comments
- JaySimmons
Microsoft
FeroG440 - didn't hear back from you so I am marking this completed. Feel free to PM me if you come up with some more data or repro steps.
- JaySimmons
Microsoft
Status changed: Needs more info to Completed
- JaySimmons
Microsoft
FeroG440 - please let me know if you have some new info on this. I plan to close this issue out soon (but you can always PM if needed).
- Cliff_Fisher
Microsoft
Status changed: Working on it to Needs more info
- JaySimmons
Microsoft
FeroG440 - any updates on the repro steps?
- FeroG440
Copper Contributor
Hello JaySimmons,
Thank you a lot for your answer and time.
I will write down each step to reproduce the issue I was writing about. I will keep this updated.
- JaySimmons
Microsoft
Status changed: New to Working on it
- JaySimmons
Microsoft
Hi FeroG440,
I think you may be combining two distinct issues.
The first issue I think you are describing is that the password is rotated for the LAPS-managed account immediately after auth when ResetDelay=0? I cannot repro that behavior.
The second issue I think you are describing is a known bug where if the password for the LAPS-managed account is older than the local device's MaximumPasswordAge policy, attempted authentication results in the pwd-must-be-changed error.
As I said, I can't repro the first issue as described. Please feel free to PM me with more details on that if I've misunderstood.
I am working on a fix for the second issue and we will be shipping that to all supported platforms relatively soon (I can't say at this time when the fix will ship).
thx,
Jay