Windows LAPS updates password three times a week




 Oct 25 2023

We have a user device which resets its LAPS password three times a week while the policy is set to reset every 365 days.


The current LAPS policy is configured as follows:
Policy source: CSP
Backup directory: Azure Active Directory
Local administrator account name: local.adm
Password age in days: 365
Password complexity: 3
Password length: 12
Post authentication grace period (hours): 24
Post authentication actions: 0x1


The password updates when the event log shows the following:

The post-authentication grace period has expired per policy. The configured post-authentication actions will now be executed.
Account name: Local.adm
Account RID: 0x3E9


How can we fix this and stop the password from being reset?


@harrys80 ,


Based on the data you've presented, I would guess that you have some automation in your environment that is regularly retrieving the password and performing an authentication to the managed device, which is then triggering a now+24 hours post-authentication-action-initiated password reset.  


The PAA feature is actually on-by-default, so you have to explicitly disable it in order to keep this from happening.   You can do that by setting the grace period to zero (0) hours.  Please try that?


Alternatively, if it is unexpected that any authentication of the LAPS-managed account is happening, you might want to investigate why that is happening.


Please PM if you have further questions - I am going to close this issue out since it's more of a support issue than a feature request.




Status changed to: Completed
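
One way to investigate which authentications precede each post-authentication reset, as an added example that is not part of the original thread: it lists successful logons of the managed account in the window before every LAPS event carrying the message quoted in the question. Assumptions: it is run elevated on the affected device, success logon auditing (Security event 4624) is enabled, the LAPS log text is in English, and the 7-day look-back and 1-hour slack are arbitrary choices.

```powershell
# Added example, not from the thread. Run elevated on the affected device.
$Account    = 'local.adm'   # managed account name from the posted policy
$GraceHours = 24            # post-authentication grace period from the posted policy
$Since      = (Get-Date).AddDays(-7)   # assumed look-back window

# Successful logons (Security event 4624) of the managed account.
$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Read EventData by field name instead of by position.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ieq $Account) {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            LogonType   = $data['LogonType']        # e.g. 2 interactive, 3 network, 10 RDP
            Process     = $data['ProcessName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

# LAPS events whose message matches the text quoted in the question.
$expiries = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-LAPS/Operational'; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*post-authentication grace period has expired*' } |
    Sort-Object TimeCreated

# For each expiry, show the logons inside the preceding grace window (plus 1 hour slack).
foreach ($e in $expiries) {
    $from = $e.TimeCreated.AddHours(-($GraceHours + 1))
    "Grace period expired at $($e.TimeCreated); logons of $Account since $($from):"
    $hits = $logons | Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -le $e.TimeCreated }
    if ($hits) { $hits | Sort-Object TimeCreated | Format-Table -AutoSize | Out-String }
    else       { "  none found (check that logon auditing is enabled and the log has not rolled over)" }
}

# Summary: which logon type / process / source accounts for most authentications.
$logons | Group-Object LogonType, Process, SourceIp |
    Sort-Object Count -Descending | Select-Object Count, Name
```

A recurring logon type, process or source address in the summary points at the automation or user that keeps authenticating with the managed account.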