Windows LAPS updates password three times a week
We have a user device which resets the LAPS password three times a week while the policy is set to reset every 365 days.
The current LAPS policy is configured as follows:
Policy source: CSP
Backup directory: Azure Active Directory
Local administrator account name: local.adm
Password age in days: 365
Password complexity: 3
Password length: 12
Post authentication grace period (hours): 24
Post authentication actions: 0x1
The password updates when the event log shows the entry below.
The post-authentication grace period has expired per policy. The configured post-authentication actions will now be executed.
Account name: Local.adm
Account RID: 0x3E9
How can we fix this and stop resetting the password?
2 Comments
- JaySimmons (Microsoft)
Status changed: New to Completed
- JaySimmons (Microsoft)
harrys80 ,
Based on the data you've presented, I would guess that you have some automation in your environment that is regularly retrieving the password and performing an authentication to the managed device, which is then triggering a now+24 hours post-authentication-action-initiated password reset.
The PAA feature is actually on-by-default, so you have to explicitly disable it in order to keep this from happening. You can do that by setting the grace period to zero (0) hours. Please try that?
Alternatively, if it is unexpected that any authentication of the LAPS-managed account is happening, you might want to investigate why that is happening.
Please PM if you have further questions - I am going to close this issue out since it's more of a support issue than a feature request.
thanks,
Jay
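
One way to carry out the investigation suggested in the reply above, as an added example that is not part of the original thread: it lists the Windows LAPS post-authentication events on the device and pairs each with the most recent successful logon of the managed account. It assumes an elevated session, that logon success auditing is enabled, and a 14-day look-back window; the account name is taken from the policy in the question.

```powershell
# Added example, not from the original thread. Run elevated on the affected device.
$Account = 'local.adm'              # managed account name from the policy in the question
$Since   = (Get-Date).AddDays(-14)  # assumed look-back window

# 1) Windows LAPS events that mention post-authentication. Matching on the
#    message text avoids assuming specific event IDs.
$laps = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-LAPS/Operational'
            StartTime = $Since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'post-authentication' } |
        Sort-Object TimeCreated

# 2) Successful logons (Security event 4624) for the managed account.
$logons = Get-WinEvent -FilterHashtable @{
              LogName   = 'Security'
              Id        = 4624
              StartTime = $Since
          } -ErrorAction SilentlyContinue |
          ForEach-Object {
              # Flatten the named EventData fields into a hashtable.
              $d = @{}
              ([xml]$_.ToXml()).Event.EventData.Data |
                  ForEach-Object { $d[$_.Name] = $_.'#text' }
              if ($d.TargetUserName -eq $Account) {   # -eq is case-insensitive
                  [pscustomobject]@{
                      Time      = $_.TimeCreated
                      LogonType = $d.LogonType
                      Process   = $d.ProcessName
                      SourceIp  = $d.IpAddress
                      Caller    = $d.SubjectUserName
                  }
              }
          } | Sort-Object Time

# 3) For each LAPS event, show the latest logon of the account that preceded it.
foreach ($e in $laps) {
    $prior = $logons | Where-Object { $_.Time -le $e.TimeCreated } |
             Select-Object -Last 1
    [pscustomobject]@{
        LapsEventTime = $e.TimeCreated
        LapsEventId   = $e.Id
        LastLogon     = $prior.Time
        LogonType     = $prior.LogonType
        Process       = $prior.Process
        SourceIp      = $prior.SourceIp
        Caller        = $prior.Caller
    }
}
```

The Process, SourceIp and Caller columns point at whatever is signing in with the managed account; with the 24-hour grace period in the policy above, each such logon should precede a reset by roughly a day.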