LAPS and machine reinstalls

LAPS uses the ms-MCS-AdmPwdExpirationTime attribute on the computer object to remember the expiration time of the local administrator password. This works well during the lifetime of a computer. But what happens when the computer is reinstalled? The LAPS design expects that in this case the computer account is deleted and created again. But what if you decide to reuse the computer account?

In this case, when you install the computer and then install the LAPS CSE on it, the CSE looks at the computer account during the first GPO refresh after install and sees that it is not yet time to reset the password: the ms-MCS-AdmPwdExpirationTime attribute still holds the value populated by the previous computer that used this computer account. This means that the password that is on the local administrator account after setup may stay there until the expiration time set by the previous computer passes: up to 30 days by default.

If you want to ensure that the password expires immediately, the attached simple script will help you: it connects to the computer account in AD and clears the value of ms-MCS-AdmPwdExpirationTime, effectively telling LAPS that it needs to change the local administrator account password upon the next GPO refresh.

It is best to run the script from SCCM during the Task Sequence, under the Local System account: this works because the permission setup for LAPS allows the computer itself to write to ms-MCS-AdmPwdExpirationTime on its own computer object.

- Jiri

Clear-PasswordTimestamp.ps1
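The attached script itself is not reproduced on this page. The following is an added example, not Jiri's Clear-PasswordTimestamp.ps1, that performs the same operation with plain ADSI so it runs under Local System during a task sequence without needing the ActiveDirectory module. It assumes the machine is domain-joined and that the LAPS permission setup grants SELF write access to the attribute, as the post describes.

```powershell
# Added example (not the attached script): clear the LAPS expiration timestamp
# on this computer's own AD object so the CSE resets the password on the next
# GPO refresh. Uses System.DirectoryServices only; no RSAT module required.
$attr = 'ms-MCS-AdmPwdExpirationTime'

# Locate our own computer object by sAMAccountName (COMPUTERNAME$) under the
# domain's default naming context.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', $attr)) | Out-Null
$result = $searcher.FindOne()
if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found in AD." }

$computer = $result.GetDirectoryEntry()
Write-Host "Found $($computer.distinguishedName)"

# The attribute is a large integer in FILETIME format; show the stale value
# left behind by the previous install before clearing it.
$current = $result.Properties[$attr]
if ($current.Count -gt 0) {
    $expires = [DateTime]::FromFileTime([int64]$current[0])
    Write-Host "Stale expiration time from previous install: $expires"
} else {
    Write-Host "Attribute is already empty; nothing to clear."
}

# ADS_PROPERTY_CLEAR (1) removes all values of the attribute; SetInfo commits
# the change to the domain controller.
$computer.PutEx(1, $attr, $null)
$computer.SetInfo()
Write-Host "Cleared $attr; LAPS CSE will set a new password on next GPO refresh."
```

Run it as a task sequence step after the LAPS CSE is installed but before the first policy refresh; if the write fails with access denied, the SELF permission on the attribute has not been delegated to that OU.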

Comments

  • Anonymous
    May 06, 2015
    Hi, to confirm: instead of using this script, could this also be accomplished by using the LAPS UI fat client and clicking the Set button, to make it expire right away? Or just manually going to the ms-MCS-AdmPwdExpirationTime attribute in AD and erasing and clearing the listed date? Thanks

  • Anonymous
    May 06, 2015
    @Will: Yes, any method that resets the password expiration timestamp is good, so the manual way via LAPS UI or PowerShell, or clearing the attribute value via ADSIEDIT, will work as well. The script here is for those who want to integrate the password reset into the installation process. Jiri

  • Anonymous
    May 06, 2015
    I see, thanks. I don't foresee a lot of computer object "reinstalls", so I will stick with manual methods. Thanks for providing these fixes though.

  • Anonymous
    May 11, 2015
    Correction. The URLs for SYNERGIX ADCE are ... www.synergix.com/.../active-directory-client-extensions support.synergix.com/.../202927738-Test-Scenario-Managing-Built-In-Administrator-Account-Password

  • Anonymous
    May 11, 2015
    Why does the password need to expire after being randomized?

  • Anonymous
    May 11, 2015
    You don't want to keep the same password even though it is random

  • Anonymous
    September 16, 2015
    This all makes sense, but I have another question and must be missing something obvious... if a computer leaves a domain, the computer object is no longer available in ADUC, so how do you retrieve the password if you didn't make a note of it ahead of time, especially if using BitLocker, so you can't boot off a USB or disc to reset it? Is there a way using ADSI Edit or similar?

  • Anonymous
    October 21, 2015
    @BigMcLargehuge: the attribute that stores the password of the managed admin account is marked as not to be removed from the tombstone, so even if the computer account is deleted, the password can be recovered from the tombstone (which is kept for 180 days by default). Plus there is the AD Recycle Bin on newer OSs that helps with recovery of a deleted computer account as well. Hope this helps, Jiri