LAPS and machine reinstalls


LAPS uses the ms-MCS-AdmPwdExpirationTime attribute on the computer object to remember the expiration time of the local administrator password. This works well during the lifetime of a computer. But what happens when a computer is reinstalled? The LAPS design expects that in this case the computer account is deleted and created again. But what if you decide to reuse the computer account?

In this case, when you install the computer and then install the LAPS CSE on it, during the first GPO refresh after install the CSE looks at the computer account and sees that it is not yet time to reset the password: the ms-MCS-AdmPwdExpirationTime attribute still holds the value populated by the previous computer that used this computer account. This means that the password set on the local administrator account during setup may stay there until the expiration time set by the previous computer passes: up to 30 days by default.

If you want to ensure that the password expires immediately, the attached simple script will help you: it connects to the computer account in AD and clears the value of ms-MCS-AdmPwdExpirationTime, effectively telling LAPS that it needs to change the local administrator account password upon the next GPO refresh.

It is best to run the script from SCCM during the Task Sequence, under the Local System account: this works because the permission setup for LAPS allows the computer itself to write ms-MCS-AdmPwdExpirationTime on its own computer object.
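As an added example (this is not the attached Clear-PasswordTimestamp.ps1 and not LAPS's own code), the following PowerShell script does what the paragraphs above describe: it finds the computer's own AD object, shows the stale expiration timestamp left behind by the previous install, and clears ms-MCS-AdmPwdExpirationTime. It uses plain ADSI (System.DirectoryServices) rather than the RSAT AD module so it can run from a task sequence as Local System; it assumes the machine is already domain-joined and can reach a domain controller.

```powershell
# Added example, not the attached Clear-PasswordTimestamp.ps1.
# Clears ms-MCS-AdmPwdExpirationTime on this computer's own AD object so that
# the LAPS CSE resets the local administrator password on the next GPO refresh.
# Assumption: domain-joined machine, run as Local System (the computer account
# has write permission on the attribute through the standard LAPS setup).

$attribute      = 'ms-MCS-AdmPwdExpirationTime'
$samAccountName = "$env:COMPUTERNAME`$"   # computer accounts end with '$'

# Locate this computer's object under the domain's default naming context.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=computer)(sAMAccountName=$samAccountName))"
[void]$searcher.PropertiesToLoad.Add($attribute)

$result = $searcher.FindOne()
if ($null -eq $result) {
    throw "Computer account $samAccountName was not found in AD"
}

# SearchResult property names are lower-cased; the value is a FILETIME (Int64).
$key = $attribute.ToLower()
if ($result.Properties.Contains($key) -and $result.Properties[$key].Count -gt 0) {
    $fileTime = [int64]$result.Properties[$key][0]
    $expires  = [DateTime]::FromFileTimeUtc($fileTime)
    Write-Output "Stale expiration left by the previous install: $expires UTC"

    # Clear the attribute on the live object and commit the change.
    $computer = $result.GetDirectoryEntry()
    $computer.Properties[$attribute].Clear()
    $computer.CommitChanges()
    Write-Output "Cleared $attribute; the LAPS CSE will reset the password at the next GPO refresh"
}
else {
    Write-Output "$attribute is already empty; nothing to do"
}
```

The script only touches the timestamp, never the password itself, so running it twice is harmless. The actual reset happens when the CSE next runs (next GPO refresh, or gpupdate /force), after which the new password can be read the usual way through the LAPS UI or the AdmPwd.PS PowerShell module.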

- Jiri

Clear-PasswordTimestamp.ps1

Comments (9)

  1. Will says:

    Hi, to confirm: instead of using this script, could this also be accomplished by using the LAPS UI fat client and clicking the Set button, to make it expire right away? Or just manually going to the ms-MCS-AdmPwdExpirationTime attribute in AD and erasing and clearing the listed date? Thanks

  2. Jiri Formacek - MSFT says:

    @Will: Yes, any method that resets the password expiration timestamp is good - so the manual way via LAPS UI or PowerShell, or clearing the attribute value via ADSIEDIT, will work as well.

    The script here is for those who want to integrate the password reset into the installation process.

    Jiri

  3. Will says:

    I see - thanks. I don't foresee a lot of computer object "reinstalls" so will stick with manual methods. Thanks for providing these fixes though.

  4. P000jari says:

    SYNERGIX http://www.synergix.com has a feature in its software "Active Directory Client Extensions" (ADCE) to manage the Built-In Administrator Account Password. The feature was introduced in the ADCE 2012 version several years back and has matured in its implementation in the current version, ADCE 2014.

    1. No Active Directory Schema Changes are required. Nor is there a need to have MS SQL or IIS installed.

       - LAPS requires Schema Changes

    2. Random Passwords are generated by the software, encrypted and stored in Active Directory

       - LAPS stores them in clear text!

    3. Passwords are encrypted using a unique encryption key

       - With LAPS storing passwords in clear text, encryption is not applicable

    4. By default, even Domain Admins cannot read encrypted values or decrypt them

       - LAPS allows Domain Admins to read the clear text password. In many large organizations, the Domain Admins role is for managing the Active Directory infrastructure and not necessarily meant to manage aspects of domain-joined Windows computers.

    5. Random passwords are always complex and can vary in length from 8 characters to 48 characters

    6. Passwords can be stored only on specific Domain Controllers. This is achieved by leveraging an Application Partition similar to the DNS Application Partition and defining the DCs in the replica set.

       - The clear text password implementation in LAPS is replicated on ALL domain controllers

    7. Windows XP to Windows 10 Tech Preview are supported

       - LAPS does not support Windows XP. Speculation is LAPS will drop support for Windows Server 2003 when it reaches End of Extended Support. SYNERGIX will continue to support ADCE 2014 on XP and 2003 until .NET Framework 4.0 End of Life, i.e. around year 2020.

    8. Passwords can be stored in an associated Active Directory object, for instance in a Device object

       - Passwords are stored in the computer object.

    For additional information, please check out these product URLs:

    http://www.synergix.com/products/active-directory-client-extensions/

    support.microsoft.com/.../202927738-Test-Scenario-Managing-Built-In-Administrator-Account-Password

  5. Anonymous says:

    Why does the password need to expire after being randomized?

  6. Anonymous says:

    You don't want to keep the same password even though it is random

  7. BigMcLargehuge says:

    This all makes sense, but I have another question and must be missing something obvious... if a computer leaves a domain, the computer object is no longer available in ADUC, so how do you retrieve the password if you didn't make a note of it ahead of time, especially if using BitLocker, so you can't boot off a USB or disc to reset it? Is there a way using ADSI Edit or similar?

  8. @BigMcLargehuge: the attribute that stores the password of the managed admin account is marked as not to be removed from the tombstone - so even if the computer account is deleted, the password can be recovered from the tombstone (which is kept for 180 days by default).

    Plus there is the AD Recycle Bin on newer OSs that helps with recovery from a deleted computer account as well.

    Hope this helps,

    Jiri
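As an added example illustrating the recovery path described in the reply above (this is not part of the original post or of LAPS itself), the following PowerShell script searches the tombstoned computer object by name and reads the preserved ms-Mcs-AdmPwd value. It assumes the caller holds the rights to read deleted objects and the password attribute (by default Domain Admins), that the account was deleted less than tombstoneLifetime ago, and that no AD Recycle Bin is needed for the lookup; the parameter name $ComputerName is the example's own.

```powershell
# Added example (not part of the original post): read ms-Mcs-AdmPwd from a
# deleted (tombstoned) computer object. Assumptions: the caller can read the
# Deleted Objects container and the password attribute (Domain Admins by
# default), and the object was deleted within tombstoneLifetime.

param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName   # NetBIOS name of the deleted computer, e.g. PC0001 (placeholder)
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

# Tombstone = $true sends the "show deleted objects" LDAP control so that
# tombstones are returned. sAMAccountName is preserved on tombstones, so it
# can still be used in the filter.
$searcher.Tombstone = $true
$searcher.Filter    = "(&(isDeleted=TRUE)(objectClass=computer)(sAMAccountName=$ComputerName`$))"
foreach ($p in 'distinguishedName', 'lastKnownParent', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$deleted = $searcher.FindAll()
if ($deleted.Count -eq 0) {
    Write-Warning "No tombstone found for $ComputerName; it may already be past tombstoneLifetime"
    return
}

foreach ($entry in $deleted) {
    $props = $entry.Properties   # property names are lower-cased in results
    # ms-Mcs-AdmPwd survives deletion because its schema searchFlags include
    # "preserve on delete"; the value is absent if the caller may not read it.
    $password = if ($props.Contains('ms-mcs-admpwd')) { $props['ms-mcs-admpwd'][0] } else { $null }
    [pscustomobject]@{
        DistinguishedName = $props['distinguishedname'][0]
        LastKnownParent   = $props['lastknownparent'][0]
        PasswordPresent   = ($null -ne $password)
        Password          = $password
    }
}
```

If the object was deleted on a domain with the AD Recycle Bin enabled, it is in the "deleted" (recoverable) state rather than a plain tombstone, and restoring the whole object with Restore-ADObject is the simpler route; the search above still finds it, since the same LDAP control returns both states.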
