LAPS and MS14-025

This short post is a reminder of a few things regarding the coexistence of LAPS and local account password management via Group Policy Preferences (GPP) after installing hotfix 2928120.

Managing local account passwords via GPP was not the best thing to do from a security perspective, so this functionality was disabled by the hotfix mentioned above.

However, installing the hotfix only disables the ability to make changes to the relevant parts of GPP. It keeps the current settings in place, so as not to disrupt processes that may rely on settings distributed by GPP.

When installing LAPS into the environment, people may forget to remove the local administrator password management settings from GPP, thinking they were removed by installing the hotfix mentioned above. The result is two independent processes managing the password of the local administrator account, which invalidates the password that LAPS stores in AD on the computer account.

So when installing LAPS, please always make sure that the local administrator password management settings are removed from GPP prior to deploying LAPS.
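
One way to check for such leftover settings before the LAPS rollout, as an added example that is not part of the original post: the function below scans a Policies folder for GPP `Groups.xml` files and reports local user items that still carry a `cpassword` attribute, without printing its value. The function name `Find-GppLocalUserPassword`, the temp folder and the sample XML are constructed for illustration, and the SYSVOL path in the last comment is an assumption.

```powershell
# Added example: list GPP "Local Users and Groups" items that still carry a password.
function Find-GppLocalUserPassword {
    param([Parameter(Mandatory)][string]$PoliciesPath)

    Get-ChildItem -Path $PoliciesPath -Recurse -Filter 'Groups.xml' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
            catch { Write-Warning "Cannot parse $($file.FullName)"; return }

            # The GPO GUID is the folder directly under Policies.
            $gpo = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }

            foreach ($user in $xml.SelectNodes('//User')) {
                $props = $user.SelectSingleNode('Properties')
                # A non-empty cpassword attribute means GPP still sets this password.
                if ($props -and $props.GetAttribute('cpassword')) {
                    [pscustomobject]@{
                        GpoGuid = $gpo
                        Account = $props.GetAttribute('userName')
                        Action  = $props.GetAttribute('action')
                        Changed = $user.GetAttribute('changed')
                        File    = $file.FullName
                    }   # the cpassword value itself is deliberately not output
                }
            }
        }
}

# Constructed sample (simplified Groups.xml, placeholder GUID and password value).
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
@'
<Groups>
  <User name="Administrator (built-in)" changed="2014-01-01 00:00:00">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" userName="Administrator (built-in)"/>
  </User>
  <User name="svc-local" changed="2014-01-01 00:00:00">
    <Properties action="U" cpassword="" userName="svc-local"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml')

Find-GppLocalUserPassword -PoliciesPath $root | Format-Table GpoGuid, Account, Action, Changed

# Against a domain (path is an assumption; adjust to your SYSVOL):
# Find-GppLocalUserPassword -PoliciesPath "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
```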