LAPS and machine reinstalls

LAPS uses attribute ms-MCS-AdmPwdExpirationTime at computer object to remember expiration time of local administrator password. Works pretty well during lifetime of computer. But what happens when computer is reinstalled? LAPS design expects that in this case, computer account is deleted and created again. But what if you decide to reuse computer account?

In this case, when you install the computer and then install LAPS CSE on it, during first GPO refresh after install, CSE looks to computer account and sees that it is not time to reset password yet: ms-MCS-AdmPwdExpirationTime attribute still has value populated by previous computer that used this computer account. This means that the password that is on local administrator account after setup may be there until the password expiration time set by previous computer expires: up to 30 days by default.

If you want to ensure that password expires immediately, attached simple script will help you: it will connect to computer account in AD and clears the value of ms-MCS-AdmPwdExpirationTime, effectively telling LAPS that it needs to change change local administrator account password upon next GPO refresh.

Best to run the script from SCCM during Task Sequence, under Local System account: this will work because permission setup for LAPS allows computer itsellf write to ms-MCS-AdmPwdExpirationTime on own computer object.

- Jiri