LAPS - Minimum password not working

    Question

  • We are testing the use of LAPS. We have set up the GPO to use a minimum password of 1 but the expiration is not changing from 30 days. So in turn the password is not changing on the schedule we would like.

    Has anyone had any issue with this?

    Thanks

    Paul


    Paul Glickenhaus

    Thursday, January 05, 2017 9:25 PM

All replies

  • Hi Paul,
    Please check if following article will help you:
    https://dirteam.com/sander/2015/05/02/security-thoughts-microsoft-local-administrator-password-solution-laps-kb3062591/
    From article:
    “To manage password settings, first, enable the Enable local admin password management Group Policy setting. Its default setting is Not Configured.
    Then, open the Password Settings Group Policy setting and select appropriate settings for the local administrator passwords. Options include password complexity, password length and password age (in days).
    The Do not allow password expiration time longer than required by policy Group Policy setting, when enabled, will make the Local Administrator Password Solution (LAPS) change passwords before they expire (as configured in the previous Password Settings Group Policy setting).”
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, January 06, 2017 6:17 AM
    Moderator
  • On 05.01.2017 at 22:25, PJGLICK1 wrote:
    > We are testing the use of LAPS. We have set up the GPO to use a
    > minimum password of 1 [...]  Has anyone had any issue with this?
     
    No, no one. Anyone else read the EXPLAIN of the Policy ...
     
    Password Minimum: 8 characters
     
    To allow 1 character you need to edit the admpwd.admx, but even if you
    do, the CSE/DLL will not use this setting and I guess it will ignore
    all others as well. That's why it does not work.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, January 06, 2017 11:46 AM
  • I apologize, I mistyped. I meant minimum password age.

    Paul


    Paul Glickenhaus

    Friday, January 06, 2017 1:08 PM
  • On 06.01.2017 at 14:08, PJGLICK1 wrote:
    > I apologize, I mistyped. I meant minimum password age.
     
    Is the admin password written into AD?
    Is the password age written correctly into AD?
    You can reset the password age to yesterday and it should be changed by
    the next gpupdate?
     
    Enable verbose logging on the client and take a look inside the eventlog.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}
    "ExtensionDebugLevel"=2 (DWORD)
     
    See LAPS_OperationsGuide.docx, 5.1.2 for the Event IDs.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, January 06, 2017 1:27 PM
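The verbose-logging step from the reply above, as an added example that is not part of the original thread: it sets the registry value Mark quotes, re-applies policy, and reads back the CSE's events. The registry path and value come from the reply; the Application log source name 'AdmPwd' is an assumption, and the script must run elevated.

```powershell
# Added example (not from the thread): enable verbose LAPS CSE logging on a
# client, trigger a policy refresh, and pull the resulting events.
# Registry path and value are the ones quoted in the reply above.
$gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'

# ExtensionDebugLevel = 2 switches the AdmPwd CSE to verbose logging
Set-ItemProperty -Path $gpExt -Name 'ExtensionDebugLevel' -Value 2 -Type DWord

# Re-apply computer policy so the CSE runs and logs its decisions
gpupdate /target:computer /force | Out-Null

# Assumption: the CSE logs to the Application log under source 'AdmPwd'.
# The event IDs are documented in LAPS_OperationsGuide.docx, section 5.1.2.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'AdmPwd'
        StartTime    = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# Return to the default (non-verbose) level once the run has been reviewed
Set-ItemProperty -Path $gpExt -Name 'ExtensionDebugLevel' -Value 0 -Type DWord
```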
  • The issue we are seeing is that after a gpupdate, post policy change, the password expiration date is not changing. The default setting was used initially, which is 30 days. We are trying to move it to 1 or 2 days to test.

    Will the new policy setting not take effect until it reaches its currently assigned expiration date and will then expire based on the new policy setting?

    We are trying to change via GPO, not the LAPS console.


    Paul Glickenhaus

    Friday, January 06, 2017 6:45 PM
  • Hi,
     
    On 06.01.2017 at 19:45, PJGLICK1 wrote:
    > The issue we are seeing is that after a gpupdate, post policy
    > change, the password expiration date is not changing? The default
    > setting was used initially which is 30 days. We are trying to move it
    > to 1 or 2 days to test.
     
    That's the expected behavior. The password expiry date inside AD is only
    generated at the time the password is set. It's the same behavior as in
    the domain password policy.
     
    Your user creates a new password and the expiration is set to e.g. "30";
    you change it to 180 days. The password will expire in 30 days, the user
    needs to change it in 30 days, but then the NEW expiration is set to
    +180 days.
     
    LAPS behaves the same.
    If you change the time to "1" you need to have a password change to
    create a new expiration date. Otherwise the 30 days from the last time
    the password was set is still used.
     
    > We are trying to change via GPO, not the LAPS console.
     
    You need to set the time to an expired date, to "force" a new password
    creation. Use the UI for it.
     
    One idea of it is to create "1 day admins".
    Your user needs the local admin password, for whatever reason, and he is
    allowed to get it. Now you can provide the password and set the
    expiration date to tomorrow. That will generate a new password tomorrow
    and the user can only use the one you gave him for one day.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, January 06, 2017 7:12 PM
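The expiry behaviour Mark describes (the date is only rewritten when a password is set, so a lowered age takes effect after the next change, and an expiry moved into the past forces that change), as an added example that is not from the thread: it reads a computer's stored LAPS expiry from AD, reports it, and expires it early. It assumes the RSAT ActiveDirectory module and the LAPS AdmPwd.PS module are installed and that the account has rights to reset expiry; 'WS01' is a constructed sample name.

```powershell
# Added example (not from the thread): inspect and force LAPS password expiry.
# Assumes RSAT ActiveDirectory and the LAPS AdmPwd.PS module are installed.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$computerName = 'WS01'   # constructed sample computer name

# ms-Mcs-AdmPwdExpirationTime stores a Windows FILETIME (100 ns ticks since 1601, UTC)
$comp = Get-ADComputer -Identity $computerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
$raw  = $comp.'ms-Mcs-AdmPwdExpirationTime'

if (-not $raw) {
    Write-Warning "$computerName has no LAPS expiry stored; the CSE has not set a password yet."
    return
}

$expires   = [DateTime]::FromFileTimeUtc([int64]$raw)
$remaining = $expires - (Get-Date).ToUniversalTime()
Write-Host ("Current expiry (UTC): {0:u}  ({1:N1} days from now)" -f $expires, $remaining.TotalDays)

# The expiry is only recalculated when the CSE writes a new password, so a
# freshly lowered password age still shows the old date. Moving the expiry
# to now makes the client rotate on its next policy refresh, after which the
# new age applies. Reset-AdmPwdPassword only writes the attribute in AD.
if ($remaining.TotalDays -gt 2) {
    Reset-AdmPwdPassword -ComputerName $computerName -WhenEffective (Get-Date)
    Write-Host "Expiry reset; $computerName will rotate its password at the next gpupdate."
}
```

The same attribute read can be run across an OU with Get-ADComputer -Filter to spot machines whose expiry still reflects the old 30-day policy.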