LAPS GPO Setting Confusion RRS feed

  • Question

  • We're in the process of testing the implementation of LAPS in our environment. I'm confused by the following GPO LAPS setting: 


    Do not allow password expiration time longer than required by policy


    When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy.

    When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy.


    So if you disable or don't configure this setting, it says it allows the password expiration to go longer than the Password Settings policy. If that's the case, then what is the point of setting the password age in the "Password Settings" policy? Shouldn't this be the default behavior anyway?

    I'm just not clear on the ramifications of Enabling or not setting this policy, because the enabled description is what I would expect the default setting to be if "Password Settings" are configured.

    Thursday, September 21, 2017 9:20 PM

All replies