New (non-legacy) LAPS reset local account password unintentionally after Apr-2023 patch

BIll Lam 25 Reputation points
2023-04-14T09:36:21.27+00:00

Summary:

Failed to log in to the default admin account on a domain-joined Windows Server 2019 after applying the Apr-2023 patch.

Problem:

A Windows Server 2019 domain-joined machine applied the Apr-2023 patch. No legacy LAPS GPO was applied to the server and no legacy LAPS agent was installed on the server.

Failed to log in to the default admin account after the patch. Found that a new password had been set by the new LAPS agent shipped with the Apr-2023 patch and uploaded to the ms-Mcs-AdmPwd attribute in Active Directory.

Expected Behavior:

Admin password must not be changed by LAPS unless relevant policy is set intentionally.

Additional Information:

We applied the Microsoft LAPS schema extension to our Active Directory. The schema extension was used by the legacy LAPS agent for OTHER Windows machines. We expect that the admin password will only be rotated if:

  1. Legacy LAPS agent has been installed in the Windows machines; AND
  2. LAPS GPO has been applied to the Windows machines

We have double checked that NONE of the above are true for the affected Windows Server 2019 machine.


1 answer

Jay Simmons 81 Reputation points Microsoft Employee
2023-04-14T13:55:35.17+00:00

@BIll Lam, the new LAPS feature has an emulation mode where it will now honor the legacy LAPS GPO when it is applied to the device and the legacy LAPS agent has not been installed. This is probably what you are hitting. There is a workaround you should apply to the device: please create a REG_DWORD value named "BackupDirectory" under the following key, HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config, and set it to zero. This will disable the new LAPS feature from honoring the legacy LAPS GPO. After that, reset the password on the admin account. thx, Jay
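The registry workaround from the answer above, written out as a PowerShell script. This is an added example, not code from Microsoft or from either poster: the key path and value name are exactly the ones Jay gives, the value 0 is the "set it to zero" step, and the function and variable names are my own. The audit function at the end assumes the RSAT ActiveDirectory module is available; it only lists computer names that have something stored in ms-Mcs-AdmPwd (the attribute the question mentions), so you can find other machines the emulation mode may have touched without reading the passwords themselves.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Applies the BackupDirectory=0 workaround
# described in the answer and audits AD for other legacy-LAPS-managed computers.
# Assumptions: key path and value name as given in the answer; RSAT ActiveDirectory
# module installed for Get-LegacyLapsManagedComputers.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Key and value named in Jay's answer (HKLM:\ drive form of the same path)
$LapsConfigKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config'
$ValueName     = 'BackupDirectory'

function Get-LapsBackupDirectory {
    # Returns the current BackupDirectory value, or $null when the key or value is absent
    if (-not (Test-Path -Path $LapsConfigKey)) { return $null }
    $item = Get-ItemProperty -Path $LapsConfigKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Disable-LapsLegacyEmulation {
    # Creates the key if needed and sets BackupDirectory (REG_DWORD) to 0,
    # which per the answer stops new LAPS from honoring a legacy LAPS GPO.
    # Supports -WhatIf so you can preview the change on a production host.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path -Path $LapsConfigKey)) {
        if ($PSCmdlet.ShouldProcess($LapsConfigKey, 'Create registry key')) {
            New-Item -Path $LapsConfigKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$LapsConfigKey\$ValueName", 'Set REG_DWORD to 0')) {
        # -Force makes this idempotent: it overwrites an existing value instead of failing
        New-ItemProperty -Path $LapsConfigKey -Name $ValueName `
                         -PropertyType DWord -Value 0 -Force | Out-Null
    }
    return Get-LapsBackupDirectory
}

function Get-LegacyLapsManagedComputers {
    # Lists computer objects whose ms-Mcs-AdmPwd attribute is populated. The attribute
    # itself is deliberately not requested, so no passwords are pulled into the session.
    # Note: the LDAP server only matches the filter for callers allowed to read the
    # attribute, so run this with an account that has that right.
    Import-Module ActiveDirectory
    Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwd=*)' |
        Select-Object Name, DNSHostName, DistinguishedName
}

# --- usage ---------------------------------------------------------------
$before = Get-LapsBackupDirectory
Write-Host ("BackupDirectory before: {0}" -f ($(if ($null -eq $before) { '<not set>' } else { $before })))

$after = Disable-LapsLegacyEmulation   # add -WhatIf to preview only
Write-Host ("BackupDirectory after:  {0}" -f $after)

if ($after -ne 0) {
    throw "BackupDirectory is not 0; the workaround was not applied."
}

# The answer's final step, resetting the local admin password, is a separate
# manual action on the affected account and is intentionally not scripted here.

# Optional: find other computers that currently have a legacy LAPS password in AD
# Get-LegacyLapsManagedComputers | Format-Table -AutoSize
```

Run it once on the affected server; the `Write-Host` lines show the value before and after so the change is visible in your session log, and `-WhatIf` on `Disable-LapsLegacyEmulation` lets you confirm the exact key and value that would be written before touching the registry.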