LAPS password expires incorrect by GPO

Question

We use LAPS for remote laptops that are used as Business continuity for disasters or weather etc. In order to use them we use LAPS and the DC will store the password and we set the expiration as valid for 1 year and that part is great, The issue comes in with GPO, We have a GPO that is for password expiration (set to 42 days) and even though LAPS GPO is set for 1 year the laptops wil not allow logon with that LAPS password after 42 days. I ran a powershell on one of the laptops and confirmed that the laptop has the password set to expire at 42 days. GPO for LAPS says 1 year. We use the laps password for 1st log on, It is a local machine account (non admin) and laps is told to set the password for that account (exmple .\rescue123) AD/DC shows valid for 1 year but the machine will say it is expired at 42 days and will not allow login using that password. So what I have been doing is changing the expiration (large integer) to a date in the past and then doing a GP update to set the new password before the laptop leaves the IT building. Any ideas on how to make LAPS password or exclude a local machine account from the 42 day set by GPO?

Answer 1

Hi there,

This issue can occur if the GPO cannot be updated properly. Open an elevated CMD . Type gpupdate /force and press enter. Wait for the Computer and User policy to update and then reboot and check the machine.

Also check if the GPO are applying properly or is their any other GPO with priority taking over this expiration GPO.

The below thread discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue. https://learn.microsoft.com/en-us/answers/questions/373150/laps-written-password-doesn39t-work.html

----------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer--

Answer 2

Thanks,
The issue occurs even if with GPupdate /force. I can go into the DC and change the expiration to a date further then 1 year in the past and run gpupdate and it will update the password in DC and the machine . If however, the password (laps is set to 1 year) is more then 42 days old and the user enters that recovery password for the .\rescue account to log into the laptop for the first time, it will say the password is expired and must be changed but it will not allow them to change it. They then have to bring it in , I change the attribute mc-Mcs-AdmPWD expire to a date older then 1 year (for example 132856932200000000 that is 1/3/2022) it will then on next GPUpdate set a new ADMPWD in the attributes on the DC and they can use that password to log in the first time. Currently the way this is working and what we use it for is we provide them the laptop, we use DUO, and netextender and LAPS to manage a local user (.\rescue) they log in using that, they connect to there wifi, they then connect to netextender, once they are connected they do a switch user, then enter there domain credentials, it caches those credentials to the machine, then they can log back into the laptop without using the .\rescue and connect to the netextender. Problem is if the laptop has been updated and ready to provide to a user for BC purposes and it has been sitting in the server room for more then 42 days that password will not work and that is why we set the LAPS to 1 year.

My thought was that Domain group policy is not only effecting the domain users but also the local rescue account and overrides the LAPS GPO. But not sure how to get GP to not effect the rescue account when it comes to the password policy and let laps manage that one but still have password group policy enforce the 42 day policy for domain users.