Deploying Microsoft LAPS to a non-persistent VDI environment requires a slightly different approach from the one used for traditional machines, especially in environments that force a reboot after user log off (e.g. Citrix XenDesktop using PVS). Out of the box, the sequence of events is:
- Computer Boots up for the first time after LAPS installation and GPO configuration
- When Group Policy is refreshed, the LAPS CSE reads ms-Mcs-AdmPwdExpirationTime, which reads as 0 because no password has ever been set for this computer
- A new password is set on the computer and written to Active Directory, and the ms-Mcs-AdmPwdExpirationTime attribute is updated with an expiry date for the password (as per the Group Policy "password age (days)" setting)
- Computer is restarted and boots the golden image
- When Group Policy is refreshed, the LAPS CSE reads ms-Mcs-AdmPwdExpirationTime, which is now populated with the expiry time of the password set during the previous boot
- The computer does not update the password, because the local password was discarded with the non-persistent disk while AD still considers it current
- LAPS is not functional
Originally I looked at clearing the ms-Mcs-AdmPwdExpirationTime attribute on shutdown with a VBS script.
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
' Change ms-Mcs-AdmPwdExpirationTime attribute to 0
objComputer.Put "ms-Mcs-AdmPwdExpirationTime", "0"
' Write change to AD
objComputer.SetInfo
This can also be accomplished with PowerShell, but that requires installing the Remote Server Administration Tools, which wasn’t desirable. Running the script on shutdown was unsuccessful, due to an issue with how Citrix Delivery Controllers manage the shutdown process of the virtual desktops, essentially preventing the script from running. More information here: Logoff Script is terminated early on XenDesktop. This may not be an issue for you if you are using another VDI solution.
After trying a few other methods, the following has proven to be reliable. The VBS script sets the ms-Mcs-AdmPwdExpirationTime attribute to 0, waits 3 minutes and then runs GPUpdate to trigger a password update. The three-minute pause is insurance that the ms-Mcs-AdmPwdExpirationTime change has replicated to the other DCs within the same site before the CSE runs. With this method you are essentially setting a new password and expiry date at every startup; maybe Microsoft will add this as a feature in a future release of LAPS.
Add this to a startup script either in Group Policy or locally on the golden image with gpedit.msc and enjoy LAPS within your VDI environment!
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
' Change ms-Mcs-AdmPwdExpirationTime attribute to 0
objComputer.Put "ms-Mcs-AdmPwdExpirationTime", "0"
' Write change to AD
objComputer.SetInfo
' Sleep 3 minutes
WScript.Sleep(180000)
Set WshShell = CreateObject("Wscript.Shell")
' Run GPUpdate force and target only the computer policies
Result = WshShell.Run("cmd /c echo n | gpupdate /target:computer /force", 0, true)
' Exit with code
Wscript.Quit(Result)
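The same startup routine in PowerShell, added here as an example and not part of the original post: it uses the built-in [ADSISearcher]/[ADSI] accelerators (System.DirectoryServices), so the RSAT ActiveDirectory module is not needed, and after the GPUpdate it checks that the CSE really wrote a new, future expiry time so a failed rotation shows up in the exit code. It assumes it runs as SYSTEM as a startup script on a domain-joined desktop whose computer object carries the LAPS schema attributes, and that serverless binding lands on the same DC for the write and the later read.

```powershell
# Added example (not from the original post): LAPS expiry reset for non-persistent
# VDI via System.DirectoryServices; no RSAT / ActiveDirectory module required.
# Assumed: runs as SYSTEM at startup on a domain-joined computer with the LAPS schema.

$attr   = 'ms-Mcs-AdmPwdExpirationTime'
# The computer account's sAMAccountName is the hostname followed by '$'
$filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"

function Get-LapsExpiry {
    # DirectorySearcher returns LargeInteger attributes as [int64] FILETIME values.
    # 0 or absent means "never set / forced to expire"; otherwise a UTC expiry time.
    $r = ([ADSISearcher]$filter).FindOne()
    if ($null -eq $r) { throw "Computer object for $env:COMPUTERNAME not found" }
    $v = $r.Properties[$attr.ToLower()]   # SearchResult property names are lowercase
    if ($null -eq $v -or $v.Count -eq 0 -or $v[0] -eq 0) { return $null }
    return [DateTime]::FromFileTimeUtc([int64]$v[0])
}

# 1. Reset the expiry to 0 (the same attribute write the VBS script performs)
$entry = ([ADSISearcher]$filter).FindOne().GetDirectoryEntry()
$entry.Put($attr, '0')
$entry.SetInfo()

# 2. Allow intra-site replication to carry the change to the other DCs
Start-Sleep -Seconds 180

# 3. Trigger the LAPS CSE; 'echo n' answers any logoff/reboot prompt with "no"
cmd /c 'echo n | gpupdate /target:computer /force' | Out-Null
$gpResult = $LASTEXITCODE

# 4. Verify: the CSE should now have written an expiry that lies in the future
$expiry = Get-LapsExpiry
if ($null -eq $expiry -or $expiry -le [DateTime]::UtcNow) {
    Write-Output "LAPS did not rotate the password (expiry: $expiry, gpupdate rc=$gpResult)"
    exit 1
}
Write-Output "LAPS password rotated, new expiry (UTC): $expiry"
exit 0
```

A non-zero exit code from a startup script is easy to alert on centrally, which is how you notice a desktop pool that has silently stopped rotating its local administrator password.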