Use LAPS in Local Admin Passwords for Non-persistent Environments

---

Instructions

There are many third-party solutions that implement this functionality, but there is one solution that is available to everyone – Local Administrator Passwords Solution (LAPS) from Microsoft. LAPS is using Group Policy engine (through new client-side extension) to automatically generate random password on each of the domain computers.

LAPS is a simple, elegant, and fully functional solution.
LAPS can be implemented on MCS and PVS environments. 

 

LAPS
Microsoft released a newer version of LAPS in 2023 supporting additional environments and configurations.
This release has included PowerShell commandlets for LAPS which can be utilized in non persistent environments.

https://learn.microsoft.com/en-us/powershell/module/laps/?view=windowsserver2022-ps

Either of below commandlets could be included in a local startup script applied to non persistent VDAs MCS master VMs or in PVS writeable vdisks.

When configured in a local startup script, this would ensure the local passwords are rotated each time after startup.
https://learn.microsoft.com/en-us/powershell/module/laps/set-lapsadpasswordexpirationtime?view=windowsserver2022-ps
https://learn.microsoft.com/en-us/powershell/module/laps/reset-lapspassword?view=windowsserver2022-ps

Reset-LapsPassword 

This example forces immediate rotation of the managed local account. 



Legacy Laps:
LAPS released in 2016, guidance was detailed here.
https://www.citrix.com/blogs/2017/12/12/password-wars-randomizing-local-admin-passwords-in-non-persistent-environments/

In summary, on shut down of a non persistent VDA use a powershell script to set the password as expired.
Which means on next start up of the non persistent VDA LAPS will rotate the password.

Write-Host "Retrieve current machine account" 
$filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$env:COMPUTERNAME))"
$Object = ([adsisearcher]$filter).FindOne().GetDirectoryEntry()

Write-Host "Reset the password expiration timer to 0"
$Object.psbase.InvokeSet("ms-Mcs-AdmPwdExpirationTime", 0)
Write-Host "Save changes to Active Directory object" 
$Object.SetInfo()

 

 

 

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

https://learn.microsoft.com/en-us/powershell/module/laps/reset-lapspassword?view=windowsserver2022-ps

https://www.citrix.com/blogs/2017/12/12/password-wars-randomizing-local-admin-passwords-in-non-persistent-environments/