Deploying Microsoft LAPS – Non-Persistent VDI


Deploying Microsoft LAPS to a non-persistent VDI environment requires a slightly different approach from traditional machines, especially in environments that force a reboot after user log off (e.g. Citrix XenDesktop using PVS).

Issue

  1. Computer boots up for the first time after LAPS installation and GPO configuration
  2. When Group Policy is refreshed, the LAPS CSE reads ms-Mcs-AdmPwdExpirationTime, which is 0 because a password has never been set for this computer
  3. A new password is set on the computer and written to Active Directory, and the ms-Mcs-AdmPwdExpirationTime attribute is updated with an expiry date for the password (as per the Group Policy "password age (days)" setting)
  4. Computer is restarted and boots the golden image
  5. When Group Policy is refreshed, the LAPS CSE reads ms-Mcs-AdmPwdExpirationTime; the value is now populated with the expiry time for the password set in step 3
  6. Computer does not update the password
  7. LAPS is not functional

Fix

Originally I looked at clearing the ms-Mcs-AdmPwdExpirationTime attribute on shutdown with VBS.

Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
' Change ms-Mcs-AdmPwdExpirationTime attribute to 0
objComputer.Put "ms-Mcs-AdmPwdExpirationTime", "0"
' Write change to AD
objComputer.SetInfo

This can also be accomplished with PowerShell, but that requires installing the Remote Server Administration Tools, which wasn't desirable. Running the script on shutdown was unsuccessful due to an issue with how Citrix Delivery Controllers manage the shutdown process of the virtual desktops, essentially preventing the script from running. More information here: Logoff Script is terminated early on XenDesktop. This may not be an issue for you if you are using another VDI solution.

After trying a few other methods, the following has proven to be reliable. The VBS script sets the ms-Mcs-AdmPwdExpirationTime attribute to 0, waits 3 minutes and then runs GPUpdate to trigger a password update. The 3 minute pause is insurance that the ms-Mcs-AdmPwdExpirationTime change has replicated to the other DCs within the same site. With this method you are essentially setting a new password and expiry date at every startup; maybe Microsoft will add this as a feature in a future release of LAPS.

Add this to a startup script either in Group Policy or locally on the golden image with gpedit.msc and enjoy LAPS within your VDI environment!

LAPSVDI.vbs

Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
' Change ms-Mcs-AdmPwdExpirationTime attribute to 0
objComputer.Put "ms-Mcs-AdmPwdExpirationTime", "0"
' Write change to AD
objComputer.SetInfo
' Sleep 3 minutes (180000 ms) so the change can replicate to the other DCs in the site
WScript.Sleep(180000)
Set WshShell = CreateObject("Wscript.Shell")
' Run GPUpdate /force and target only the computer policies;
' "echo n" answers the log off / restart prompt that gpupdate may show
Result = WshShell.Run("cmd /c echo n | gpupdate /target:computer /force", 0, True)
' Exit with the gpupdate exit code
WScript.Quit(Result)
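As an added example (not the post's own script), the same startup logic in PowerShell using only ADSI/System.DirectoryServices, so it does not need RSAT: it clears the expiry, polls until the cleared value is readable (capped at 180 seconds) rather than sleeping unconditionally, forces the policy refresh, and then verifies that the CSE really rotated the password by checking that the new expiry is a future FILETIME, logging the result to the Application event log for monitoring. The event source name 'LAPS-VDI', the event IDs and the 180-second cap are assumptions of this example.

```powershell
# Added example, not from the original post. Assumes it runs as SYSTEM as a startup
# script on a domain-joined VDI machine with the LAPS CSE installed; the event source
# name, event IDs and $MaxWaitSeconds are this example's own choices.
$Attr = 'ms-Mcs-AdmPwdExpirationTime'
$MaxWaitSeconds = 180   # upper bound; the VBS version sleeps this long unconditionally

function Get-ComputerSearchResult {
    # Find this computer's object by sAMAccountName ("HOST$") under the default naming context.
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    [void]$searcher.PropertiesToLoad.Add($Attr)
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found" }
    $result
}

function Get-ExpirationValue {
    # The attribute is a large integer (FILETIME); treat absent as 0 (cleared).
    $props = (Get-ComputerSearchResult).Properties[$Attr.ToLower()]
    if (-not $props -or $props.Count -eq 0) { return [int64]0 }
    return [int64]$props[0]
}

# 1. Clear the expiry so the CSE treats the password as never set (same as the VBS).
$computer = [ADSI](Get-ComputerSearchResult).Path
$computer.Put($Attr, '0')
$computer.SetInfo()

# 2. Wait until the cleared value is readable through a fresh bind, instead of a fixed sleep.
$deadline = (Get-Date).AddSeconds($MaxWaitSeconds)
while ((Get-ExpirationValue) -ne 0 -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 15 }

# 3. Force computer policy processing; "echo n" answers gpupdate's log off / restart prompt.
cmd.exe /c 'echo n | gpupdate /target:computer /force' | Out-Null

# 4. Verify the CSE rotated the password: the expiry must now be a future timestamp.
$after = Get-ExpirationValue
$expiry = if ($after -gt 0) { [DateTime]::FromFileTimeUtc($after) } else { $null }
$ok = [bool]$expiry -and $expiry -gt (Get-Date).ToUniversalTime()
$msg = if ($ok) { "LAPS rotated the password; new expiry (UTC): $expiry" } else { "LAPS did not rotate the password; $Attr is $after" }
$id = if ($ok) { 1000 } else { 1001 }
$type = if ($ok) { 'Information' } else { 'Warning' }
if (-not [System.Diagnostics.EventLog]::SourceExists('LAPS-VDI')) { New-EventLog -LogName Application -Source 'LAPS-VDI' }
Write-EventLog -LogName Application -Source 'LAPS-VDI' -EventId $id -EntryType $type -Message $msg
exit $(if ($ok) { 0 } else { 1 })
```

A non-zero exit or an event ID 1001 in the Application log flags a desktop where the rotation did not happen, which is the failure mode described in the Issue section.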
Dylan Austin