What Happens to Old LAPS Passwords After Transitioning to Entra ID?

Asked By TechyGuru123 On

I've switched from using Windows LAPS with the Legacy LAPS group policy templates to the new Windows LAPS CSP policy which saves credentials to Entra ID. I've noticed that the last password backed up to Active Directory (AD) is still stored in the `ms-Mcs-AdmPwd` property. Do I need to manually remove this old password or will it be deleted automatically? We can't delete this property completely since we still have some devices running older hardware that relies on the old Legacy LAPS policies.

1 Answer

Answered By DataNinja88 On

If your device hasn’t switched over to the new LAPS, AD will still hold onto the last password that was set. You will need to clear it out manually. There’s an uninstall process that can help you remove the stale attributes that were set during the old LAPS installation.

TechyGuru123 -

Thanks for the info! Since we need to retain those schema properties for some servers on WS2016, I might just clean up the properties for the devices that are now using Entra ID. I found that I can use: `Set-ADComputer -Identity $computer -Clear ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime`.
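One way to scope the cleanup from the comment above to migrated devices only, as an added example that is not part of the original thread. The group name `LAPS-EntraID-Migrated` is an assumption (a hypothetical AD group holding the computer accounts that now back up to Entra ID); the cmdlets come from the ActiveDirectory RSAT module.

```powershell
#Requires -Modules ActiveDirectory
# Added example: clear the legacy LAPS attributes only on migrated devices,
# leaving devices still on Legacy LAPS (e.g. the WS2016 servers) untouched.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical group containing computers now managed by Windows LAPS / Entra ID
    [string]$MigratedGroup = 'LAPS-EntraID-Migrated'
)

$legacyAttrs = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

$results = foreach ($member in Get-ADGroupMember -Identity $MigratedGroup) {
    if ($member.objectClass -ne 'computer') { continue }

    $computer = Get-ADComputer -Identity $member.distinguishedName -Properties $legacyAttrs

    # ms-Mcs-AdmPwd is a confidential attribute: an account without read rights
    # sees it as empty. The expiration time is readable, so use it as the marker
    # that a legacy password was stored at some point.
    $hadLegacy = $null -ne $computer.'ms-Mcs-AdmPwdExpirationTime'

    $cleared = $false
    if ($hadLegacy -and $PSCmdlet.ShouldProcess($computer.Name, 'Clear legacy LAPS attributes')) {
        Set-ADComputer -Identity $computer -Clear $legacyAttrs

        # Re-read to confirm the stale values are gone
        $after   = Get-ADComputer -Identity $computer -Properties $legacyAttrs
        $cleared = $null -eq $after.'ms-Mcs-AdmPwdExpirationTime'
    }

    [pscustomobject]@{
        Computer        = $computer.Name
        HadLegacyValues = $hadLegacy
        Cleared         = $cleared
    }
}

$results | Sort-Object Computer | Format-Table -AutoSize
```

Run it with `-WhatIf` first to list the computers that would be changed without writing to AD.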
