
LAPS workaround

Open lyonelf opened this issue 10 months ago • 5 comments

Hi,

Not really an issue but an add-on request.

How can we execute task sequences with Active Directory LAPS activated?

1: using another local admin user

2: delete the computer during WinPE pre 1st boot Windows

3: ?

In these cases, how do we do that?

lyonelf avatar Feb 21 '25 14:02 lyonelf

This process is no different when using MDT. MDT uses Autologon registry keys for the post Task Sequence startup process, where SCCM uses an agent and SYSTEM account. Like MDT, and in my experience, in PSD when deploying Domain joined devices, you should join a device to an OU that has no LAPS policy or other restrictive policies for that matter, then during the end you can move the device to a normal OU.

You will find several blogs on this on the internet. Use Bing... :grin: :wink:

PowerShellCrack avatar Mar 14 '25 17:03 PowerShellCrack

Actually I stay in MDT, but I've found a method to reset LAPS: delete and re-add the computer,
combined with a Recover From Domain step and another to automatically move my computer to the correct OU.

I'll share the scripts with you:

Delete, first step in the State Restore phase:

```powershell
# Get the local computer name
$computerName = $env:COMPUTERNAME

# Define the credentials (placeholders: fill in the account and its password)
$username = "DOMAINE"
$password = ""

# Build the credential object (not used below; DirectoryEntry takes the plain username/password)
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $securePassword

# Connect to AD
$domain = "LDAP://IP or DNS server AD"
$domainEntry = New-Object System.DirectoryServices.DirectoryEntry($domain, $username, $password)

# Search for the computer object
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainEntry)
$searcher.Filter = "(&(objectCategory=computer)(name=$computerName))"
$computer = $searcher.FindOne()

if ($computer) {
    # Delete the computer object (DeleteTree also removes any child objects)
    $computerEntry = $computer.GetDirectoryEntry()
    $computerEntry.DeleteTree()
    Write-Host "Computer $computerName has been deleted from AD."
} else {
    Write-Host "Computer $computerName was not found in AD."
}
```

Add, in the middle of the State Restore phase:

```powershell
# Parameters (placeholders: OU path, account, password, domain controller)
$ComputerName = $env:COMPUTERNAME
$OUPath = "OU=XXX,OU=Postes de Travail,OU=Domaine,DC=domaine,DC=local"
$UserAccount = "DOMAINE"
$UserPassword = ""
$DomainController = "masterADserver.domaine"

# Build the credential object for the user
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserAccount, (ConvertTo-SecureString $UserPassword -AsPlainText -Force)

# Add the computer to AD, specifying the domain controller so the new object lands on the same DC
Add-Computer -ComputerName $ComputerName -DomainName "XXXX" -OUPath $OUPath -Credential $Credential -Server $DomainController
```


lyonelf avatar Mar 18 '25 08:03 lyonelf

Interesting. How would that affect large Domain replication? Wouldn't it be easier to join a "build OU" with no LAPS policy and then do a scripted OU move after? I guess if it works...

PowerShellCrack avatar Mar 22 '25 12:03 PowerShellCrack
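The scripted OU move suggested above (join a "build OU" with no LAPS policy, then move the object at the end of the task sequence), as an added example written in the same ADSI style as the scripts in this thread; it is not code from the thread or from PSD/MDT. The domain controller, target OU and account values are placeholders, and the move is skipped when the object already sits in the target OU so the step can be re-run safely.

```powershell
# Added example: move the local computer's AD object from the build OU to its final OU.
# Uses System.DirectoryServices only (no RSAT / ActiveDirectory module needed in the TS).
# All server, OU and account values below are placeholders (assumptions).
$computerName     = $env:COMPUTERNAME
$domainController = "dc01.domaine.local"                  # pin one DC: search and move hit the same replica
$targetOU         = "OU=Workstations,DC=domaine,DC=local" # final OU that carries the LAPS policy
$username         = "DOMAINE\svc_tsmove"                  # account delegated only to move computer objects
$password         = ""                                    # in practice supplied from a TS variable, not hard-coded

function Move-ComputerToFinalOU {
    param($Name, $Server, $TargetOU, $User, $Pass)

    # Bind to the chosen DC with the delegated account
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server", $User, $Pass)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # sAMAccountName of a computer is the name followed by '$' (backtick escapes the $ in PowerShell)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $result = $searcher.FindOne()
    if (-not $result) {
        throw "Computer $Name was not found on $Server; it may not have replicated yet."
    }

    $computerEntry = $result.GetDirectoryEntry()
    $currentOU = $computerEntry.Parent.Properties["distinguishedName"].Value
    # -eq on strings is case-insensitive in PowerShell, which matches how DNs are compared
    if ($currentOU -eq $TargetOU) {
        Write-Host "Computer $Name is already in $TargetOU; nothing to do."
        return $currentOU
    }

    # Bind to the destination OU on the same DC and move the object there
    $destination = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$TargetOU", $User, $Pass)
    $computerEntry.MoveTo($destination)
    Write-Host "Moved $Name from $currentOU to $TargetOU."
    return $TargetOU
}

Move-ComputerToFinalOU -Name $computerName -Server $domainController -TargetOU $targetOU -User $username -Pass $password
```

Because the move is done against one named DC, a following Group Policy refresh or LAPS password rotation may still wait for replication to the DC the client itself talks to.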

We use the REST PS API to move the object; there are, however, other ways to do it as well. I'll make sure we document the workarounds for it.

DeploymentBunny avatar Mar 25 '25 19:03 DeploymentBunny

> Interesting. How would that affect large Domain replication? Wouldn't it be easier to join a "build OU" with no LAPS policy and then do a scripted OU move after? I guess if it works...

Sorry for the delay, I never received a notification.

The problem is for a computer that is already added in the AD. The LAPS password is already set, so moving to an OU without a LAPS policy is not enough.

Or you may tweak a script to delay the moment when the PC comes into the AD.

lyonelf avatar Sep 09 '25 08:09 lyonelf