Post-authentication actions

Policy overview

Key metadata and intent for this policy.

Scope: Computer
Category: System > LAPS
Supported on: At least Microsoft Windows 10 or later
Supported OS tags: Windows10

This policy configures post-authentication actions which will be executed after detecting an authentication by the managed account.

Grace period: specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions. If this setting is enabled and greater than zero, the specified post-authentication actions will be executed upon expiration of the grace period. If this setting is disabled or not configured, the specified post-authentication actions will be executed after a default 24 hour grace period. If this setting is equal to zero, no post-authentication actions will be executed.

Actions: specifies the actions to take upon expiration of the grace period.

Reset password: upon expiration of the grace period, the managed account password is reset.

Reset the password and logoff the managed account: upon expiration of the grace period, the managed account password is reset and any interactive logon sessions using the managed account are logged off.

Reset the password and reboot: upon expiration of the grace period, the managed account password is reset and the managed device is rebooted.

Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated. (NOTE: after any interactive logon sessions are terminated there may still be other authenticated sessions in use by the managed account. The only robust way to ensure that the previous password is no longer in use is to reboot the device.)

If this setting is disabled or not configured, post-authentication actions will default to "Reset the password and logoff the managed account".

Note: the DSRM account on domain controllers cannot be configured for post-authentication actions. This policy has no effect on domain controllers and will be ignored even if configured for a DC. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Internal name: LAPS_PostAuthenticationActions
Policy ID: 4b628228bbe3
Elements: 2

Registry values

How enabled and disabled states update the registry.

No explicit registry values are set for enabled or disabled states.

Policy elements

Inputs and configuration options exposed by this policy.

Scope: Computer
Element: Grace period (hours)
ID: LAPS_PostAuthenticationResetDelay_INT
Type: decimal
Registry mapping:
  Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
  Value name: PostAuthenticationResetDelay
  Type: REG_DWORD
Constraints & behavior: Range: 0 to 24

Scope: Computer
Element: Actions
ID: LAPS_PostAuthenticationActions
Type: enum
Registry mapping:
  Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS
  Value name: PostAuthenticationActions
  Type: REG_DWORD
Constraints & behavior: Options:
  0 - Disabled - take no actions
  1 - Reset the password
  3 - Reset the password and logoff the managed account
  5 - Reset the password and reboot the device
  11 - Reset the password, logoff the managed account, and terminate any remaining processes
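The following PowerShell is an added audit example, not part of this policy reference or of Microsoft's LAPS tooling: it reads the two registry values documented above (assuming the Computer-scope policy path lives under HKLM), applies the documented defaults when a value is absent, and reports configurations that leave the managed account password in use after an authentication.

```powershell
# Added audit script (not from the policy page or from Microsoft's LAPS tooling).
# Reads the two Computer-scope registry values documented above; the Computer-scope
# policy path is assumed to live under HKLM.
$lapsPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'

# PostAuthenticationActions enum values, as listed in the policy elements above.
$actionNames = @{
    0  = 'Disabled - take no actions'
    1  = 'Reset the password'
    3  = 'Reset the password and logoff the managed account'
    5  = 'Reset the password and reboot the device'
    11 = 'Reset the password, logoff the managed account, and terminate any remaining processes'
}

function Get-LapsPostAuthConfig {
    $props = $null
    if (Test-Path -Path $lapsPolicyPath) {
        $props = Get-ItemProperty -Path $lapsPolicyPath
    }

    # Documented defaults when a value is not configured: 24 hour grace period and
    # action 3 ("Reset the password and logoff the managed account").
    $delay   = 24
    $actions = 3
    if ($null -ne $props -and $null -ne $props.PostAuthenticationResetDelay) { $delay   = [int]$props.PostAuthenticationResetDelay }
    if ($null -ne $props -and $null -ne $props.PostAuthenticationActions)    { $actions = [int]$props.PostAuthenticationActions }

    $findings = @()
    if ($delay -eq 0)   { $findings += 'Grace period is 0: no post-authentication actions are executed.' }
    if ($delay -gt 24)  { $findings += "Grace period $delay is outside the documented 0 to 24 hour range." }
    if ($actions -eq 0) { $findings += 'Actions value 0: the password is never rotated after an authentication.' }
    if ($actions -eq 1) { $findings += 'Actions value 1 resets the password but does not log off sessions still using it.' }
    if ($actions -ne 5) { $findings += 'Note: only a reboot (value 5) robustly ends every session using the previous password.' }
    if (-not $actionNames.ContainsKey($actions)) { $findings += "Unrecognised PostAuthenticationActions value $actions." }

    $actionName = 'unknown'
    if ($actionNames.ContainsKey($actions)) { $actionName = $actionNames[$actions] }

    [pscustomobject]@{
        GracePeriodHours = $delay
        ActionsValue     = $actions
        ActionsName      = $actionName
        Findings         = $findings
    }
}

Get-LapsPostAuthConfig | Format-List
```

Run it in an elevated session on a managed workstation; an empty Findings list (apart from the reboot note) means the policy is either unconfigured, and therefore using the documented defaults, or explicitly set to rotate and log off.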