Policy
Post-authentication actions
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10
This policy configures post-authentication actions which will be executed after detecting an authentication by the managed account.

Grace period: specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
- If this setting is enabled and greater than zero, the specified post-authentication actions will be executed upon expiration of the grace period.
- If this setting is disabled or not configured, the specified post-authentication actions will be executed after a default 24 hour grace period.
- If this setting is equal to zero, no post-authentication actions will be executed.

Actions: specifies the actions to take upon expiration of the grace period.
- Reset password: upon expiration of the grace period, the managed account password is reset.
- Reset the password and logoff the managed account: upon expiration of the grace period, the managed account password is reset and any interactive logon sessions using the managed account are logged off.
- Reset the password and reboot: upon expiration of the grace period, the managed account password is reset and the managed device is rebooted.
- Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.

NOTE: after any interactive logon sessions are terminated there may still be other authenticated sessions in use by the managed account. The only robust way to ensure that the previous password is no longer in use is to reboot the device.

If this setting is disabled or not configured, post-authentication actions will default to "Reset the password and logoff the managed account".

Note: the DSRM account on domain controllers cannot be configured for post-authentication actions. This policy has no effect on domain controllers and will be ignored even if configured for a DC. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| Grace period (hours): ID LAPS_PostAuthenticationResetDelay_INT | decimal | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PostAuthenticationResetDelay Type REG_DWORD | Range: 0 to 24 |
| Actions: ID LAPS_PostAuthenticationActions | enum | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PostAuthenticationActions Type REG_DWORD | Options: Disabled - take no actions (0), Reset the password (1), Reset the password and logoff the managed account (3), Reset the password and reboot the device (5), Reset the password, logoff the managed account, and terminate any remaining processes (11) |
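
An added example (not part of the original policy page and not Microsoft's tooling): a PowerShell check that reads the two registry values from the table above and resolves the effective grace period and action, applying the defaults described in the policy text. The function name `Resolve-LapsPostAuthPolicy` and the output property names are hypothetical, and only the Group Policy key listed on this page is read.

```powershell
# Added example: resolve the effective post-authentication behaviour from the
# two registry values in the policy elements table. Reads only that GPO key.
$LapsPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'

# Option values and labels exactly as listed for PostAuthenticationActions.
$ActionNames = @{
    0  = 'Disabled - take no actions'
    1  = 'Reset the password'
    3  = 'Reset the password and logoff the managed account'
    5  = 'Reset the password and reboot the device'
    11 = 'Reset the password, logoff the managed account, and terminate any remaining processes'
}

function Resolve-LapsPostAuthPolicy {          # hypothetical helper name
    param(
        [Nullable[int]]$GraceHours,            # $null = registry value absent
        [Nullable[int]]$Action                 # $null = registry value absent
    )
    # Defaults from the policy text: 24 hours, reset the password and logoff (3).
    $hours  = if ($null -eq $GraceHours) { 24 } else { $GraceHours }
    $action = if ($null -eq $Action)     { 3 }  else { $Action }

    $notes = @()
    if ($hours -lt 0 -or $hours -gt 24) { $notes += "Grace period $hours is outside the documented range 0 to 24." }
    if (-not $ActionNames.ContainsKey($action)) { $notes += "Action value $action is not one of the documented options." }

    # A grace period of 0 or the Disabled action (0) means nothing is executed.
    $willRun = ($hours -ne 0) -and ($action -ne 0)
    if (-not $willRun) {
        $notes += 'No post-authentication actions will be executed.'
    } elseif ($action -in 1, 3, 11) {
        $notes += 'No reboot: other authenticated sessions may still use the previous password.'
    }
    [pscustomobject]@{
        GracePeriodHours = $hours
        ActionValue      = $action
        ActionName       = $ActionNames[$action]
        ActionsWillRun   = $willRun
        Notes            = $notes -join ' '
    }
}

# Live check: an absent key or value comes back as $null and falls to the defaults.
$policy = Get-ItemProperty -Path $LapsPolicyKey -ErrorAction SilentlyContinue
Resolve-LapsPostAuthPolicy -GraceHours $policy.PostAuthenticationResetDelay -Action $policy.PostAuthenticationActions

# Constructed sample input (not real device data): action 11 after an 8 hour grace period.
Resolve-LapsPostAuthPolicy -GraceHours 8 -Action 11
```
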
Other policies in this category
Explore related policies at the same level.
- Computer: Configure authorized password decryptors (At least Microsoft Windows 10 or later)
- Computer: Configure automatic account management (At least Microsoft Windows 10 or later)
- Computer: Configure password backup directory (At least Microsoft Windows 10 or later)
- Computer: Configure size of encrypted password history (At least Microsoft Windows 10 or later)
- Computer: Do not allow password expiration time longer than required by policy (At least Microsoft Windows 10 or later)
- Computer: Enable password backup for DSRM accounts (At least Microsoft Windows 10 or later)
- Computer: Enable password encryption (At least Microsoft Windows 10 or later)
- Computer: Name of administrator account to manage (At least Microsoft Windows 10 or later)
- Computer: Password Settings (At least Microsoft Windows 10 or later)