Policy
Post-authentication actions
This policy configures post-authentication actions which will be executed after detecting an authentication by the managed account.

Grace period: specifies the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
If this setting is enabled and greater than zero, the specified post-authentication actions will be executed upon expiration of the grace period.
If this setting is disabled or not configured, the specified post-authentication actions will be executed after a default 24-hour grace period.
If this setting is equal to zero, no post-authentication actions will be executed.

Actions: specifies the actions to take upon expiration of the grace period.
Reset password: upon expiration of the grace period, the managed account password is reset.
Reset the password and logoff the managed account: upon expiration of the grace period, the managed account password is reset and any interactive logon sessions using the managed account are logged off.
Reset the password and reboot: upon expiration of the grace period, the managed account password is reset and the managed device is rebooted.
Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.
(NOTE: after any interactive logon sessions are terminated there may still be other authenticated sessions in use by the managed account. The only robust way to ensure that the previous password is no longer in use is to reboot the device.)
If this setting is disabled or not configured, post-authentication actions will default to "Reset the password and logoff the managed account".

Note: the DSRM account on domain controllers cannot be configured for post-authentication actions.
This policy has no effect on domain controllers and will be ignored even if configured for a DC. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
LAPS_PostAuthenticationActions
Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PostAuthenticationResetDelay
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PostAuthenticationActions