Set-LapsADPasswordExpirationTime

Sets the Windows Local Administrator Password Solution (LAPS) password expiration timestamp on an Active Directory (AD) computer or domain controller object.

Syntax

Set-LapsADPasswordExpirationTime
   [-Credential <PSCredential>]
   -Identity <String[]>
   [-WhenEffective <DateTime>]
   [-Domain <String>]
   [-DomainController <String>]
   [<CommonParameters>]

Description

The Set-LapsADPasswordExpirationTime cmdlet is used by administrators to configure the LAPS password expiration time on an AD computer or domain controller object.

Tip

Running this cmdlet sets the LAPS password expiration time on the AD computer or domain controller object, but the new expiration time isn't honored until the next time the target device executes a LAPS policy processing cycle.

Examples

Example 1

Set-LapsADPasswordExpirationTime -Identity lapsClient

DistinguishedName                           Status
-----------------                           ------
CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com  PasswordReset

This example shows setting the LAPS password expiration time to the current time, which expires the password immediately.

Example 2

Set-LapsADPasswordExpirationTime -Identity lapsClient -WhenEffective (Get-Date -Date "07/04/2023 13:00:00")

DistinguishedName                           Status
-----------------                           ------
CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com  PasswordReset

This example shows setting the LAPS password expiration time to a specific date.

Example 3

Set-LapsADPasswordExpirationTime -Identity lapsClient -WhenEffective ([DateTime]::Now.AddDays(1))

DistinguishedName                           Status
-----------------                           ------
CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com  PasswordReset

This example shows setting the LAPS password expiration time to one day in the future.
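The following is an added example, not part of the original reference page: it expires the LAPS password for several devices after a suspected exposure, reads the stored timestamp back with Get-LapsADPassword, and then lists the devices that have not yet rotated, since rotation only happens on the device's next policy processing cycle. The device names are constructed placeholders, and the optional remote trigger assumes PowerShell remoting is enabled and that each name resolves as a host name.

```powershell
# Added example. Device names are constructed placeholders.
$devices = 'lapsClient', 'lapsClient2'

# 1. Expire each password in AD (no -WhenEffective means the current time)
#    and read the stored timestamp back to confirm the write.
$report = foreach ($name in $devices) {
    try {
        $set = Set-LapsADPasswordExpirationTime -Identity $name -ErrorAction Stop
        # The password comes back as a SecureString unless -AsPlainText is
        # used; only the expiration timestamp is kept here.
        $state   = Get-LapsADPassword -Identity $name -ErrorAction Stop
        $expires = $state.ExpirationTimestamp.ToUniversalTime()
        [pscustomobject]@{
            Device      = $name
            Status      = $set.Status
            ExpiresUtc  = $expires
            ExpiredInAD = $expires -le [DateTime]::UtcNow
            Error       = $null
        }
    }
    catch {
        # Unknown device, missing rights, or no LAPS password stored.
        [pscustomobject]@{
            Device      = $name
            Status      = 'Failed'
            ExpiresUtc  = $null
            ExpiredInAD = $false
            Error       = $_.Exception.Message
        }
    }
}
$report | Format-Table -AutoSize

# 2. Optional: ask each device to run a policy processing cycle now
#    (assumption: PowerShell remoting is enabled on the devices).
foreach ($row in $report | Where-Object ExpiredInAD) {
    Invoke-Command -ComputerName $row.Device -ScriptBlock { Invoke-LapsPolicyProcessing }
}

# 3. Later: a device that has rotated writes a new, future expiration time
#    to AD, so anything still expired has not processed policy yet.
$pending = $report | Where-Object ExpiredInAD | ForEach-Object {
    $s = Get-LapsADPassword -Identity $_.Device
    if ($s.ExpirationTimestamp.ToUniversalTime() -le [DateTime]::UtcNow) { $_.Device }
}
$pending
```

Devices that remain in `$pending` still hold the old password and should be followed up individually.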

Parameters

-Credential

Specifies the credentials to use when updating AD. If not specified, the current user's credentials are used.

Type: PSCredential
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Domain

Specifies the name of the domain to connect to.

Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-DomainController

Specifies the name of the domain controller to connect to.

Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Identity

Specifies the name of the computer or domain controller object to set the LAPS password expiration time on.

This parameter accepts several different name formats that influence the criteria used when searching AD for the target device. The supported name formats are as follows:

  • distinguishedName (begins with a CN=)
  • samAccountName (begins with a $)
  • dnsHostName (contains at least one . character)
  • name (for all other inputs)

Type: String[]
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

-WhenEffective

Specifies the new LAPS password expiration time. If not specified, the current time is used, which expires the password immediately.

Type: DateTime
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

Inputs

String[]

Outputs

Object