MSEndpointMgr / CloudLAPS

Official repo for CloudLAPS from MSEndpointMgr.com
https://msendpointmgr.com/CloudLAPS
MIT License

Unable to Set Password Locally #24

Open AKFractal opened 2 years ago

AKFractal commented 2 years ago

Hi Team... I have gone through the initial setup, which has been successful. The problem occurs when the script runs locally on a device to change the password. Initially I can see the password is generated and visible on the portal, but that password has not been set locally on the device. The script errors with "not allowed" and the event viewer states the password cannot be rotated. When running the script a 2nd time round, the password does not get rotated, nor does a new password get generated on the portal; after checking the $Error variable I can see HTTP errors. So it seems a connection is made the 1st time and the password is created/generated but not set locally, and then any subsequent runs will not make a connection. Please do let me know what I can do to troubleshoot this further.

RaghuKeenLearner commented 2 years ago

Is there a difference between your script remediation execution from MEM and the function app?

AKFractal commented 2 years ago

I'm using the same script provided by the CloudLAPS team.

RaghuKeenLearner commented 2 years ago

What is UpdateFrequencyDays set to? Function App -> CloudLAPS -> Configuration -> UpdateFrequencyDays; check this. The value has to match the value of script execution in Proactive Remediation. Mine is set to 1 day in both places and all is working perfectly fine.

AKFractal commented 2 years ago

Hi, I did update "UpdateFrequencyDays" to 1 day some time back, but I can't seem to see where this is set in the code itself. My understanding was that UpdateFrequencyDays can be set in the function but isn't required in the code itself. Can you point me to the line number?

bernieyee commented 2 years ago

Hi,

I am also getting the same issue while testing with the combined script to create a scheduled task - https://msendpointmgr.com/2022/03/11/use-a-scheduled-task-to-rotate-passwords-for-cloudlaps/

Script runs fine with output in the function's output logs looking correct, and the secret is being committed to the vault successfully. However, when I try logging in or checking the local administrator's information with net user, the password last set date never changes.

I've tested twice by deleting the secret from the key vault so I can rerun the script.

I am using the default UpdateFrequencyDays from the script and in the function's configuration tab, so I don't think it's that.

I even tested by creating a new test user that's part of the local administrators group and trying it on that account and it doesn't update either.

AKFractal commented 2 years ago

Hi, I found the resolution to the problem I was having. The issue was down to an Intune device configuration account policy which was applying redundant EAS policies; these policies would not allow the local account password to be changed. Can you apply CloudLAPS in isolation without any account GPO/Intune policies and confirm if it works?

bernieyee commented 2 years ago

Hi, thanks for your reply.

I did some more digging around this morning after seeing your reply, and other than chasing down potential configuration policies in Intune (we have a machine timeout one using a custom OMA-URI that supposedly applies EAS), I noticed something peculiar in the Event Viewer logs:

CloudLAPS: Failed to rotate password for 'xxx' local user account. Error message: Cannot remove the last Administrator.

Digging through the script, I found that it was the output related to the two Set-LocalUser lines. Running them individually in a different window, I was able to isolate the issue to this particular line:

Set-LocalUser -Name $LocalAdministratorName -Password $SecurePassword -PasswordNeverExpires $true -UserMayChangePassword $false -ErrorAction Stop

I changed the $false to $true for the UserMayChangePassword option and it works like a charm now.

Thanks for your help.
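A diagnostic script, added here as an example and not code from CloudLAPS or from anyone in this thread, that does what bernieyee did by hand: it records the account's PasswordLastSet, applies the Set-LocalUser form that worked (-UserMayChangePassword $true), and confirms the timestamp actually advanced so a secret is not left in Key Vault that was never set on the device. The account name and the throw-away password generation are assumptions.

```powershell
# Added example (not CloudLAPS code): verify that a local rotation really
# applied, and surface the Set-LocalUser error seen in this thread.
param(
    [string]$LocalAdministratorName = 'Administrator'   # assumption: use your LAPS-managed account
)

# Throw-away password for this test only; CloudLAPS generates its own.
$Plain = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$SecurePassword = ConvertTo-SecureString -String $Plain -AsPlainText -Force

$User   = Get-LocalUser -Name $LocalAdministratorName -ErrorAction Stop
$Before = $User.PasswordLastSet

# Pre-flight: the account must be in the local Administrators group,
# otherwise the wrong account is being rotated.
$IsAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
    Where-Object { $_.Name -like "*\$LocalAdministratorName" }
if (-not $IsAdmin) { throw "'$LocalAdministratorName' is not a member of Administrators" }

try {
    # The form reported as working above: -UserMayChangePassword $true.
    # With $false the poster got 'Cannot remove the last Administrator'.
    Set-LocalUser -Name $LocalAdministratorName -Password $SecurePassword `
        -PasswordNeverExpires $true -UserMayChangePassword $true -ErrorAction Stop
}
catch {
    # Same wording as the CloudLAPS event log entry quoted in the thread.
    Write-Error "Failed to rotate password for '$LocalAdministratorName' local user account. Error message: $($_.Exception.Message)"
    exit 1
}

# Post-check: PasswordLastSet must advance. If it does not, the device and
# the vault are out of sync and an account policy (e.g. EAS) is suspect.
$After = (Get-LocalUser -Name $LocalAdministratorName).PasswordLastSet
if ($After -gt $Before) {
    Write-Output "Rotation applied locally: PasswordLastSet $Before -> $After"
} else {
    Write-Warning "PasswordLastSet did not change ($After); check Intune/EAS account policies"
    exit 1
}
```

Run it in an elevated PowerShell session on a test device; it changes the account's password, so keep the generated value only long enough to confirm the sign-in works.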