evilaedmin
Expert
Posts: 176
Liked: 30 times
Joined: Jul 26, 2018 8:04 pm
Full Name: Eugene V

LAPS and restoring Windows VMs with rotated passwords

Post by evilaedmin »

We use LAPS to secure the local administrator (SID 500) password of servers.

During our backup retention period, the local Administrator password will be rotated several times. We do not keep a history of these passwords.

The machine account will also be rotated within this time.

It's possible that if we go back far enough to attempt a full VM restore, it will not be accessible using AD-based credentials (machine password rotated) and we will not be able to use local administrator to re-join to AD or reset machine password (local administrator password rotated via LAPS, and only the most recent is kept in AD, secured via ACLs).

We presume that the need for a full VM restore is rare but let's assume it is a possibility.

Has anyone dealt with this problem and what was your approach?
mengl
Service Provider
Posts: 14
Liked: 10 times
Joined: Oct 19, 2018 7:02 am
Full Name: Michael Engl
Location: Germany

Re: LAPS and restoring Windows VMs with rotated passwords

Post by mengl » 2 people like this post

As long as you keep the backups of your domain controllers as long as the VM backups, you should be able to get the password by running an instant recovery from the DC or export/restore the computer object using the AD explorer.
Also, if you disconnect the network of the restored VM, you normally can log in using cached (Administrator) credentials.
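
The lookup described in the post above, as an added example that is not part of the thread: it reads the LAPS password from a recovered DC and goes one step further by checking that the stored password was the one in effect at the VM restore point. It assumes the legacy LAPS attributes (`ms-Mcs-AdmPwd`, `ms-Mcs-AdmPwdExpirationTime`) and the RSAT ActiveDirectory module; the server name, computer name and date are placeholders.

```powershell
# Added example, not from the thread. Assumes legacy LAPS attributes and the
# RSAT ActiveDirectory module; every name and date below is a placeholder.
Import-Module ActiveDirectory

$RestoredDc     = 'dc01-restored.example.test'      # hypothetical recovered DC (isolated network)
$ComputerName   = 'APP01'                           # hypothetical computer object of the restored VM
$VmRestorePoint = [datetime]'2020-03-15T02:00:00'   # constructed: time of the VM restore point

$computer = Get-ADComputer -Identity $ComputerName -Server $RestoredDc `
    -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

if (-not $computer.'ms-Mcs-AdmPwd') {
    # Empty means no LAPS password was stored, or this account lacks read access (ACL).
    throw "No readable LAPS password for $ComputerName on $RestoredDc."
}

# When the password attribute was last written, as recorded in this copy of AD.
$meta = Get-ADReplicationAttributeMetadata -Object $computer.DistinguishedName `
    -Server $RestoredDc -Properties 'ms-Mcs-AdmPwd'
$setUtc     = $meta.LastOriginatingChangeTime.ToUniversalTime()
$expiresUtc = [datetime]::FromFileTimeUtc([int64]$computer.'ms-Mcs-AdmPwdExpirationTime')
$vmUtc      = $VmRestorePoint.ToUniversalTime()

if ($setUtc -gt $vmUtc) {
    Write-Warning "Password was rotated at $setUtc, after the VM restore point. Use an older DC restore point."
}
elseif ($expiresUtc -le $vmUtc) {
    Write-Warning "Password expired at $expiresUtc, before the VM restore point. It was probably rotated; use a newer DC restore point."
}
else {
    # Set before the VM backup and not yet expired at that time: likely the one inside the VM.
    # Clipboard instead of console output keeps it out of transcripts and scrollback.
    Set-Clipboard -Value $computer.'ms-Mcs-AdmPwd'
    Write-Host "Password set $setUtc, expires $expiresUtc; copied to clipboard."
}
```

The timing check is a heuristic: a manually forced reset between the two backups would not show up in the expiration time, so the closest DC restore point to the VM restore point is the safest choice.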
soncscy
Veteran
Posts: 643
Liked: 312 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey

Re: LAPS and restoring Windows VMs with rotated passwords

Post by soncscy »

In our shop a few clients scripted this into simple encrypted CSV files (of their own volition). My understanding was most password managers would keep a key until they're told to delete it, so I assume a proper FOSS manager should help. Just give it a decent description for each key and you're golden.

While I understand your concern, I have to ask, what do you expect from a Backup Application? For my money's worth, I don't want the backup app touching my credentials unless it absolutely needs to, and if that's the case, it does so as a guest, not as a privileged account. But that's just how I prefer things.
evilaedmin
Expert
Posts: 176
Liked: 30 times
Joined: Jul 26, 2018 8:04 pm
Full Name: Eugene V

Re: LAPS and restoring Windows VMs with rotated passwords

Post by evilaedmin » 1 person likes this post

mengl wrote: Apr 28, 2020 7:31 pm
As long as you keep the backups of your domain controllers as long as the VM backups, you should be able to get the password by running an instant recovery from the DC or export/restore the computer object using the AD explorer.
Also, if you disconnect the network of the restored VM, you normally can log in using cached (Administrator) credentials.

Thanks, this is exactly what I missed; we do have image-based backups of AD, and Veeam Explorer for AD was not something we ever tried before. Looks like we can view/export the properties of any object from any restore point. One might say I missed the [AD] forest for the trees.