LAPS generated password (clear text on attribute) not working

    Question

  • Please help!

    -LAPS is set up in our environment.

    -Password generated and permissions are applied.

    -GPO set up and applied and LAPS CSE applied to client machines.

    -We have our own local admin account.

    -Password on attribute shows but cannot log in to the computer using that password. Set a different expiration but it didn't help.

    PLEASE HELP!


    • Edited by RENFEL Friday, February 03, 2017 8:33 PM language i guess
    Friday, February 03, 2017 8:32 PM

All replies

  • Hi,
     
    On 03.02.2017 at 21:32, RENFEL wrote:
    > -Password on attribute shows but cannot login to the computer using that
    > password. Set a different expiration but didn't help.
     
    If this password does not work, there is usually still an OLD GPO alive
    using the "Local Users and Computers" - User - Password (cpassword in xml)
     
    MS14-025 made it unavailable in GPEditor, but the CSE still accepts it on
    the client.
     
    Find it and delete it:
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    gp-pack PaT - Privacy and Telemetry on Windows 10
     
    Friday, February 03, 2017 9:12 PM
  • Hello Mark,

    I appreciate you getting back to me.

    I'm not sure what you mean by using the "Local Users and Computers" - User - Password (cpassword in xml)


    • Edited by RENFEL Monday, February 06, 2017 3:48 PM
    Monday, February 06, 2017 3:47 PM
  • Hi
     
    On 06.02.2017 at 16:47, RENFEL wrote:
    > I'm not sure what you mean by using the "Local Users and Computers"
     
    Group Policy Preferences.
     
    If you have used it in the past, the value inside the configuration is
    still present and the client imports it. MS14-025 only manipulates the
    UI, to disable this setting for "future" use ...
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    gp-pack PaT - Privacy and Telemetry on Windows 10
     
    Monday, February 06, 2017 5:55 PM
  • Yes, I have used that. Would you be able to provide me your own steps? I appreciate the link and info you provided me and have read it.

    I have deleted that GPO (not applied to OU).

    Please advise if:

    1st, I should delete the Local Admin account?

    2nd, make changes to XML? If yes, where to find that?

    Monday, February 06, 2017 6:34 PM
  • Hi,
     
    On 06.02.2017 at 19:34, RENFEL wrote:
    > I have deleted that GPO (not applied to OU)-
     
    If you deleted the GPO, there is no longer a system that writes the
    password every 90 minutes.
    Now, LAPS can handle it, BUT: LAPS "thinks" it is working perfectly,
    because it wrote the password into the attribute and did everything fine.
     
    You need to change the password date and set the date to an expired
    date, to let LAPS run again.
     
    It's like you had changed the password manually. LAPS does not check for
    a change of the password. LAPS checks the date on which it last set the
    password itself.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    gp-pack PaT - Privacy and Telemetry on Windows 10
     
    Tuesday, February 07, 2017 11:04 AM
  • Hello Mark, would you be able to provide me your own steps?
    Tuesday, February 07, 2017 10:13 PM
  • On 07.02.2017 at 23:13, RENFEL wrote:
    > Hello Mark, Would you able to provide me your own steps?
     
    Use the LAPS UI or the LAPS PowerShell cmdlets to set the date to yesterday.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Privacy and Telemetry on Windows 10 - gp-pack PaT
     
    Wednesday, February 08, 2017 7:40 AM
  • Hello Mark, would you be able to email me at warden093@yahoo.com? Please and thank you.
    Thursday, February 09, 2017 9:44 PM
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, February 13, 2017 2:31 AM
    Moderator
  • Hello Wendy, this issue has not been resolved. Maybe you have a solution. What I found out is... the built-in local administrator (which is currently disabled) looks like it gets the password, because when I enable the built-in local admin, it accepts that password.

    Please note: I specify the local admin account username in GPO.


    • Edited by RENFEL Monday, February 13, 2017 5:03 PM
    Monday, February 13, 2017 5:02 PM
  • > -Password on attribute shows but cannot login to the computer using that password. Set a different expiration but didn't help.
     
    "cannot login" is not a valid error description. What's the exact message you get if you try to?
     
    Remark: The builtin local admin by default is DISABLED, so you cannot login with this account during regular operations. The account is NOT disabled if you boot to safe mode.
     
    Tuesday, February 14, 2017 12:35 PM
  • Hello Martin,

    The Error message was "Username or Password is incorrect" to be specific.

    I typed it slowly to make sure I was typing it right. I copied and pasted it, but I'm still getting the same error message.

    The built-in local admin is not disabled by default. We disable that and that is part of our image.

    What puzzles me is, if I use the password in ADUC for our custom local admin, it does not allow me to log in and gives that error message "Username or Password is incorrect", BUT... if I enable the built-in local ADMIN and use the password in ADUC, then it allows me to log in. In GPO under Computer Configuration -> Admin Templates -> LAPS -> name of administrator account to manage, I specify our custom local admin.



    • Edited by RENFEL Tuesday, February 14, 2017 3:47 PM
    Tuesday, February 14, 2017 3:46 PM
  • > What puzzle me is, if i use the password in ADUC to our custom local admin, it does not allow me to login and  that error message "Username or Password is incorrect" BUT.... if i enable the built-in local ADMIN and use the password in ADUC then it allows me to login.
     
    Ah, now I get the picture :-)
     
    In this case, I agree with Mark that there's either an old GPO that uses "Local Users and Groups" and still has the cpassword section within - or there's some other configuration mechanism. Grab a gpresult /h report.html and examine for a GPO that might be the culprit, then edit its XML.
     
    Tuesday, February 14, 2017 3:59 PM
  • How could I check the CPassword if the GPO had been deleted?
    Tuesday, February 14, 2017 5:00 PM
  • On 14.02.2017 at 18:00, RENFEL wrote:
    > How could  i check the CPassword if the GPO had
    > been deleted?
     
    There is another one. A deleted GPO will never deploy settings, because
    it is still alive in some kind of a shadow system. It's deleted. It's gone.
     
    Check all sysvols on all DCs, search for cpassword in xml.
    I already provided links, or simply use "find" in the CLI.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Privacy and Telemetry on Windows 10 - gp-pack PaT
     
    Thursday, February 16, 2017 8:09 AM
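
The cleanup the replies above describe (search the SYSVOL of every DC for cpassword in the Group Policy Preferences XML, then set the LAPS expiration date to yesterday), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory (RSAT) and AdmPwd.PS (legacy LAPS) modules are installed; Find-GppCPassword and PC-EXAMPLE01 are hypothetical names.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory (RSAT) and
# AdmPwd.PS (legacy LAPS) modules; Find-GppCPassword is a hypothetical helper.
Import-Module ActiveDirectory, AdmPwd.PS

function Find-GppCPassword {
    # One record per XML node under a DC's SYSVOL Policies folder that still
    # carries a non-empty cpassword attribute. The value itself is never output.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$DomainDnsName
    )
    $policies = "\\$DomainController\SYSVOL\$DomainDnsName\Policies"
    Get-ChildItem -Path $policies -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        Where-Object { Select-String -LiteralPath $_.FullName -Pattern 'cpassword' -Quiet } |
        ForEach-Object {
            $file = $_.FullName
            $guid = if ($file -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '(unknown)' }
            Select-Xml -LiteralPath $file -XPath '//*[@cpassword != ""]' | ForEach-Object {
                [pscustomobject]@{
                    DC      = $DomainController
                    GpoGuid = $guid
                    File    = $file
                    Account = $_.Node.GetAttribute('userName')  # account the item sets
                    NewName = $_.Node.GetAttribute('newName')   # set if the item renames it
                }
            }
        }
}

# Check every DC: SYSVOL replication can lag, so one clean copy proves nothing.
$domain = (Get-ADDomain).DNSRoot
$hits = Get-ADDomainController -Filter * | ForEach-Object {
    Find-GppCPassword -DomainController $_.HostName -DomainDnsName $domain
}
$hits | Sort-Object GpoGuid, DC | Format-Table -AutoSize

# Once the offending preference item is removed, LAPS still considers its stored
# password current. Expire it ("set date to yesterday") so the CSE sets a new one
# at the next Group Policy refresh.
$computer = 'PC-EXAMPLE01'   # placeholder computer name
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date).AddDays(-1)
Get-AdmPwdPassword -ComputerName $computer | Select-Object ComputerName, ExpirationTimestamp
```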