LAPS - GPO

    Question

  • Hello!

    I have deployed LAPS on a couple of test machines in our PROD env. 

    1 of them works fine - the GPO got applied, admin pwd got generated - I can log in using that pwd too.

    However, our 2nd test machine - I've been trying to troubleshoot it for a couple of days now. The GPO got applied - both software deployment and LAPS configuration - I can see in gpreport there is no error. On the Domain Controller, Get-AdmPwdPassword gives me the password fine; in the computer's properties I can see the password in the 'ms-Mcs-AdmPwd' attribute.
    However - I am not able to log in using that password. And now it doesn't even look like the original admin password is working.

    Checked Event Viewer for any AdmPwd errors in the Application log, but fail to see any.

    Any suggestions would be appreciated, thanks!

    Monday, May 9, 2016 3:34 PM

Answers

All replies

  • On 09.05.2016 at 17:34 vdhiman63 wrote:
    > [...] I am not able to log in using that password. And now it doesn't
    > even look like the original admin password is working.
     
    - reset PWD manually
    - join Workgroup
    - join Domain again
    ...
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - in German
     
    Monday, May 9, 2016 4:10 PM
  • Thanks! Will definitely try this as a last resort. Any idea right now why the generated LAPS password doesn't work? Does it just take some time between AD and the machine for the password to work?

    We don't want to deploy on all our prod machines if testing shows some inconsistencies.

    Monday, May 9, 2016 4:19 PM
  • Hi,
     
    On 09.05.2016 at 18:19 vdhiman63 wrote:
    > Thanks! Will definitely try this as a last resort. Any idea right now
    > why the generated LAPS password doesn't work?
     
    No, I never had that, if it is reported to AD, it works directly.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - in German
     
    Monday, May 9, 2016 4:35 PM
  • Sounds all fine here.

    How about enabling some logging and seeing what comes up.

    If you run into any problems with the LAPS CSE, events are logged to the local computer's Application log, and the level of information can be tuned on the local device by configuring the ExtensionDebugLevel registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\.

    0 is the default value and logs errors only.

    For more on TS, refer to LAPS_operationGuide from Microsoft.


    Devaraj G | Technical solution architect

    Monday, May 9, 2016 5:32 PM
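    The logging step described above, written out as an added PowerShell example (not code from the thread or from Microsoft's LAPS tooling). It assumes it is run elevated on the affected client, that the CSE GUID is the one quoted in the reply, that the LAPS operations guide's levels apply (0 = errors only, which is the default, 2 = verbose), and that the CSE writes its events under the provider name `AdmPwd`; the computer name is a constructed placeholder.

    ```powershell
    # Added example, not part of the original thread.
    # Raise LAPS CSE logging on this client, trigger a policy refresh, and read
    # back the AdmPwd events so the password-change/report steps become visible.
    # Assumptions: run elevated on the client; GUID as quoted in the thread;
    # ExtensionDebugLevel 0 = errors only (default), 2 = verbose (operations guide);
    # event provider/source name 'AdmPwd'.

    $cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'

    if (-not (Test-Path $cseKey)) {
        # The key only exists once the AdmPwd CSE (the LAPS client MSI) is installed,
        # so its absence means the software-deployment GPO never ran on this machine.
        throw "LAPS CSE key not found - the LAPS client does not appear to be installed."
    }

    # Leaving this at 0 (the default) logs errors only; 2 logs every step the CSE takes.
    Set-ItemProperty -Path $cseKey -Name ExtensionDebugLevel -Value 2 -Type DWord

    # Force the computer-side policy refresh so the CSE actually executes now.
    gpupdate /target:computer /force | Out-Null

    # Pull the most recent CSE events from the Application log, oldest first.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No AdmPwd events found - the CSE did not run or did not log anything."
    } else {
        $events | Sort-Object TimeCreated |
            Select-Object TimeCreated, Id, LevelDisplayName, Message |
            Format-Table -AutoSize -Wrap
    }

    # Confirm which DLL the CSE is registered with and what level is now in effect.
    Get-ItemProperty -Path $cseKey | Select-Object DllName, ExtensionDebugLevel

    # When the investigation is over, return to the quiet default:
    # Set-ItemProperty -Path $cseKey -Name ExtensionDebugLevel -Value 0 -Type DWord
    ```

    With verbose logging on, the useful comparison for the symptom in this thread is whether the CSE logs that it changed the local password and then reported it to AD, or only one of the two: a password present in `ms-Mcs-AdmPwd` that does not work locally points at the local change step, not at the AD write.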
  • Thanks Devaraj,

    I enabled the logging to 0 but again nothing came up.

    Apparently when I did the 'Reset-AdmPwdPassword' command for that computer, the new password it generated worked.

    This happened with the 1st system as well, but there I thought maybe I was reading the password wrong so the reset helped.

    I am not sure why it's happening, but if I am applying both the GPOs - deployment as well as configuration - at the same time, will it be a problem? This is because we don't plan to mass apply the GPO - we will move a few systems at a time into the OU on which the GPOs are already set.
    Monday, May 9, 2016 8:22 PM
  • Hi,

    Please check if you have set the correct permissions for the attribute ms-Mcs-AdmPwd. See the articles below:

    LAPS and password storage in clear text in AD

    https://blogs.msdn.microsoft.com/laps/2015/06/01/laps-and-password-storage-in-clear-text-in-ad/

    Security Thoughts: Microsoft Local Administrator Password Solution (LAPS, KB3062591)

    https://dirteam.com/sander/2015/05/02/security-thoughts-microsoft-local-administrator-password-solution-laps-kb3062591/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 11, 2016 8:18 AM
    Moderator
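    The permission check suggested in the reply above, as an added PowerShell example that is not code from the thread or from Microsoft. It uses the LAPS management module (`AdmPwd.PS`, installed with the LAPS admin tools) and the `ActiveDirectory` module, and assumes the OU distinguished name and the computer name are placeholders to be replaced; the schema-GUID lookup is a standard way of translating the GUIDs in an AD ACL back to attribute names and is an assumption of this example, not something the thread describes.

    ```powershell
    # Added example, not part of the original thread.
    # Audit the two permissions LAPS depends on for an OU of test computers:
    #  1. who holds extended rights on the OU (and can therefore read the clear-text
    #     password in ms-Mcs-AdmPwd), and
    #  2. whether each computer's SELF principal can write ms-Mcs-AdmPwd and
    #     ms-Mcs-AdmPwdExpirationTime, which the CSE needs to report a new password.
    # Assumptions: AdmPwd.PS and ActiveDirectory modules present; run as a user
    # who can read the OU's ACL; $ou and $computerName are placeholders.

    Import-Module AdmPwd.PS
    Import-Module ActiveDirectory

    $ou           = 'OU=LAPS-Test,DC=example,DC=com'   # placeholder, replace with the real OU
    $computerName = 'TESTPC02'                         # placeholder, replace with the failing machine

    # 1. Principals that can read the password on this OU (and its sub-containers).
    Write-Host "Extended-right holders on $ou :"
    Find-AdmPwdExtendedRights -Identity $ou |
        Select-Object ObjectDN, @{ n = 'Holders'; e = { $_.ExtendedRightHolders -join ', ' } } |
        Format-Table -AutoSize -Wrap

    # Build a schemaIDGUID -> lDAPDisplayName map so ACE ObjectType GUIDs become readable.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $guidMap  = @{}
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    # 2. SELF write access on the LAPS attributes for one computer object.
    $computer = Get-ADComputer -Identity $computerName
    $acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
    $lapsAttrs = @('ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime')

    $selfWrites = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
        $_.ActiveDirectoryRights -match 'WriteProperty' -and
        $guidMap[$_.ObjectType] -in $lapsAttrs
    } | ForEach-Object { $guidMap[$_.ObjectType] }

    $missing = $lapsAttrs | Where-Object { $_ -notin $selfWrites }
    if ($missing) {
        # Without these, the CSE can change the local password but cannot report it
        # to AD; Set-AdmPwdComputerSelfPermission -OrgUnit $ou grants them on the OU.
        Write-Warning "SELF lacks write permission on: $($missing -join ', ') for $computerName"
    } else {
        Write-Host "SELF can write both LAPS attributes on $computerName."
    }

    # For completeness, show what AD currently holds for this computer, including
    # the expiration time the CSE compares against before rotating the password.
    Get-AdmPwdPassword -ComputerName $computerName |
        Select-Object ComputerName, DistinguishedName, ExpirationTimestamp
    ```

    The two checks cover different failure modes: missing extended rights stop the admin from reading the password, while a missing SELF write right leaves the AD attribute stale relative to what the client actually set, which is the kind of mismatch that makes a password read from AD fail at the logon prompt.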