Problem with LAPS GPO options not showing up

  • Question

  • I'm working on implementing the Local Administrator Password Solution on a Windows Server 2019 domain controller. I have it mostly configured, but when I open up my GPO management tool the LAPS folder under Computer Configuration -> Administrative Templates -> (this is where the LAPS folder should be) doesn't show up. When I look in the computer folder I see the files where they are supposed to be.

    Technet Discussion: Some may fix the issue by copying the AdmPwd.admx from %windir%\PolicyDefinitions\ to \\domain\SYSVOL\domain\Policies\PolicyDefinitions, and the AdmPwd.adml from %windir%\PolicyDefinitions\en-US to \\domain\SYSVOL\domain\Policies\PolicyDefinitions\en-US

    I am facing permission denied when applying the above solution from the Technet discussion.

    If anyone is facing the same challenges, it might be helpful to share the knowledge.




    Thursday, June 4, 2020 7:54 AM

Answers

  • Hello,
    Thank you for posting in our forum.

    If we retrieve the ADMX and ADML from the local computer as below.


    We should copy the AdmPwd.admx to the location C:\Windows\PolicyDefinitions and AdmPwd.adml file C:\Windows\PolicyDefinitions\en-US.


    If we retrieve the ADMX and ADML from the central store as below.


    We should copy the AdmPwd.admx to C:\Windows\SYSVOL\sysvol\a.local\Policies\PolicyDefinitions and AdmPwd.adml file C:\Windows\SYSVOL\sysvol\a.local\Policies\PolicyDefinitions\en-US.

    Tip: We can open the path C:\Windows\SYSVOL\sysvol\a.local\Policies\PolicyDefinitions instead of the path \\domain\SYSVOL\domain\Policies\PolicyDefinitions even though they are the same location, and copy the ADMX file to the location (the same way as the ADML file); after that we will see the ADMX and ADML in the location \\domain\SYSVOL\domain\Policies\PolicyDefinitions or C:\Windows\SYSVOL\sysvol\a.local\Policies\PolicyDefinitions.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 4, 2020 10:24 AM

All replies

  • Hello Daisy,

    Thanks for your answer and the tips, which are useful.

    Now the LAPS GPO is showing in GPMC, but when we try to show the local admin password, it returns empty. Can you please help me with this?

    We have deployed LAPS according to the following steps:


    1. Install LAPS.msi on one domain controller.

    2. Install LAPS to all the clients via GPO.
    Computer Configuration->Policies->Software Settings->Right click Software Installation and click New->Package.

    3. Import module AdmPwd.PS and update AdmPwdADSchema
    Import-module AdmPwd.PS
    Update-AdmPwdADSchema
    We need to run these commands while logged in to the network as a schema admin.

    4. Adding Machine Rights
    We need to delegate the right to allow the computer object to write to the ms-MCS-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.
    Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,DC=domain,DC=com"

    5. Check ExtendedRights permissions on OU
    To get information on the groups and users able to read the password (ms-MCS-AdmPwd) for a specific Organizational Unit (OU), run the following.
    Find-AdmPwdExtendedRights -identity "OU=Computers,DC=domain,DC=com" | Format-Table ExtendedRightHolders

    6. Delegate a Security group the rights to view and reset LAPS
    Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Computers,DC=domain,DC=com" -AllowedPrincipals <users or groups>
    Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Computers,DC=domain,DC=com" -AllowedPrincipals <users or groups>



    7. If we retrieve the ADMX from the central store, we copy admPwd.adml and admPwd.admx to the following location:

    Copy admPwd.adml to  C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US
    Copy admPwd.admx to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions


    If we retrieve the ADMX from the local computer,
    we copy admPwd.adml and admPwd.admx to the following location:

    Copy admPwd.adml to C:\Windows\PolicyDefinitions\en-US
    Copy admPwd.admx to C:\Windows\PolicyDefinitions




    8. Configure GPO for LAPS.

    After the above steps, check whether we can view the local administrator password with a PowerShell command, computer Properties or the LAPS app.

    Regards,

    Amran


    Sunday, June 7, 2020 1:35 PM
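The following is an added example (not code from the thread or from the LAPS product) that checks the server-side pieces the eight steps above set up: the schema extension, the ADMX/ADML source GPMC will actually read, the OU delegation, and whether a client has written a password yet. The OU and computer name are placeholders; it assumes the AdmPwd.PS and ActiveDirectory modules are installed where it runs.

```powershell
# Added example: verify a LAPS deployment from the DC side. Placeholders below are assumptions.
param(
    [string]$OrgUnit      = 'OU=LAPS,DC=domain,DC=com',   # assumption: the OU holding LAPS clients
    [string]$ComputerName = 'CLIENT01'                    # assumption: one client in that OU
)
Import-Module AdmPwd.PS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Schema: both attributes must exist after Update-AdmPwdADSchema (step 3).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $found = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)"
    '{0,-32} {1}' -f $attr, $(if ($found) { 'present' } else { 'MISSING - run Update-AdmPwdADSchema' })
}

# 2. ADMX source: when a central store exists, GPMC reads it and ignores C:\Windows\PolicyDefinitions,
#    so AdmPwd.admx/adml must be in the store for the LAPS folder to appear (step 7).
$dnsDomain = (Get-ADDomain).DNSRoot
$central   = "\\$dnsDomain\SYSVOL\$dnsDomain\Policies\PolicyDefinitions"
$store     = if (Test-Path $central) { $central } else { "$env:windir\PolicyDefinitions" }
"ADMX source in use: $store"
foreach ($f in 'AdmPwd.admx', 'en-US\AdmPwd.adml') {
    '{0,-32} {1}' -f $f, $(if (Test-Path (Join-Path $store $f)) { 'present' } else { 'MISSING' })
}

# 3. Delegation: who may read the password (steps 5-6) and whether computers can write their
#    own attributes (step 4 grants SELF write access on the OU).
Find-AdmPwdExtendedRights -Identity $OrgUnit | Format-Table ObjectDN, ExtendedRightHolders -AutoSize
$acl = Get-Acl -Path "AD:\$OrgUnit"
$selfWrite = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.ActiveDirectoryRights -match 'WriteProperty'
}
'SELF write on OU: ' + $(if ($selfWrite) { 'present' } else { 'MISSING - run Set-AdmPwdComputerSelfPermission' })

# 4. Stored password: an empty Password with no ExpirationTimestamp means the client has never
#    written one, i.e. the GPO has not applied or the client could not reach a DC.
#    Only the state is printed, never the password value itself.
$pw = Get-AdmPwdPassword -ComputerName $ComputerName
if ([string]::IsNullOrEmpty($pw.Password)) {
    "$ComputerName`: no password stored yet (check gpresult on the client)"
} else {
    "$ComputerName`: password set, expires $($pw.ExpirationTimestamp)"
}
```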
  • Hello,
    Thank you for your update.

    1. Did you create an OU and put the machines in this OU? Because we have a built-in container named "Computers", we cannot create an OU with the same name "Computers".

    We should create a new container (such as LAPS or any other name) and put the clients we want into this container, then perform the steps above with the new container name.

    For example:
    Set-AdmPwdComputerSelfPermission -OrgUnit "OU=LAPS,DC=domain,DC=com"



    2. We should set the Password Complexity:

    Large letters + small letters + numbers 
    Or
    Large letters + small letters + numbers + special characters

    Password Length: 8 or more


    3. If it does not work, we can check if the GPO has been applied by running gpresult /h C:\LAPS.html on one client machine. Check if we can see the two group policy settings in the LAPS.html file.

    For example:


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 8, 2020 3:08 AM
  • Hello Daisy,

    Thanks for your reply.

    We have created a new OU named Test instead of using the Computers container. We have already set Password Complexity from the Password settings.

    Still it shows empty password.

    We have created a new local admin on the client computer and set this local admin to be managed from the GPO. So, there are two local admin accounts. One is built-in and another is customized. Is there any conflict?

    Regards,

    Amran

    Monday, June 8, 2020 4:32 AM
  • Hi,
    Check if you delegated the built-in Administrator and the other customized account for OU-Test (right click the OU (Test) and check if the two accounts we mentioned have read and write ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime permissions).

    Or can we see the two Properties in computer properties with the built-in Administrator and the other customized account we mentioned?



    I think we should create a group (such as lapsgroup) in ADUC, add user accounts to this lapsgroup group and delegate permissions on OU-Test with the commands above.

    Then log on to the DC with a user account in the lapsgroup above to view the LAPS password.

    We can download and refer to the document at the following link.
    Local Administrator Password Solution (LAPS)
    https://www.microsoft.com/en-us/download/details.aspx?id=46899


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 8, 2020 6:52 AM
  • Hi,
    Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know. 
    Again thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 11, 2020 6:45 AM
  • Hello Daisy,

    Thanks for your reply.

    I have created a group in ADUC, added user accounts to this group and delegated permissions on OU-Test with the commands above.

    Still it shows empty password.

    I have opened the AdmPwd GUI tool with elevated privilege but am facing the same issue.

    Regards,

    Amran


    Sunday, June 14, 2020 4:00 AM
  • Hi,
    Can you see the two Properties in computer properties with the built-in Administrator and the other customized account we mentioned?

    Which account do you use to log on to the DC? Is the account in OU-Test?


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 15, 2020 7:55 AM
  • Hello Daisy,

    I can see the two Properties in computer properties with the built-in Administrator and the other customized account.

    For logging on to the DC, we are using a custom Admin Account which is a member of the groups below:

    Domain Admin

    Schema Admin

    Enterprise Admin

    Organization Management

    The DC logon admin account does not exist in the Test-OU.

    As the pandemic situation goes on, all domain-joined member computers are connected via VPN to communicate with the Domain Controller, which is located on the office network.

    I have checked whether the GPO has been applied by running gpresult /h C:\LAPS.html on one client machine. But it doesn't return computer configuration settings in the HTML file.

    Can you please tell me whether LAPS will work smoothly if

    1. Domain Joined Computer is connected with VPN?

    2. What happens in the event that the computer is NOT connected to our VPN when the password expiry time is up?

    Thanks in advance for your kind co-operation.

    Regards,

    Amran




    • Edited by Al Amran Monday, June 15, 2020 11:02 AM
    Monday, June 15, 2020 9:12 AM
  • Hi,
    Based on "I can see the two Properties on computer properties with built-in Administrator and another customized account.", we delegated the built-in Administrator and the other customized account the rights to view and reset LAPS, is that right? If so, we should log on to the DC with the built-in Administrator or the other customized account, then view the LAPS password for the specific machine.


    1. Domain Joined Computer is connected with VPN?
    >>A1:
    If the machines connected via VPN are connected to the domain network, we can restart the machine and check the group policy settings in gpresult /h; if these group policy settings are under Computer Details, the GPO should be applied. We can check as below:

    Log on to the client with an administrator account.
    Open CMD (run as Administrator).
    Type gpresult /h C:\LAPS.html and press Enter.
    Check the group policy settings under Computer Details.


    2. What happens in the event that the computer is NOT connected to our VPN when the password expiry time is up?
    >>A2: We can use the old password the system last set to logon.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 16, 2020 8:14 AM
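As an added example (not from the thread or from Microsoft), the gpresult check in A1 and the expiry behaviour in A2 can be confirmed from the client itself: the LAPS ADMX settings land under a policy registry key, the client-side extension must be registered, and the next rotation time is readable from the client's own computer object without any password-read delegation. It assumes LAPS.msi is installed on the client and a DC is reachable (VPN connected).

```powershell
# Added example: client-side LAPS health check. Run in an elevated PowerShell on a domain client.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # values written by the LAPS GPO settings
if (-not (Test-Path $policy)) {
    "No LAPS policy key: the GPO has not applied. Run 'gpupdate /force' with the VPN up and re-check gpresult."
    return
}
$p = Get-ItemProperty -Path $policy
"AdmPwdEnabled      : $($p.AdmPwdEnabled)"        # 1 = 'Enable local admin password management'
"AdminAccountName   : $($p.AdminAccountName)"     # empty = the built-in Administrator is managed
"PasswordComplexity : $($p.PasswordComplexity)"   # 4 = large + small letters + numbers + specials
"PasswordLength     : $($p.PasswordLength)"
"PasswordAgeDays    : $($p.PasswordAgeDays)"

# The client-side extension (AdmPwd.dll) is registered under GPExtensions by LAPS.msi;
# without it the settings above are read but no password is ever generated.
$cse = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions' |
       Where-Object { (Get-ItemProperty $_.PSPath).DllName -like '*AdmPwd*' }
"LAPS CSE installed : $([bool]$cse)"

# Next rotation time from the client's own computer object. ms-Mcs-AdmPwdExpirationTime is a
# FILETIME and is not a confidential attribute, so any domain account can read it.
$searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher.PropertiesToLoad.Add('ms-Mcs-AdmPwdExpirationTime') | Out-Null
$obj = $searcher.FindOne()
if (-not $obj) { "Computer object not found: no DC reachable?"; return }
$exp = $obj.Properties['ms-mcs-admpwdexpirationtime']
if ($exp.Count -eq 0) {
    "ExpirationTime     : not set - this client has never written a password"
} else {
    $when = [DateTime]::FromFileTimeUtc([int64]$exp[0])
    $note = if ($when -lt (Get-Date).ToUniversalTime()) {
        ' (expired: the last-set password stays valid until the client next refreshes policy with a DC reachable)'
    } else { '' }
    "ExpirationTime     : $($when.ToString('u'))$note"
}
```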
  • Hello Daisy,

    Thanks for your reply.

    I will update you later after testing a domain-joined computer connected via VPN.

    Regards,

    Amran

    Wednesday, June 17, 2020 5:30 AM
  • Hi,
    Thank you for your update and marking my reply as answer.

    If you have any questions or concerns, please feel free to let us know.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 17, 2020 10:25 AM
  • Hello Daisy,

    I am pleased to discuss with you about my issue.

    We have exported the computer settings GPO by following your procedure. The shared screenshot is for your better understanding.

    Still I cannot see the local admin password from PowerShell or the AdmPwd GUI with elevated privilege.

    We have tested two different Windows 10 computers which are connected via VPN to the Domain Controller.

    So, I am confused whether LAPS will be functional or not on a VPN-connected computer.

    It would be very helpful if you could give your feedback on this.

    Regards,

    Amran

    Sunday, June 21, 2020 5:04 AM
  • Hi,

    I can see you configured the setting "Name of Administrator account to manage". So you do not use the built-in local Administrator account on those domain clients, is that right?



    Can you get the local admin password from PowerShell and the AdmPwd GUI with elevated privilege on domain clients in the domain network instead of over VPN?



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 10, 2020 1:07 AM
  • Hello Daisy

    Thanks for your reply.

    We are getting the local admin password from PowerShell and the AdmPwd GUI with elevated privilege on domain clients in the Domain Network and also over VPN.

    Now LAPS is working as expected in our production environment.

    Regards,

    Amran

    Tuesday, July 28, 2020 4:16 AM