LAPS Implementation Issue

  • Question

  • Good day, 

    For almost 2 weeks I've been trying to implement LAPS in my company's small infrastructure. 
    I've gone through the steps in the following tutorial:

    https://blog.thesysadmins.co.uk/deploying-microsoft-laps-part-1.html
    https://blog.thesysadmins.co.uk/deploying-microsoft-laps-part-2.html

    I'm using 2 computers for testing purposes, one is a virtual machine running Windows 10 and the other a laptop running Windows 7. Here's what I've done so far:

    - I extended the computer objects' schema to include the fields needed by LAPS; I then inspected the computer objects corresponding to my 2 test subjects and verified that these attributes were indeed created.

    - I delegated the necessary permissions to the computers through the Set-AdmPwdComputerSelfPermission cmdlet; I then checked the 2 computers' ACE list and verified that write permissions for AdmPwd and write/read permissions for AdmPwdExpirationTime were granted to the SELF trustee. 

    - I delegated the permissions to read and reset passwords to the domain admins through the Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission cmdlets; I then verified these permissions through the 2 computers' permission entry lists. (I think this step is unnecessary since domain admins should have these permissions by default)

    - I deployed LAPS.msi through GPO and verified that "Local Administrator Password Solution" was present in the 2 computers' Apps and Features list. I also verified that AdmPwd.dll was in the Program Files folder for both computers.

    LAPS doesn't seem to work, however. I, as domain administrator, get an empty field whenever I query a computer's password through the UI or through PowerShell, and the password attribute field in the computer objects remains empty. I've read many related posts here in this forum but have not been able to solve this issue.

    The DC is running Windows Server 2012 R2 and the domain functional level is 2012 R2.

    Do you have any idea on what could be going wrong?

    Regards

    Tuesday, June 25, 2019 9:44 PM

All replies

  • Is the local administrator account enabled?
    Tuesday, June 25, 2019 9:52 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    Do we have any error during our deployment?

    According to our description, usually, we try to deploy LAPS according to the following steps:
    1. Install LAPS.msi on one domain controller.

    2. Install LAPS to all the clients via GPO and check if we install LAPS on clients.
    Computer Configuration->Policies->Software Settings->Right click Software Installation and click New->Package

    3. Import module AdmPwd.PS and update AdmPwdADSchema on DC.
    Import-module AdmPwd.PS
    Update-AdmPwdADSchema
    We need to run these commands while logged in to the network as a schema admin.

    4. Adding Machine Rights
    We need to delegate the right to allow the computer object to write to the ms-MCS-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.

    For example, the OU is called Computers.

    Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,DC=domain,DC=com"

    5. Check ExtendedRights permissions on OU
    To get information on the groups and users able to read the password (ms-MCS-AdmPwd) for a specific Organizational Unit (OU), run the following command.

    Find-AdmPwdExtendedRights -identity "OU=Computers,DC=domain,DC=com" | Format-Table ExtendedRightHolders

    6. Delegate a Security group the rights to view and reset LAPS

    Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Computers,DC=domain,DC=com" -AllowedPrincipals <users or groups>

    Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Computers,DC=domain,DC=com" -AllowedPrincipals <users or groups>

    7. If we retrieve ADMX from central store, we copy admPwd.adml and admPwd.admx to the following location:

    Copy admPwd.adml to  C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US
    Copy admPwd.admx to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions


    If we retrieve ADMX from the local computer, we copy admPwd.adml and admPwd.admx to the following location:
    Copy admPwd.adml to C:\Windows\PolicyDefinitions\en-US
    Copy admPwd.admx to C:\Windows\PolicyDefinitions


    8. Configure GPO for LAPS.

    9. Restart the clients to make the GPO take effect.

    After the above steps, check whether we can view the local administrator password with PowerShell command or computer Properties or LAPS app.

    1. View the local administrator password on Computer Properties:

    Logon DC with domain Administrator account.
    Open Active Directory Users and Computers, find the client, and open the computer Properties,
    Find ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

    2. Or view the local administrator password by running Get-AdmPwdPassword -ComputerName <computer name>
    3. View the local administrator password by LAPS app.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 26, 2019 5:39 AM
    Moderator
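    The delegation and verification steps in the reply above, gathered into one script. This is an added example, not code from the thread or from Microsoft's LAPS documentation; it uses the AdmPwd.PS and ActiveDirectory modules, and the OU path and the LAPS-PasswordReaders group are assumptions to replace with your own. It also adds the two checks a defender wants after delegating: who actually holds the right to read ms-Mcs-AdmPwd on the OU, and, per computer, whether a password has ever been written and when it expires.

```powershell
# Added example (not from the thread or from the LAPS documentation).
# Run in an elevated PowerShell on a DC: as a Schema Admin for the schema step,
# as a Domain Admin for the delegation steps.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$OU          = "OU=Computers,DC=domain,DC=com"   # assumed OU, as in the reply above
$ReaderGroup = "LAPS-PasswordReaders"            # assumed group that may read/reset passwords

# 1. Extend the schema with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime (once per forest).
Update-AdmPwdADSchema

# 2. Let each computer object write its own password and expiry (SELF trustee).
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# 3. Delegate read and reset to a dedicated group rather than relying on Domain Admins.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $ReaderGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $ReaderGroup

# 4. Audit: who holds the extended right to read passwords on this OU? Any holder you did
#    not delegate deliberately (e.g. a broad group inherited from a parent OU) is a finding.
Find-AdmPwdExtendedRights -Identity $OU | Format-Table Name, ExtendedRightHolders -AutoSize

# 5. Audit: per computer, is a password present and when does it expire?
#    ms-Mcs-AdmPwdExpirationTime is stored as a Windows FILETIME (100-ns ticks since 1601 UTC).
#    Only a yes/no is reported for the password; the value itself is never printed.
#    Caveat: if your account lacks the read right, AD returns the attribute as empty,
#    so "PasswordSet = False" from a non-delegated account does not mean nothing is stored.
Get-ADComputer -SearchBase $OU -Filter * -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $ticks = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Computer    = $_.Name
            PasswordSet = -not [string]::IsNullOrEmpty($_.'ms-Mcs-AdmPwd')
            ExpiresUtc  = if ($ticks) { [DateTime]::FromFileTimeUtc([int64]$ticks) } else { $null }
        }
    } | Format-Table -AutoSize
```

    Step 5 is the quick way to see the situation described in this thread (an expiry value present, the password attribute empty) across an OU at once, and step 4 is worth re-running after any OU restructuring, since the read right is what turns LAPS from a mitigation into an exposure when it is delegated too widely.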
  • You need to create a GPO and use the Admpwd administrative template to configure the LAPS and link to the OU. Run GPupdate and it should change the password.

    What Daisy provided is a comprehensive set of steps to perform this.

    Thursday, June 27, 2019 2:20 PM
  • Hello all, 

    Thank you for your answers. I did create the GPO with the LAPS settings and linked it to the relevant OU. I verified this with Group Policy Results.  Sorry I forgot to include this information in the original post.

    The local administrator is enabled in the machines, and I am able to log in using this account. 

    I went through Daisy's steps, re-applied the PowerShell cmdlets, and verified permissions through ACEs and such. Unfortunately, LAPS is still not working; whether I query for passwords using the UI, PowerShell or by exploring the attribute editor in the computer objects, I'll get an empty password field.

    This is a bit flabbergasting to me. I've read many tutorials trying to pinpoint any key step that I may have missed, but no luck so far. 

    Thursday, June 27, 2019 5:12 PM
  • Hi,
    Can we see ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on the Attribute Editor tab in computer Properties, but with Value <not set>?

    If so, I think it may be the password policy causing the problem. In my test environment, I can reproduce our issue when the password policy in LAPS is less complex than the local default password policy on the clients.

    Because the local default password policy is displayed as below:

    And we need to set the password policy in LAPS as below:

    Password length: at least 8 characters
    Password complexity: Large letters + small letters + numbers + special characters

    Then run gpupdate /force on the Domain Controller and clients.

    After the above I can view the password through the UI or through PowerShell, and the password's attribute.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 28, 2019 2:53 PM
    Moderator
  • Hi,
    If this question has any update or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 1, 2019 5:11 AM
    Moderator
  • Hello Daisy, 

    Sorry for the late response. 

    What you say is correct, I can see ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on Attribute Editor tab in computer Properties. There's a value in the latter, but ms-Mcs-AdmPwd shows <not set>. I would post the screenshots, but unfortunately I'm not a verified user yet. 

    From what I've read about LAPS, the bulk of the work is performed by the client computers where they check the passwords' expiration date in the active directory and update accordingly. Besides checking that LAPS is in the applications list and the dll file is present in program files, is there something else I should be checking to make sure LAPS is installed? 

    That's one interesting observation you make regarding the two password policies. Tomorrow I'll compare the two and get back to you. 

    Tuesday, July 2, 2019 2:54 AM
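    The question above (what else to check on the client beyond the Apps list and the DLL) is answered by looking at the pieces the client actually needs: the Group Policy client-side extension registration, the policy values the GPO writes to the registry, the CSE's own event log entries, and whether the expiry stored in AD is readable. The script below is an added example, not code from the thread or from Microsoft; the CSE GUID and the DLL path are assumptions taken from a default 64-bit LAPS install and should be confirmed against the machine, and the registry values under the AdmPwd policy key are the ones the admPwd.admx template defines.

```powershell
# Added example (not from the thread): client-side checks for "is the LAPS CSE installed
# and receiving policy?" Run in an elevated PowerShell on the Windows 7/10 test client.
$cseGuid   = '{D76B9641-3288-4f75-942D-087DE603E3EA}'   # assumed: GUID under which the AdmPwd CSE registers
$cseKey    = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$cseGuid"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'   # written by the admPwd.admx settings
$dllPath   = "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"              # assumed default install path

# 1. Is the client-side extension registered? Without this entry the GPO shows as applied
#    in gpresult, but no component on the machine ever acts on it.
$cse = Get-ItemProperty -Path $cseKey -ErrorAction SilentlyContinue
"CSE registered : $([bool]$cse)  DllName=$($cse.DllName)"
"CSE DLL present: $(Test-Path $dllPath)  ($dllPath)"

# 2. Did the GPO deliver settings? AdmPwdEnabled must be 1; PasswordComplexity 4 means
#    upper + lower + digits + special, the setting Daisy recommends above.
$pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $pol) {
    "No AdmPwd policy values found: the GPO is not reaching this machine (check gpresult /r and the OU link)."
} else {
    $pol | Select-Object AdmPwdEnabled, PasswordLength, PasswordComplexity, PasswordAgeDays, AdminAccountName |
        Format-List
}

# 3. What did the CSE log during the last policy refresh? It writes to the Application log
#    under the source "AdmPwd"; an error entry names the step that failed (e.g. an LDAP
#    write the computer account was not allowed to make).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 4. Is the expiry this computer object carries in AD in the past? The CSE only rotates the
#    password when it is. This query runs as the logged-on user, not as the computer account,
#    so it shows the stored value, not whether SELF can write it; that is what the
#    Set-AdmPwdComputerSelfPermission delegation (and the event log above) is for.
$searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher.PropertiesToLoad.Add('ms-Mcs-AdmPwdExpirationTime') | Out-Null
$entry = $searcher.FindOne()
$ticks = $entry.Properties['ms-mcs-admpwdexpirationtime']
if ($ticks.Count -gt 0) {
    $expires = [DateTime]::FromFileTimeUtc([int64]$ticks[0])
    "Expiry in AD (UTC): $expires  Expired: $($expires -lt [DateTime]::UtcNow)"
} else {
    "Expiry not set, or not readable from this user's context"
}
```

    Run it after gpupdate /force on the client. A registered CSE and a populated policy key with an empty AdmPwd event log is the combination that points at the client never reaching the write step; an error event pointing at the LDAP write points back at the SELF delegation on the computer object's OU.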
  • Hi,
    Thank you for your update. I am looking forward to your reply.

    And here is a similar case, LAPS Not showing password, where he/she resolved the same issue as you with my resolution, that is, changing the password policy in LAPS as below:

    Password length : at least 8 characters
    Password complexity: Large letters + small letters + numbers + special characters


    Thank you for your time.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 2, 2019 9:11 AM
    Moderator
  • Hello Daisy, 

    The password policies don't seem to be the problem either. I checked both of them and the local default password policy is less complex than the LAPS password policy (at both length and complexity requirements). I even went ahead and further reduced the complexity of the local password policy but nothing changed. 

    I feel as if it is not something related to GPO, LAPS deployment or permissions, but something in the computers blocking LAPS from working properly, I just can't pinpoint what it is. 

    Thursday, July 4, 2019 12:07 AM
  • Hi,
    Can we see ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on the Attribute Editor tab in computer Properties, but with Value <not set>?


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 4, 2019 2:33 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 8, 2019 10:09 AM
    Moderator
  • Hello Daisy, 

    Yes, I can see both ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on Attribute Editor tab in computer Properties.

    ms-Mcs-AdmPwdExpirationTime has a value in it. The value in this field is 25 June 2019 for the 2 computers (I set this value for testing purposes).

    ms-Mcs-AdmPwd shows <not set> in the two computer objects. 

    Unfortunately, I must stop attempting to implement LAPS for the time being; other tasks take priority. If I manage to make it work, I'll update this thread.

    Thank you for your help, Daisy!

    Monday, July 8, 2019 8:26 PM
  • Hi,
    You are welcome! I am looking forward to your update.

    Have a nice day!

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 9, 2019 8:24 AM
    Moderator