LAPS Not showing password

  • Question

  • Hi everyone,

    I tried to install LAPS but it's not showing the password. My steps:

    1- Install LAPS on my DC.

    2- All my PCs are in one OU "Computers", so I gave the computer permission to read the password:

    A- Set-AdmPwdComputerSelfPermission -OrgUnit 'CN=Computers,DC=DOMAIN,DC=COM'

    B- Find-AdmPwdExtendedRights -Identity "CN=Computers,DC=DOMAIN,DC=COM" | Format-List -Property *

    C- Set-AdmPwdReadPasswordPermission -OrgUnit 'CN=Computers,DC=DOMAIN,DC=COM' -AllowedPrincipals "IT Remote Desktop Servers"

    3- Created a group policy.

    4- Deployed LAPS to all PCs.

    But when I run LAPS on the DC to see the password, it is empty. Did I miss something? I tried running as administrator and from another admin account. How can I see logs? Is there any other software that is easier to use?

    One more thing: the password is not changing on the user PC.

    Please find attached an image from the user registry.


    Osma





    • Edited by Osama123 Monday, June 24, 2019 6:57 PM
    Monday, June 24, 2019 11:21 AM

Answers

  • Hi,
    Can we see ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on the Attribute Editor tab in computer Properties, but with Value <not set>?

    If so, I think the password policy may be causing the problem. In my test environment, I can reproduce the issue when the password policy in LAPS is less complex than the local default password policy on the clients.
    Because the local default password policy is displayed as below:

    And we need to set the password policy in LAPS as below:
    Password length: at least 8 characters
    Password complexity: Large letters + small letters + numbers + special characters

    Then run gpupdate /force on the Domain Controller and clients.
    After the above, I can view the password through the UI or through PowerShell, and the password's attribute.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Osama123 Sunday, June 30, 2019 6:54 AM
    Friday, June 28, 2019 2:57 PM
    Moderator

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    According to your description, we usually deploy LAPS according to the following steps:

    1. Install LAPS.msi on one domain controller.

    2. Install LAPS on all the clients via GPO.
    Computer Configuration->Policies->Software Settings->Right click Software Installation and click New->Package.

    3. Import the module AdmPwd.PS and update the AD schema:
    Import-Module AdmPwd.PS
    Update-AdmPwdADSchema
    We need to run these commands while logged in to the network as a schema admin.

    4. Add machine rights.
    We need to delegate the right that allows the computer object to write to the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes:
    Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,DC=domain,DC=com"

    5. Check ExtendedRights permissions on the OU.
    To get information on the groups and users able to read the password (ms-Mcs-AdmPwd) for a specific Organizational Unit (OU), run the following:
    Find-AdmPwdExtendedRights -Identity "OU=Computers,DC=domain,DC=com" | Format-Table ExtendedRightHolders

    6. Delegate to a security group the rights to view and reset LAPS passwords:
    Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Computers,DC=domain,DC=com" -AllowedPrincipals <users or groups>
    Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Computers,DC=domain,DC=com" -AllowedPrincipals <users or groups>

    7. If we retrieve ADMX from the central store, copy admPwd.adml and admPwd.admx to the following locations:

    Copy admPwd.adml to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US
    Copy admPwd.admx to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions

    If we retrieve ADMX from the local computer, copy admPwd.adml and admPwd.admx to the following locations:

    Copy admPwd.adml to C:\Windows\PolicyDefinitions\en-US
    Copy admPwd.admx to C:\Windows\PolicyDefinitions

    8. Configure the GPO for LAPS.

    After the above steps, check whether we can view the local administrator password with a PowerShell command, computer Properties, or the LAPS app.

    1. View the local administrator password in computer Properties:
    Log on to the DC with the domain Administrator account.
    Open Active Directory Users and Computers, find the client, and open the computer Properties.
    Find ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

    2. Or view the local administrator password by running Get-AdmPwdPassword -ComputerName <ComputerName>

    3. View the local administrator password in the LAPS app.



    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 25, 2019 4:08 AM
    Moderator
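An added troubleshooting script (not from any poster in this thread) that checks the points raised above: whether the LAPS policy target is an OU or a container, who holds read rights on the password, whether the client's ms-Mcs-AdmPwd attribute was ever written, and on the client the CSE dll, the built-in Administrator state and the local minimum password length. It assumes the RSAT ActiveDirectory and AdmPwd.PS modules are installed where it runs; $Target and $Computer are placeholder values.

```powershell
# Added troubleshooting checks for the points raised in this thread; not from
# any poster. Assumes RSAT ActiveDirectory and AdmPwd.PS are installed where it
# runs. $Target and $Computer are placeholder values to replace.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$Target   = 'CN=Computers,DC=DOMAIN,DC=COM'   # scope the LAPS policy is aimed at
$Computer = 'PC01'                            # one client expected in that scope

# 1. A GPO can only be linked to a site, domain or OU. The default "Computers"
#    object has objectClass "container", so a LAPS GPO aimed at it never applies.
$obj = Get-ADObject -Identity $Target -Properties objectClass
if ($obj.objectClass -ne 'organizationalUnit') {
    Write-Warning "$Target is a '$($obj.objectClass)', not an OU; move the PCs to an OU and link the GPO there."
}

# 2. Who can read the cleartext password in this scope? Review the list; every
#    principal on it can sign in as local admin on every machine below $Target.
Find-AdmPwdExtendedRights -Identity $Target | Format-Table ExtendedRightHolders -AutoSize

# 3. Has the client side extension ever written the password back to AD?
$c = Get-ADComputer -Identity $Computer -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime'
if (-not $c.'ms-Mcs-AdmPwd') {
    Write-Warning "$Computer has no ms-Mcs-AdmPwd value: the policy was not applied or the CSE could not set a password."
} else {
    # The expiration time is stored as a 64-bit FILETIME integer
    $exp = [DateTime]::FromFileTime([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
    Write-Output "Password present for $Computer; expires $exp"
}

# 4. On the client: the CSE dll must exist, the built-in Administrator (RID 500)
#    must be enabled, and the local minimum password length must not exceed the
#    length configured in the LAPS GPO (the cause found in the accepted answer).
Invoke-Command -ComputerName $Computer -ScriptBlock {
    [pscustomobject]@{
        CseDllPresent  = Test-Path 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
        AdminEnabled   = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }).Enabled
        LocalMinLength = (net accounts | Select-String 'Minimum password length').Line
    }
}
```

Run it from a DC or an admin workstation as an account that already holds the LAPS read right; a warning from any of the four checks points at the step in the thread that was skipped.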
  • Thank you for your reply. I already did all the previous steps but still can't see the password.

    And also the password is not changed on the users' PCs. I'm afraid there is another policy conflicting with this one. How can we troubleshoot?


    Osma Othman

    Tuesday, June 25, 2019 6:39 AM
  • Hi,
    We can try to re-deploy according to the steps I mentioned.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 26, 2019 5:24 AM
    Moderator
  • Still not working. I tried to set the password from Attribute Editor, and when I start the LAPS UI I can see the new password, but it doesn't work; it's like it does not affect the PC itself.

    Osma Othman

    Wednesday, June 26, 2019 9:35 AM
  • How did you deploy the client side policy extension?

    Is the dll present on all the PCs in "c:\Program Files\LAPS\CSE\AdmPwd.dll"?

    Without that the policy cannot be executed and the password cannot be created.

    Did you by any chance disable all the local Administrator accounts? If yes, you need to re-enable them before the whole process can work.

    HTH

    -mario

    Wednesday, June 26, 2019 11:38 AM
  • It drives me crazy!!!

    I found AdmPwd on the C drive, and the Administrator account is enabled since we are using it!!


    Osma Othman

    Thursday, June 27, 2019 7:48 AM
  • Hi,
    Check if we have performed all deployment operations, and whether an error occurred while running the commands.


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 27, 2019 10:25 AM
    Moderator
  • No error at all.

    PS C:\Windows\system32> find-admPwdExtendedRights -identity "CN=Computers,DC=,DC=COM" | Format-List -Property *


    ObjectDN             : CN=Computers,DC=ASFDC,DC=COM
    ExtendedRightHolders : {NT AUTHORITY\SYSTEM, BUILTIN\Administrators, \Domain Admins, ASFDC\Enterprise Admins...}

    It's more like the LAPS app does not connect to the user PC.


    Osma Othman

    Thursday, June 27, 2019 12:09 PM
  • Where did you connect the LAPS policy?

    I mean, Computers is not an OU. You cannot connect a policy to that object.

    Try creating a new OU and call it TestPc. Connect the LAPS policy to that OU and put inside that OU a couple of PCs where the LAPS binaries are already deployed.

    Then run GPUPDATE /force on those PCs and see what happens.

    HTH

    -mario

    Thursday, June 27, 2019 1:37 PM
  • Wooooooooooow, it works!!!

    Thank you, boss :).


    Osma Othman

    Sunday, June 30, 2019 6:54 AM
  • Hello Guys,

    I can see the password from Attribute Editor and PowerShell but cannot see it from the LAPS UI.

    Any suggestions?


    Ahmad Sayed System Engineer

    Wednesday, October 16, 2019 6:12 AM
  • I solved the issue by running LAPS UI as administrator :)


    Ahmad Sayed System Engineer

    Wednesday, October 16, 2019 6:27 AM