LAPS for disabled builtin administrator account

raja waseem 51 Reputation points
2022-10-10T20:06:15.027+00:00
  1. One of the entities implemented LAPS to set the password on the built-in Administrator account. The client workstations have custom admin accounts and the Administrator account is disabled (unable to enable it through GPO as it gives a password complexity error). What are the possibilities?
  2. LAPS is configured correctly, agents are being installed on clients through GPOs, and all the read and reset permissions are configured properly, but still a privileged user cannot set a password. It shows neither in LAPS nor in the AD computer attributes.

7 answers

  1. Pavel yannara Mirochnitchenko 11,716 Reputation points
    2022-10-11T06:11:18.41+00:00
    1. I think it is good practice to keep the built-in admin account disabled. You should create a custom account with Group Policy Preferences and add its name to the LAPS policies to manage that account.
    2. It sounds like you are missing rights, or you didn't delegate enough rights to read the additional attributes in AD.

    This is a good guide on how to implement this solution: https://4sysops.com/archives/how-to-install-and-configure-microsoft-laps/


  2. raja waseem 51 Reputation points
    2022-10-11T10:08:36.727+00:00

    Thanks for the reply,

    1. Actually there is a Group Policy to remove all the members of the local admin group, so we need to set LAPS on the administrator account.
    2. We have implemented it as per the document step-by-step; the correct delegation is there.
      Used highly privileged users but still unable to set/read the password.

    ObjectDN                                 ExtendedRightHolders
    --------                                 --------------------
    OU=xxxx-puters,OU=Devices,DC=xxxx,D...   {NT AUTHORITY\SYSTEM, xxxxx\Domain Admins, xxxx\LAPS Control

    ComputerName DistinguishedName                    Password ExpirationTimestamp
    ------------ -----------------                    -------- -------------------
    PTEST-WIN1   CN=PTEST-WIN1,OU=xxxx-puters,OU=...           10/22/2022 11:50:...


  3. Limitless Technology 43,931 Reputation points
    2022-10-12T09:34:22.237+00:00

    Hi. Thank you for your question and for reaching out.

    The local administrator password will be updated in the following order once LAPS is in place, by the Group Policy client-side extension (CSE) software that is installed on each computer.

    1. For the local administrator account, create a new password.
    2. Utilize the password policy settings to verify the new password.
    3. Save the password under the ms-Mcs-AdmPwd attribute of the Active Directory computer object. As part of installing LAPS, this attribute is added to the schema.
    4. Save the password's upcoming expiration date under the ms-Mcs-AdmPwdExpirationTime attribute. As part of the LAPS installation procedure, this attribute was also added to the schema.
    5. The administrator password should be changed.

    REFERENCE: https://techcommunity.microsoft.com/t5/itops-talk-blog/local/ba-p/2806185

    ----------------------------------------------------------------------------------------------------------------------------------------------------------

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

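    The two attributes named in the steps above, and the delegation output pasted two replies earlier, can be checked from an admin workstation. The following is an added example, not code from the thread or from the LAPS product; it assumes the RSAT ActiveDirectory module and the AdmPwd.PS module are installed, and the OU and computer names are placeholders taken from the thread's masked output. The check that matters most for the symptom in the question is the third one: if the computer account (SELF) cannot write the two attributes, the CSE never stores a password, regardless of which admins can read it.

```powershell
# Added example (not from the thread): AD-side checks for a LAPS-managed computer.
# Assumes RSAT ActiveDirectory and AdmPwd.PS modules; $OU and $Computer are placeholders.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OU       = 'OU=xxxx-puters,OU=Devices,DC=xxxx,DC=local'   # placeholder: the real OU DN
$Computer = 'PTEST-WIN1'                                    # placeholder computer name

# 1. Who holds the extended right on the OU? Only these principals can read ms-Mcs-AdmPwd.
Find-AdmPwdExtendedRights -Identity $OU | Format-List

# 2. Read both schema attributes directly. Empty ms-Mcs-AdmPwdExpirationTime means the CSE
#    has never written to AD (client-side policy or permission problem). Expiration present
#    but ms-Mcs-AdmPwd empty means the reading account lacks the read right on the
#    confidential attribute.
$obj    = Get-ADComputer -Identity $Computer -Properties 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime'
$expRaw = $obj.'ms-Mcs-AdmPwdExpirationTime'
[pscustomobject]@{
    Computer          = $obj.Name
    PasswordPresent   = -not [string]::IsNullOrEmpty($obj.'ms-Mcs-AdmPwd')
    ExpirationPresent = $null -ne $expRaw
    # Expiration is stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
    ExpiresUtc        = if ($expRaw) { [DateTime]::FromFileTimeUtc([int64]$expRaw) } else { $null }
}

# 3. Does the computer account itself (SELF) hold WriteProperty on the two attributes?
#    Look up their schemaIDGUIDs so unrelated SELF write ACEs are not counted.
$schemaNC  = (Get-ADRootDSE).SchemaNamingContext
$attrGuids = foreach ($name in 'ms-Mcs-AdmPwd','ms-Mcs-AdmPwdExpirationTime') {
    $s = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    [guid]$s.schemaIDGUID
}
$acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
$selfWrite = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    ($attrGuids -contains $_.ObjectType)
}
if ($selfWrite.Count -lt 2) {
    Write-Warning "SELF is missing write access to the LAPS attributes on $Computer. Grant it at the OU with: Set-AdmPwdComputerSelfPermission -OrgUnit '$OU'"
}
```

    Run it as a user who is listed in the extended-rights output; a Domain Admin in the thread's output qualifies. A missing SELF ACE is the usual reason the attributes stay empty even though the read and reset delegation for admins looks correct.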

  4. raja waseem 51 Reputation points
    2022-10-13T09:36:28.387+00:00

    Thanks for the details.

    But I still can't see the password in ms-Mcs-AdmPwd attribute of an Active Directory computer object.
    I tried different computers, agent re-installation, and used a high-privilege account to use LAPS for the password reset, but no success.

    Is there any way to see the logs?


  5. Pavel yannara Mirochnitchenko 11,716 Reputation points
    2022-10-13T10:21:56.613+00:00

    Yes, that article should have the solution for how to extend client logs with a registry key.

    https://4sysops.com/archives/part-2-faqs-for-microsoft-local-administrator-password-solution-laps/

    Is there a log on the client I can use to audit password changes or troubleshoot LAPS?
    By default, no. In its default configuration, LAPS only logs errors. Errors (and other events if you bump up the logging level) are logged to the Application Event Log by the AdmPwd Source.
    You can enable additional logging by creating a new REG_DWORD value named ExtensionDebugLevel in the Registry in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ . Set it to 0 (the default) to log errors only, 1 to log errors and warnings, and 2 for verbose logging.

    I think you have some issues with delegating permissions to attributes. Try to verify them with PowerShell.

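    The client side of the same investigation, covering the managed-account point from the first reply and the ExtensionDebugLevel value quoted above, as an added example that is not from the thread or from the LAPS product. It is run elevated on the affected workstation. The CSE registry path is the one quoted above; the policy key HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd and its value names are the ones the legacy LAPS policy template writes, and the account name is a placeholder.

```powershell
# Added example (not from the thread): client-side LAPS checks, run elevated on the workstation.

# 1. Effective LAPS policy as delivered by the GPO. With no AdminAccountName value, LAPS
#    manages the built-in Administrator (RID 500); a custom account must be named here.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
if (Test-Path $policy) {
    Get-ItemProperty -Path $policy |
        Select-Object AdmPwdEnabled, AdminAccountName, PasswordLength, PasswordAgeDays
} else {
    Write-Warning 'LAPS policy key is missing: the GPO has not applied to this machine.'
}

# 2. Is the managed account present and enabled? The CSE has nothing to reset if the target
#    account is absent or disabled (the situation described in question 1 of the thread).
$target = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).AdminAccountName
if (-not $target) {
    # No custom name configured: fall back to the RID 500 account, whatever it is called.
    $target = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Name
}
Get-LocalUser -Name $target | Select-Object Name, Enabled, PasswordLastSet

# 3. Is the CSE registered? If so, raise its logging level (0 errors, 1 +warnings, 2 verbose).
$cse = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
if (-not (Test-Path $cse)) {
    Write-Warning 'LAPS CSE is not registered: reinstall the LAPS client on this machine.'
} else {
    Set-ItemProperty -Path $cse -Name ExtensionDebugLevel -Value 2 -Type DWord
}

# 4. Force a computer policy refresh, then read what the CSE logged under the AdmPwd source.
gpupdate /target:computer /force | Out-Null
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'AdmPwd'
    StartTime    = (Get-Date).AddMinutes(-10)
} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```

    A verbose log that ends with a failure to write to AD points back at the SELF permission on the OU; a log that shows no password change at all usually means the policy is not applied or the managed account name does not match an existing, enabled local account. Set ExtensionDebugLevel back to 0 once the cause is found, since verbose logging is not meant to stay on.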