This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 15%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi Everyone,
i tried to installed LAPS but its not showing the password, but i am able to see and send and view password expiry
my steps :
PS C:\Windows\system32> Import-module AdmPwd.PS
PS C:\Windows\system32> Update-AdmPwdADSchema
Operation DistinguishedName Status
AddSchemaAttribute cn=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,DC=o... EntryAlreadyExists
AddSchemaAttribute cn=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=Domain... EntryAlreadyExists
ModifySchemaClass cn=computer,CN=Schema,CN=Configuration,DC=Domain,DC=c... AttributeOrValueExists
PS C:\Windows\system32> Set-AdmPwdComputerSelfPermission -OrgUnit 'Domain Computers'
Name DistinguishedName Status
Domain Computers OU=Domain Computers,DC=Domain,DC=co,DC=uk Delegated
PS C:\Windows\system32> Set-AdmPwdReadPasswordPermission -OrgUnit 'domain computers' -AllowedPrincipals 'LAPS Admins'
Name DistinguishedName Status
Domain Computers OU=Domain Computers,DC=Domain,DC=co,DC=uk Delegated
PS C:\Windows\system32> Set-AdmPwdResetPasswordPermission -OrgUnit 'domain computers' -AllowedPrincipals 'LAPS Admins'
Name DistinguishedName Status
Domain Computers OU=Domain Computers,DC=Domain,DC=co,DC=uk Delegated
PS C:\Windows\system32> Get-AdmPwdPassword Computer Name
ComputerName DistinguishedName Password ExpirationTimestamp
Computer Name CN=Computer Name,OU=Domain Computers,DC=Domain... 29/07/2020 18:22:24Thanks
Mo
Hi Hannah,
I have also tried the power shell as administrator and got the below results
PS C:\Windows\system32> Get-AdmPwdPassword Computer Name
ComputerName DistinguishedName Password ExpirationTimestamp
Computer Name CN=Computer Name,OU=Domain Computers,DC=domain... 29/07/2020 18:22:24
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
Thank you so much for your feedback.
Usually, we try to deploy LAPS according to the following steps:
1.Install LAPS.msi on one domain controller.
2.Install LAPS to all the clients via GPO and check if we install LAPS on clients..
Computer Configuration->Policies->Software Settings->Right click Software Installation and click New->Package
3.Import module AdmPwd.PS and update AdmPwdADSchema on DC.
Import-module AdmPwd.PS
Update-AdmPwdADSchema
We need to run these commands while logged in to the network as a schema admin.
4.Adding Machine Rights
We need to delegate to right to allow the computer object to write to the ms-MCS-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.
For example, the OU is called Computers.
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Computers,DC=domain,DC=com"
5.Check ExtendedRights permissions on OU
To get information on the groups and users able to read the password (ms-MCS-AdmPwd) for a specific Organizational Unit (OU), run the following command.
Find-AdmPwdExtendedRights -identity "OU=Computers,DC=domain,DC=com" | Format-Table ExtendedRightHolders
6.Delegate a Security group the rights to view and reset LAPS
Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Computers,DC=domain,DC=com"-AllowedPrincipals <users or groups>
Set-AdmPwdResetPasswordPermission -OrgUnit "OU=Computers,DC=domain,DC=com"-AllowedPrincipals <users or groups>
7.Configure GPO for LAPS.
8.Restart the clients to make the GPO take effect.
After the above steps, check whether we can view the local administrator password with PowerShell command or computer Properties or LAPS app.
1.View the local administrator password on Computer Properties:
2.Or view the local administrator password by running get-admpwdpassword ComputerName
3.View the local administrator password by LAPS app.
We could kindly have a recheck of the deployment. It is also suggested that we could run gpresult /h to check the group policy result report to see whether the specific settings get applied or not.
Best regards,
Hannah Xiong
Hello,
Hope our issue could be resolved soon. For any update, please let us know. If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
Thank you so much for your understanding and support.
Best Regards,
Hannah Xiong
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 10%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAT%3C/text%3E%3C/svg%3E)
We had this but it turned out for us you needed to run LAPS GUI as Admin, or PowerShell as Admin then the passwords displayed. Otherwise blank. Hope this helps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 42%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello,
i have the exact same Issue the Password is not set yet. Everything is configured.
Ive tryed everything to make it work.
My Laps UI started as Administrator is attached Showing no Password and wrong Expire Time. The Default is set to 5 Days.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 25%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EY%3C/text%3E%3C/svg%3E)
What eventually solve this for me was to repair the installation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 11%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EY%3C/text%3E%3C/svg%3E)
In case you are still waiting for the right answer pertaining to the ms-Mcs-AdmPwd still says <Not Set> or it shows empty in the password field of the LAPS fat client.
Why it was empty is because your built-in .\Administrator account were still disabled by default.
Go and enable it then do a gpupdate again and reboot the workstation. Hope that works for ya ~ cheers
