LAPS - not updating AD attributes for servers on particular OU

adr 46 Reputation points
2022-12-01T14:11:45.583+00:00

We have noticed that the servers in one of our OUs are not updating the local administrator password. All is working fine and as expected in all the other OUs: local administrator passwords on computers are being updated and the AD attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime are updating OK.
On a server, for example, I am unable to log in as the local administrator (so I'm guessing the password has been updated?). The LAPS AD attributes also show as blank.
Now, I suspect that the OU has not had the permissions updated for the computers.
My question is: how do I check the existing configuration, i.e. the OUs that 'Set-AdmPwdReadPasswordPermission' was run on?
Any suggestions?


Accepted answer
Daisy Zhou 18,701 Reputation points Microsoft Vendor
2022-12-02T04:29:59.647+00:00

    Hello alphadeltaromeo,

    Thank you for posting in our Q&A forum.

    Based on the description, I understand all the servers in an OU did not have a LAPS password, but the servers have the AD attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

    Is it a parent OU? If so, please run the following commands first on a DC (you can change Domain Admins to another administrator account or admin group depending on your needs).

    Set-AdmPwdComputerSelfPermission -OrgUnit OUName
    Set-AdmPwdReadPasswordPermission -OrgUnit OUName -AllowedPrincipals "Domain Admins"
    Set-AdmPwdResetPasswordPermission -OrgUnit OUName -AllowedPrincipals "Domain Admins"

    Q: My question is: how do I check the existing configuration, i.e. the OUs that 'Set-AdmPwdReadPasswordPermission' was run on?
    A: Please check as below:

    1. Right-click this OU and select Properties.
    2. Click the Security tab and click the Advanced button.
    3. Find whether there is any entry that you configured on this OU.
    4. If there is, click the entry and click the Edit button (you do not need to edit it).
    5. Check whether the specific group or user has Read ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime OR Write ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime permissions (if yes, the corresponding permissions should be checked).

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou


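The accepted answer checks one OU by hand in the ADUC Security tab. The script below is an added example, not code from the original question or answer and not part of the LAPS product: it answers the same question ("which OUs were the Set-AdmPwd*Permission cmdlets run on?") for every OU at once by reading the OU ACLs with the ActiveDirectory module, and then looks at the computers under the suspect OU to see whether the expiration attribute has ever been written. It assumes the RSAT ActiveDirectory module and the LAPS module (AdmPwd.PS) are installed where it runs, that the legacy LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime are in the schema, and that the ACE shapes match what the three cmdlets create (SELF gets write on both attributes; readers get the control-access right on ms-Mcs-AdmPwd; resetters get write on ms-Mcs-AdmPwdExpirationTime). The OU distinguished name is a placeholder to replace. The script never reads ms-Mcs-AdmPwd itself, only the expiry, so it exposes no passwords.

```powershell
# Added example (not from the original answer). Assumes RSAT ActiveDirectory and
# the LAPS module AdmPwd.PS are installed; OU name below is a placeholder.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module AdmPwd.PS -ErrorAction Stop

# Resolve the schemaIDGUIDs of the two LAPS attributes from the schema rather
# than hard-coding them; ACEs on an OU reference the attribute by this GUID.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute $name is not in the schema; LAPS schema extension missing?" }
    $lapsAttrs[[guid]$attr.schemaIDGUID] = $name
}

function Get-LapsOuPermission {
    # Return the explicit (non-inherited) LAPS ACEs on one OU, tagged with the
    # Set-AdmPwd*Permission cmdlet whose ACE shape they match (assumed shapes).
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    foreach ($ace in $acl.Access) {
        if (-not $lapsAttrs.ContainsKey($ace.ObjectType)) { continue }  # not scoped to a LAPS attribute
        if ($ace.IsInherited) { continue }                              # applied on a parent OU, not here

        $attrName = $lapsAttrs[$ace.ObjectType]
        $rights   = $ace.ActiveDirectoryRights
        $isSelf   = $ace.IdentityReference.Value -eq 'NT AUTHORITY\SELF'
        $canWrite = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        $canCtrl  = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)

        if ($isSelf -and $canWrite) {
            $grantedBy = 'Set-AdmPwdComputerSelfPermission'   # computer writes its own password and expiry
        } elseif ($canCtrl -and $attrName -eq 'ms-Mcs-AdmPwd') {
            $grantedBy = 'Set-AdmPwdReadPasswordPermission'   # confidential attribute: read needs control access
        } elseif ($canWrite -and $attrName -eq 'ms-Mcs-AdmPwdExpirationTime') {
            $grantedBy = 'Set-AdmPwdResetPasswordPermission'  # writing the expiry forces a rotation
        } else {
            $grantedBy = 'Other'
        }

        [pscustomobject]@{
            OU        = $OuDistinguishedName
            Principal = $ace.IdentityReference.Value
            Attribute = $attrName
            Rights    = $rights
            GrantedBy = $grantedBy
        }
    }
}

function Get-LapsOuPermissionReport {
    # Walk every OU in the domain; an OU with no 'Set-AdmPwdComputerSelfPermission'
    # row (and none inherited from a parent) is one where clients cannot write.
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        Get-LapsOuPermission -OuDistinguishedName $_.DistinguishedName
    }
}

function Get-LapsComputerState {
    # For the computers under one OU, report whether the expiry attribute has
    # ever been written. Blank is what a missing SELF permission looks like
    # from the AD side. Only the expiry is read, never ms-Mcs-AdmPwd.
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    Get-ADComputer -SearchBase $OuDistinguishedName -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'          # stored as a FILETIME integer
            $expires = $null
            $state   = 'attribute blank'
            if ($raw) {
                $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
                $state   = if ($expires -lt (Get-Date).ToUniversalTime()) { 'expired, not rotated' } else { 'managed' }
            }
            [pscustomobject]@{ Computer = $_.Name; Expires = $expires; State = $state }
        }
}

# Usage: whole-domain permission report, then a closer look at the suspect OU.
$suspectOu = 'OU=Servers,DC=example,DC=com'   # placeholder, replace with the real OU
Get-LapsOuPermissionReport | Sort-Object OU, GrantedBy | Format-Table -AutoSize
Get-LapsComputerState -OuDistinguishedName $suspectOu | Format-Table -AutoSize
# Cross-check with the LAPS module's own view of who holds the read right on that OU.
Find-AdmPwdExtendedRights -Identity $suspectOu | Select-Object -ExpandProperty ExtendedRightHolders
```

Reading the report: the OU in the question should show a SELF row tagged Set-AdmPwdComputerSelfPermission either directly or on an ancestor OU (inherited ACEs are skipped here precisely so the report shows where each cmdlet was actually run). If that row is absent, the computers cannot write ms-Mcs-AdmPwd or the expiry, which matches the blank attributes observed; the computer-state table then confirms which machines have never written the expiry versus which have an expiry in the past and are overdue for a rotation.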