Trouble viewing password on new Windows LAPS

Ben 36 Reputation points

Running into some trouble setting permissions within the new Windows LAPS in the Windows Server Active Directory mode. I have my policies set up and my computers are successfully updating AD with Windows LAPS managed passwords. I've confirmed this by logging into AD with a domain admin account and viewing the LAPS tab of a computer object.

However, I'm having trouble setting up access to the Windows LAPS password for my helpdesk users. I've run the following commands:

Set-LapsADReadPasswordPermission -Identity OUWithComputers -AllowedPrincipals "DOMAIN\HELPDESK GROUP"

Set-LapsADResetPasswordPermission -Identity OUWithComputers -AllowedPrincipals "DOMAIN\HELPDESK GROUP"

However, the help desk receives an error message when viewing the LAPS tab of a computer object: "The account's password is encrypted, but you do not have permission to decrypt it."

I had them reboot the computer to ensure that they would get a new token from AD with any changes, but they are still getting this error.

Since Windows LAPS is fairly new, there's not much documentation for troubleshooting. What have I missed to allow my helpdesk to view and reset Windows LAPS passwords?


6 answers

  1. Limitless Technology 43,996 Reputation points

    Hello there. You can use the ADPasswordEncryptionPrincipal policy setting to set a specific security principal for encrypting the password. Windows LAPS supports a password history feature for Windows Server Active Directory domain-joined clients and domain controllers. Password history is supported only when password encryption is enabled. Password history isn't supported if you store clear-text passwords in Windows Server Active Directory. This article might help you in getting insights. Hope this resolves your query! -- If the reply is helpful, please upvote and accept it as an answer --


  2. Andres Diaz de Valdes 0 Reputation points

    Any news regarding this? I have the exact same issue for a specific group. When I run Find-LapsADExtendedRights -Identity "the OU", it shows the specific group that contains the users that should read the password.


  3. Michael Eibner 0 Reputation points

    Password encryption is enabled by default.


    If password encryption is enabled, you must define a group that is able to decrypt the passwords. This can be done via GPO.

    You can also disable password encryption via GPO.

    No matter which way you go, it only affects passwords that are rewritten to AD after configuration.

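The question grants the AD extended rights, while answer 3 points at the second control that also has to line up: the password blob is encrypted for the principal named in the ADPasswordEncryptionPrincipal policy (Domain Admins when the policy is absent), and that principal is fixed at the moment the client writes the password. The script below, an added example that is not from the thread or from Microsoft, reconciles the three pieces from a domain admin session: the extended-rights holders on the OU, the client's effective encryption policy, and a forced rotation so that a changed decryptor takes effect. The OU, group and computer names are placeholders; it assumes the LAPS PowerShell module is available and that PowerShell remoting to the client is enabled.

```powershell
# Added example (not part of the thread). Placeholders to replace:
$ou       = 'OU=Workstations,DC=corp,DC=example'   # OU that holds the computer objects
$helpdesk = 'CORP\HelpDesk'                         # help-desk group in DOMAIN\GROUP form
$computer = 'WS-001'                                # one computer in that OU (WinRM reachable)

# 1. Who holds the LAPS extended rights on the OU?
#    Set-LapsADReadPasswordPermission / Set-LapsADResetPasswordPermission only add ACEs;
#    this shows whether the help-desk group actually made it onto the OU.
Write-Host "== Extended-rights holders on $ou =="
Find-LapsADExtendedRights -Identity $ou |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List

# 2. What encryption policy is the client actually applying?
#    The GPO writes its values under HKLM\Software\Microsoft\Policies\LAPS.
#    ADPasswordEncryptionEnabled is on by default when the value is absent, and
#    ADPasswordEncryptionPrincipal defaults to the domain's Domain Admins group.
$policy = Invoke-Command -ComputerName $computer -ScriptBlock {
    Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
}
$encryptionEnabled = if ($null -eq $policy -or $null -eq $policy.ADPasswordEncryptionEnabled) { 1 }
                     else { [int]$policy.ADPasswordEncryptionEnabled }
$decryptor = if ($policy -and $policy.ADPasswordEncryptionPrincipal) { $policy.ADPasswordEncryptionPrincipal }
             else { '(not set: defaults to Domain Admins)' }

Write-Host "Encryption enabled : $encryptionEnabled"
Write-Host "Decryptor principal: $decryptor"

# 3. The ACL alone is not enough: members of $helpdesk can decrypt only if that group
#    (or a group they belong to) is the configured decryptor.
if ($encryptionEnabled -eq 1 -and $decryptor -ne $helpdesk) {
    Write-Warning "'$helpdesk' has read rights but is not the decryptor ('$decryptor')."
    Write-Warning "Set 'Configure authorized password decryptors' (ADPasswordEncryptionPrincipal) to '$helpdesk' in the LAPS GPO, then rotate."
}

# 4. The decryptor is baked into the blob when it is written, so after a policy change
#    force the client to pull policy and write a fresh password (answer 3's point).
Invoke-Command -ComputerName $computer -ScriptBlock {
    Invoke-LapsPolicyProcessing      # re-read the (new) policy
    Reset-LapsPassword               # rotate now instead of waiting for expiry
}

# 5. Confirm from the client's own log what it did; look for the
#    "policy was changed to specify a different password encryption target" event
#    quoted in answer 4, followed by a successful password update.
Invoke-Command -ComputerName $computer -ScriptBlock {
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 15 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -Wrap
}

# 6. Final check, run by a help-desk member in a NEW logon session (answer 5: the
#    group SID must be in the access token, so a session older than the group change
#    still fails). A plain-text read that succeeds proves both ACE and decryptor are right.
# Get-LapsADPassword -Identity $computer -AsPlainText
```

Run steps 1 to 5 as a domain admin; step 6 is deliberately left as a comment because it belongs to the help-desk user's session. The string comparison in step 3 is a simple check: the policy value may also be a SID or a group the help-desk members belong to indirectly, so treat a warning there as a prompt to inspect the GPO rather than as proof of misconfiguration.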

  4. Arjan Langendijk 1 Reputation point

    Same here. I added a group to the GPO with users from a different forest and triggered a policy update and it gave

    The managed account password needs to be updated due to one or more reasons (0x800): The policy was changed to specify a different password encryption target

    So we have a password written to the computer account but even though the decrypter group has permissions and is configured it is unreadable.


  5. James Andersen 0 Reputation points

    Had this issue myself. After ensuring the group was added via the previously mentioned commands and the GPO, I had to log off the machine I was using Active Directory Users and Computers on and log back into it, after which it recognized my account's group membership properly and decrypted the passwords.
