This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 33%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Running into some trouble setting permissions within the new Windows LAPS in the Windows Server Active Directory mode. I have my policies set up and my computers are successfully updating AD with Windows LAPS managed passwords. I've confirmed this by logging into AD with a domain admin account and viewing the LAPS tab of a computer object.
However, I'm having trouble setting up access to the Windows LAPS password to my helpdesk users. I've ran the following commands:
Set-LapsADReadPasswordPermission -Identity OUWithComputers -AllowedPrincipals "DOMAIN\HELPDESK GROUP"
Set-LapsADResetPasswordPermission -Identity OUWithComputers -AllowedPrincipals "DOMAIN\HELPDESK GROUP"
However, the help desk receives an error message when viewing the LAPS tab of a computer object "The account's password is encrypted, but you do not have permission to decrypt it."
I had them reboot the computer to ensure that they would get a new token from AD with any changes, but they are still getting this error.
Since Windows LAPS is fairly new, there's not much documentation for troubleshooting. What have I missed to allow my helpdesk to view and reset Windows LAPS passwords?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 39%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
What do You receive when You entry it:
Find-LapsADExtendedRights -Identity 'OUWithComputers' ?
is this group "DOMAIN\HELPDESK GROUP" in the list?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 74%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVH%3C/text%3E%3C/svg%3E)
When I enter the command you mention here I do get the desired group. However, this group is added in a later stage. When I first implemented LAPS (a few months ago) only domain admins could read and reset the LAPS-password. The group of service desk users were added yesterday. After I set the rights to read and reset the LAPS password, I forced replication to all domain controllers.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there, You can use the ADPasswordEncryptionPrincipal policy setting to set a specific security principal for encrypting the password. Windows LAPS supports a password history feature for Windows Server Active Directory domain-joined clients and domain controllers. Password history is supported only when password encryption is enabled. Password history isn't supported if you store clear-text passwords in Windows Server Active Directory. This article might help you in getting insights https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts Hope this resolves your Query !! --If the reply is helpful, please Upvote and Accept it as an answer--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 70%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Any news regarding this? I have the exact same issue for a specific group, when I run the Find-LapsADExtendedRights -Identity "the OU" it shows the specific group that contains the users that should read the password.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 89%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EME%3C/text%3E%3C/svg%3E)
Password encryption is enabled by default.
If password encryption is enabled, you must define a group that is able to decrypt the passwords. This can be done via GPO.
You can also disable password encryption via GPO.
No matter which way you go, it only affects passwords that are rewritten to AD after configuration.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 70%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Same here. I added a group to the GPO with users from a different forest and triggered a policy update and it gave
The managed account password needs to be updated due to one or more reasons (0x800): The policy was changed to specify a different password encryption target
So we have a password written to the computer account but even though the decrypter group has permissions and is configured it is unreadable.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 67%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
Had this issue myself, after ensuring the group was added via the previously mentioned commands and the GPO, I had to log off the machine using I was using Active Directory Users and Computers on and log back into it, after which it recognized my account's group membership properly and decrypted the passwords.