Hello there,
You can use the ADPasswordEncryptionPrincipal policy setting to set a specific security principal for encrypting the password. Windows LAPS supports a password history feature for Windows Server Active Directory domain-joined clients and domain controllers. Password history is supported only when password encryption is enabled. Password history isn't supported if you store clear-text passwords in Windows Server Active Directory.
This article might help you in getting insights: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts
Hope this resolves your query!
--If the reply is helpful, please Upvote and Accept it as an answer--
Trouble viewing password on new Windows LAPS
Running into some trouble setting permissions within the new Windows LAPS in the Windows Server Active Directory mode. I have my policies set up and my computers are successfully updating AD with Windows LAPS managed passwords. I've confirmed this by logging into AD with a domain admin account and viewing the LAPS tab of a computer object.
However, I'm having trouble setting up access to the Windows LAPS password for my helpdesk users. I've run the following commands:
Set-LapsADReadPasswordPermission -Identity OUWithComputers -AllowedPrincipals "DOMAIN\HELPDESK GROUP"
Set-LapsADResetPasswordPermission -Identity OUWithComputers -AllowedPrincipals "DOMAIN\HELPDESK GROUP"
However, the help desk receives an error message when viewing the LAPS tab of a computer object: "The account's password is encrypted, but you do not have permission to decrypt it."
I had them reboot the computer to ensure that they would get a new token from AD with any changes, but they are still getting this error.
Since Windows LAPS is fairly new, there's not much documentation for troubleshooting. What have I missed to allow my helpdesk to view and reset Windows LAPS passwords?
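The following is an added example, not the original poster's code, showing how an administrator can grant the OU rights and then distinguish the two failure modes the question conflates: the AD ACL (which Set-LapsADReadPasswordPermission controls) versus the encryption principal the password blob was written to (which only the ADPasswordEncryptionPrincipal policy controls). It assumes the built-in Windows LAPS PowerShell module and an account allowed to change the OU's ACL; the OU, group and computer names are placeholders.

```powershell
# Added example (not from the thread). Placeholder names throughout.
$OuDn        = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU distinguished name
$HelpdeskGrp = 'CORP\Helpdesk'                         # placeholder helpdesk group
$Computer    = 'WS01'                                  # placeholder managed computer

# 1. Grant the two OU-level extended rights (same cmdlets as in the question).
Set-LapsADReadPasswordPermission  -Identity $OuDn -AllowedPrincipals $HelpdeskGrp
Set-LapsADResetPasswordPermission -Identity $OuDn -AllowedPrincipals $HelpdeskGrp

# 2. Verify the ACEs landed. This only proves permission to read the attribute;
#    it says nothing about who can decrypt what is stored in it.
Find-LapsADExtendedRights -Identity $OuDn | Format-List

# 3. Read one computer's password the way the ADUC LAPS tab does, as the helpdesk
#    user. AuthorizedDecryptor names the principal the blob was encrypted to when
#    the client last wrote it; if the caller's logon token does not carry that
#    principal, the AD read succeeds but the decryption does not.
function Test-LapsPasswordRead {
    param([Parameter(Mandatory)][string]$Identity)
    try {
        $r = Get-LapsADPassword -Identity $Identity -AsPlainText
        [pscustomobject]@{
            Computer            = $r.ComputerName
            Source              = $r.Source               # encrypted vs clear-text storage
            DecryptionStatus    = $r.DecryptionStatus     # exact status wording is an assumption
            AuthorizedDecryptor = $r.AuthorizedDecryptor  # principal from ADPasswordEncryptionPrincipal at write time
            Account             = $r.Account
            Expires             = $r.ExpirationTimestamp
        }
    } catch {
        # Assumption: some builds raise an exception on a decrypt failure instead
        # of returning a status value; report both shapes the same way.
        [pscustomobject]@{ Computer = $Identity; DecryptionStatus = 'Failed'; Error = $_.Exception.Message }
    }
}

Test-LapsPasswordRead -Identity $Computer
```

If step 2 lists the helpdesk group but step 3 reports an AuthorizedDecryptor that is a different principal (by default Domain Admins when the policy is unset), the fix is on the policy side, and it takes effect only for passwords rewritten after the policy change, not for the blob already stored.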
7 answers
Andres Diaz de Valdes 0 Reputation points
2023-06-18T23:57:58.67+00:00
Any news regarding this? I have the exact same issue for a specific group. When I run Find-LapsADExtendedRights -Identity "the OU" it shows the specific group that contains the users that should read the password.
Michael Eibner 0 Reputation points
2023-07-06T11:37:13.2+00:00
Password encryption is enabled by default.
If password encryption is enabled, you must define a group that is able to decrypt the passwords. This can be done via GPO.
You can also disable password encryption via GPO.
No matter which way you go, it only affects passwords that are rewritten to AD after configuration.
Arjan Langendijk 1 Reputation point
2023-07-12T08:23:25.8833333+00:00
Same here. I added a group to the GPO with users from a different forest and triggered a policy update, and it gave:
"The managed account password needs to be updated due to one or more reasons (0x800): The policy was changed to specify a different password encryption target"
So we have a password written to the computer account but even though the decrypter group has permissions and is configured it is unreadable.
James Andersen 0 Reputation points
2023-07-12T18:22:09.93+00:00
Had this issue myself. After ensuring the group was added via the previously mentioned commands and the GPO, I had to log off the machine I was using Active Directory Users and Computers on and log back into it, after which it recognized my account's group membership properly and decrypted the passwords.
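The two answers above point at two different places to check: the encryption policy the managed computer actually applies (Michael's and Arjan's posts) and the group membership in the reader's current logon token (James's post). This added example, not part of the thread, gives one function for each. It assumes the standard Windows LAPS policy registry path used by the GPO/CSP settings; the group name is a placeholder.

```powershell
# Added example, not from the thread. Placeholder group name.

function Get-LapsEncryptionPolicy {
    # Run ON THE MANAGED COMPUTER: show the encryption settings it applies.
    # Registry path assumed to be the standard Windows LAPS policy location.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BackupDirectory     = $pol.BackupDirectory               # 2 = Windows Server Active Directory
        EncryptionEnabled   = $pol.ADPasswordEncryptionEnabled   # enabled by default when unset
        EncryptionPrincipal = $pol.ADPasswordEncryptionPrincipal # unset = Domain Admins
        HistorySize         = $pol.ADEncryptedPasswordHistorySize
    }
    # A change of the encryption target is logged and the password is rewritten,
    # re-encrypted to the new principal, on the next policy processing cycle.
    # Until that rewrite, the stored blob is still encrypted to the old principal.
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 30 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'encrypt' } |
        Select-Object TimeCreated, Id, Message
}

function Test-LapsDecryptorToken {
    # Run ON THE ADMIN WORKSTATION as the helpdesk user. Decryption is evaluated
    # against the groups in the caller's logon token, which is built at logon;
    # a group added afterwards is not in the token until the user logs off and on.
    param([Parameter(Mandatory)][string]$ExpectedGroup)   # e.g. 'CORP\Helpdesk' (placeholder)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenGroups = foreach ($sid in $id.Groups) {
        # Translate each SID to DOMAIN\Name; fall back to the raw SID if it cannot be resolved.
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
    $inToken = $tokenGroups -contains $ExpectedGroup
    [pscustomobject]@{
        User    = $id.Name
        InToken = $inToken
        Action  = if ($inToken) { 'Token is fine; check the OU ACEs and whether the password was rewritten since the policy change' }
                  else          { 'Group missing from token: log off and back on, or re-check AD group membership' }
    }
}

# Usage (assumed placeholders):
#   Get-LapsEncryptionPolicy                                 # on a managed computer
#   Test-LapsDecryptorToken -ExpectedGroup 'CORP\Helpdesk'   # on the workstation running ADUC
```

Running the second function before and after a log-off makes James's observation visible: the same user, same AD membership, but the group appears in the token only after a fresh logon.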