This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 99%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYP%3C/text%3E%3C/svg%3E)
Greetings,
I have installed and deployed LAPS (Local Administrator Password Solution) on a new Windows Server 2022 Standard (21H2) with RSAT to the Domain Controller, using the following guide: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-how-to-configure-microsoft-local/ba-p/2806185. I tested it on a couple of computers and it worked perfectly. Unfortunately the server had crashed (for different reasons, nothing to do with LAPS) and I had to reinstall it, since I had no snapshots made for this virtual machine. I reinstalled LAPS exactly the same way, but now it doesn't update any passwords, nor giving new ones to newly joined machines. Both the logs of the server and the local machines show no information regarding LAPS, the only error that I get is this one, when I run Reset-LapsPassword:
Reset-LapsPassword : The request failed because the machine is not configured to backup the managed account password to either Active
Directory or Azure Active Directory.
At line:1 char:1
+ Reset-LapsPassword
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotEnabled: (:) [Reset-LapsPassword], LapsPowershellException
+ FullyQualifiedErrorId : LAPS is not enabled on this machine,Microsoft.Windows.LAPS.ResetLapsPassword
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello Yavor Petrunov,
Thank you for your reply. I will post the answer from you.
"With great pleasure I'm announcing that the issue has been fixed. After hours of troubleshooting, me and the team finally made a breakthrough. The issue was fixed by deleting the GPO that deployed LAPS and made the configuration from a new GPO."
Please help click Accept Answer button to help more people with similar problem.
Thank you very much.
Best Regards,
Daisy Zhou
Hello Yavor Petrunov,
Thank you for posting in our Q&A forum.
Based on the LAPS guide you deployed mentioned above, I understand you are deploying legacy Microsoft LAPS PowerShell, not Windows LAPS PowerShell.
What is Windows LAPS?
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
If so, the error message about Reset-LapsPassword you ran is not applied for legacy Microsoft LAPS PowerShell, so I think the error occurs should be normal.
For "now it doesn't update any passwords", I think it might be any misconfiguration or something we did not configure.
For example:
1.Maybe gpo did not applied
2.LAPS did not installed on clients.
3.Schema did not update.
4.Permission issue.
5.Others.
I suggest you can follow the link you mentioned above to check again and find any problem.
Hope the information above is helpful. If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Greetings Daisy Zhou,
Thank you for your fast response. I apologize for my mistake regarding legacy Microsoft LAPS PowerShell, not Windows LAPS PowerShell. I was sharing that detail, because I was trying to give as much details as possible regarding this issue.
For "now it doesn't update any passwords" I checked everything even before I posted this question, but I am going to confirm it again now:
Hello Yavor Petrunov,
Thank you for your reply.
Here is a similar thread I replied in the past for your reference. You can try to check all the steps and troubleshoot method.
Best Regards,
Daisy Zhou
Greetings Daisy Zhou
Thank you for the reply.
I reviewed your past replies in the thread you provided. I checked if the LAPS policy is in conflict with the Default Domain Policy (that's where the password requirements are set) and it is not (attached screenshot).
I also tried to copy the LAPS.admx and LAPS.adml files from the client machine to the server, where I installed LAPS and still the effect was the same.
However I was able to make some progress, before I opened this thread, that I forgot to mention. When I ran the AdmPwd.UI.exe tool, I was able to update the password expiration time to the client machine (but I wasn't able to assign a password at all)
I also noticed that before the reinstallation of the server, LAPS applied on a couple of test computers that have an admin password stored, but I can't force change that password via LAPS
Hello Yavor Petrunov,
Thank you for your reply.
So did you mean it can not generate a password for the client, am I right?
If so, you can check the permission like (as in the similar thread):
Adding Machine Rights:
We need to delegate right to allow the computer object to write to the ms-MCS-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=xxx,DC=xxx,DC=xxx"
Best Regards,
Daisy Zhou
Hello Daisy Zhou,
Thank you for the reply.
I added the machine rights at the very beginning, after the LAPS installation, but for testing I did it again, and unfortunately that still didn't fix the issue. Attached are the screenshots:
Hello Yavor Petrunov,
Thank you for your reply.
We can check from the following three points:
1.What account did you logon the management server? Does that account have permission to view the password.
2.What object did you put in this OU (you run command on the OU Set-AdmPwdComputerSelfPermission -OrgUnit "OU=xxx,DC=xxx,DC=xxx")? We should put computer object.
3.Whether all the computer machines in the OU have not generate password?
If so, you can check the permission on the OU (for example).
4.And you can check the permissions on one machine.
Hope the information above is helpful. If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Greetings Daisy Zhou,
Thank you for your reply.
The answer to those three points:
Hello Yavor Petrunov,
Thank you for your reply.
It seems all is fine.
I suggest you can redeploy the LAPS once from scratch.
Best Regards,
Daisy Zhou
Greetings Daisy Zhou,
Could you please give me a detailed guide on how to do that, because that was my last attemp to fix the issue before I submitted this question?
Best Regards,
Yavor Petrunov
Hello Yavor Petrunov,
Thank you for your reply.
1.Please check your client OS is x86 or x64.
2.You can try to set an expiration time on LAPS UI and update gpo on client and check if the password will generate.
3.Meanwhile, you can download the LAPS_OperationGuide.docx to redeploy LAPS or check issue.
Download link.
https://www.microsoft.com/en-us/download/details.aspx?id=46899
Best Regards,
Daisy Zhou
Greetings Daisy Zhou,
Thank you for your reply.
Unfortunately, this method also didn't solve the issue. Is it possible to establish a remote connection to troubleshoot live or any other suggestions? I am getting desperate here. Apologies for the inconvenience.
Best Regards,
Yavor Petrunov
Hello Yavor Petrunov,
Thank you for your reply.
I am sorry, the forum support method is that we answer your question in forum. If you want to call and/or remote session support, I suggest you can open a service request based in the steps in the link below.
https://support.microsoft.com/en-us/gp/customer-service-phone-numbers
Thank you for your understanding.
Best Regards,
Daisy Zhou
Greetings,
With great pleasure I'm announcing that the issue has been fixed. After hours of troubleshooting, me and the team finally made a breakthrough. The issue was fixed by deleting the GPO that deployed LAPS and made the configuration from a new GPO.
Thank you very much for your cooperation.
Best regards,
Yavor Petrunov
Hello Yavor Petrunov,
Thank you for your reply.
I am so glad that the issue has been resolved.
Thank you for your update and sharing again.
You can accept your answer by clicking "Accept Answer".
Best Regards,
Daisy Zhou
Greetings Daisy Zhou,
I already tried to click the "Accept Answer", but that option has been grayed out for me
I did. Either way I wouldn't be able to post or comment from my profile
Hello Yavor Petrunov,
So you can not "Accept Answer" button under my answer, either?
Can you click "Accept Answer" button in other thread you post?
Also, you can open browser and reopen thread and sign in your account to check if it helps.
Best Regards,
Daisy Zhou
Greetings Daisy Zhou,
I can click on "Accept Answer" under your answer
I don't know If I can "Accept Answer" on another post, because this is my first one. I tried signing in in incognito mode and tried restarting the browser as well. Still grayed out
Best regards,
Yavor Petrunov
Hello Yavor Petrunov,
Thank you for your reply.
It seems you cannot accept your own reply as answer. But you can accept my reply or other responders‘ reply as answer. I mean one can not accept himself/herself answer.
Best Regards,
Daisy Zhou
Greetings Daisy Zhou,
Thank you for your reply.
Unfortunately your reply to the solution is not a reply, it's a comment. Could you please write the solution as a reply and I will accept it?
Best regards,
Yavor Petrunov
Hello Yavor Petrunov,
Would you please tell me which comment from me (with screenshot)? Then I will post in answer instead of comment.
Thank you!
Best Regards,
Daisy Zhou