After server reinstallation, LAPS stopped working

Yavor Petrunov 20 Reputation points
2023-08-03T07:44:49.0833333+00:00

Greetings,

I have installed and deployed LAPS (Local Administrator Password Solution) on a new Windows Server 2022 Standard (21H2) with RSAT to the Domain Controller, using the following guide: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-how-to-configure-microsoft-local/ba-p/2806185. I tested it on a couple of computers and it worked perfectly. Unfortunately, the server crashed (for different reasons, nothing to do with LAPS) and I had to reinstall it, since I had no snapshots made for this virtual machine. I reinstalled LAPS exactly the same way, but now it doesn't update any passwords, nor does it give new ones to newly joined machines. Both the logs of the server and the local machines show no information regarding LAPS; the only error that I get is this one, when I run Reset-LapsPassword:

Reset-LapsPassword : The request failed because the machine is not configured to backup the managed account password to either Active
 Directory or Azure Active Directory.
At line:1 char:1
+ Reset-LapsPassword
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotEnabled: (:) [Reset-LapsPassword], LapsPowershellException
    + FullyQualifiedErrorId : LAPS is not enabled on this machine,Microsoft.Windows.LAPS.ResetLapsPassword

Accepted answer
  1. Anonymous
    2023-08-14T08:28:48.6966667+00:00

    Hello Yavor Petrunov,

    Thank you for your reply. I will post the answer from you.

    "With great pleasure I'm announcing that the issue has been fixed. After hours of troubleshooting, the team and I finally made a breakthrough. The issue was fixed by deleting the GPO that deployed LAPS and making the configuration in a new GPO."

    Please click the Accept Answer button to help more people with a similar problem.
    Thank you very much.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.

4 additional answers

Sort by: Most helpful
  1. Anonymous
    2023-08-04T03:49:33.3166667+00:00

    Hello Yavor Petrunov,

    Thank you for posting in our Q&A forum.

    Based on the LAPS guide you deployed mentioned above, I understand you are deploying legacy Microsoft LAPS PowerShell, not Windows LAPS PowerShell.

    What is Windows LAPS?
    https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview

    If so, the error message from the Reset-LapsPassword cmdlet you ran does not apply to legacy Microsoft LAPS PowerShell, so I think it is normal that the error occurs.

    https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-powershell#windows-laps-powershell-vs-legacy-microsoft-laps-powershell

    For "now it doesn't update any passwords", I think it might be a misconfiguration or something that was not configured.

    For example:
    1. Maybe the GPO did not apply.
    2. LAPS is not installed on the clients.
    3. The schema was not updated.
    4. Permission issue.
    5. Others.

    I suggest you can follow the link you mentioned above to check again and find any problem.

    1. Review Prerequisites
    2. Install Microsoft LAPS
    3. Update Active Directory Schema
    4. Change Computer object permissions
    5. Assign permissions to the group for password access
    6. Install CSE in Computers
    7. Create GPO for LAPS settings
    8. Testing.

    Hope the information above is helpful. If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Anonymous
    2023-08-07T07:57:56.89+00:00

    Hello Yavor Petrunov,

    Thank you for your reply.

    We can check from the following three points:

    1. What account did you log on to the management server with? Does that account have permission to view the password?

    2. What objects did you put in this OU (the OU you ran the command on: Set-AdmPwdComputerSelfPermission -OrgUnit "OU=xxx,DC=xxx,DC=xxx")? It should contain computer objects.

    3. Have all the computer machines in the OU failed to generate a password?
    If so, you can check the permissions on the OU (for example).

    4. And you can check the permissions on one machine.

    Hope the information above is helpful. If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
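The checks listed in the two answers above (GPO applied, CSE installed, schema updated, computer object permitted to write its password) can be run from the affected client in one go. The script below is an added example, not code from the thread or from Microsoft; it assumes the default legacy LAPS CSE path, the standard legacy LAPS policy registry key, and a domain-joined client where it runs elevated. It deliberately never reads the password attribute itself, only the expiration time.

```powershell
# Added example: health check for legacy Microsoft LAPS (AdmPwd) on a domain-joined client.
# Assumptions: default CSE install path and the standard policy key written by the LAPS GPO.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$CseDll    = Join-Path $env:SystemRoot 'System32\AdmPwd.dll'
$results   = [ordered]@{}

# 1. Is the client-side extension installed? Without it no password is ever generated.
$results['CSE installed'] = Test-Path $CseDll

# 2. Did the GPO apply? The CSE reads AdmPwdEnabled from the policy key.
$policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$results['Policy key present'] = [bool]$policy
$results['AdmPwdEnabled = 1']  = ($policy.AdmPwdEnabled -eq 1)

# 3. Was the AD schema extended with the legacy LAPS attributes?
$schemaNC = ([adsi]'LDAP://RootDSE').schemaNamingContext
$results['Schema extended'] = [adsi]::Exists("LDAP://CN=ms-Mcs-AdmPwd,$schemaNC")

# 4. Does this computer's own object carry an expiration time? If the computer has
#    no write permission (Set-AdmPwdComputerSelfPermission missing) this stays empty.
$filter   = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher = [adsisearcher]$filter
[void]$searcher.PropertiesToLoad.Add('ms-Mcs-AdmPwdExpirationTime')
$self = $searcher.FindOne()
$results['Computer object found'] = [bool]$self
if ($self) {
    $exp = $self.Properties['ms-mcs-admpwdexpirationtime']
    $results['Expiration time set'] = ($exp.Count -gt 0)
    if ($exp.Count -gt 0) {
        # Stored as a Windows FILETIME; a value in the past means the CSE should rotate on next refresh.
        $results['Expires (UTC)'] = [DateTime]::FromFileTimeUtc([int64]$exp[0])
    }
}

[PSCustomObject]$results | Format-List

# Server side (management host with the legacy AdmPwd.PS module), with a placeholder OU:
#   Find-AdmPwdExtendedRights -Identity "OU=Workstations,DC=example,DC=com"
# lists which principals can read passwords in that OU; if any line shows false above,
# re-run the step from the deployment guide that corresponds to it, then 'gpupdate /force'.
```

If "Policy key present" is false while the GPO is linked, the GPO itself is not reaching the machine (filtering, link, or a corrupted GPO, which matches the fix the asker eventually found).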


  3. Yavor Petrunov 20 Reputation points
    2023-08-11T07:03:31.2066667+00:00

    Greetings,

    With great pleasure I'm announcing that the issue has been fixed. After hours of troubleshooting, the team and I finally made a breakthrough. The issue was fixed by deleting the GPO that deployed LAPS and making the configuration in a new GPO.

    Thank you very much for your cooperation.

    Best regards,

    Yavor Petrunov


  4. Yavor Petrunov 20 Reputation points
    2023-08-11T07:41:45.8066667+00:00

    Greetings Daisy Zhou,

    I can click on "Accept Answer" under your answer.

    I don't know if I can "Accept Answer" on another post, because this is my first one. I tried signing in in incognito mode and tried restarting the browser as well. Still grayed out.

    Best regards,

    Yavor Petrunov

