Windows LAPS - 10024 LAPS policy is configured as disabled

Nelson Figueroa 31 Reputation points
2024-01-04T15:48:03.5+00:00

We had a working Microsoft LAPS. However, we decided we wanted Windows LAPS so we:

https://i.stack.imgur.com/iQYGz.png

However, the Windows LAPS is doing nothing. The event viewer is showing successions of events 10003, 10024, and 10004. 10024 LAPS policy is configured as disabled.

[LAPS 10024](https://i.stack.imgur.com/wzz0z.png)

Moreover, the ADUC computer properties are showing the LAPS tab but blank account name and password. [LAPS Tab](https://i.stack.imgur.com/RRq39.png)

We reran the configuration but we cannot seem to find what is amiss. We checked the Windows hotfix and we have the "2023-11 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5032196)".

We have Windows Server 2019 but we have "Windows 2012 R2" domain functional level.


6 answers

  1. Nelson Figueroa 31 Reputation points
    2024-07-03T11:05:15.6166667+00:00

    The problem for me is mainly that we upgraded our server 2012 to 2019 but did not raise the domain functional level to 2016. The new LAPS needs to be at 2016 domain functional level.

    Likewise, the event logs of the DC are not helpful. LAPS is now working but the events still show a succession of 10003, 10024, and 10004 events.

    The key to solving our LAPS problem, which I thought I read from here, is to check the events in the client computers instead. The LAPS event in the client computers shows specific errors, like the DC must be at 2016 domain functional level.

    Solution: check the LAPS event log of the client computer, not the DC

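The check described in the answer above, as an added PowerShell example that is not part of the original thread: it is run on the affected client rather than the DC, summarizes the client's Windows LAPS events, prints the full text of warnings and errors, and reports the domain functional level the answer refers to. The 24-hour look-back window and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: run in an elevated session on the affected CLIENT, not on the DC.
$channel = 'Microsoft-Windows-LAPS/Operational'   # Windows LAPS client event channel
$since   = (Get-Date).AddDays(-1)                 # assumed look-back window

# Trigger a fresh policy cycle so the log holds current results (Windows LAPS module).
if (Get-Command Invoke-LapsPolicyProcessing -ErrorAction SilentlyContinue) {
    Invoke-LapsPolicyProcessing -ErrorAction Continue
}

# Get-WinEvent returns newest events first and errors when nothing matches.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No events found in $channel since $since."
}

# Per-ID summary: shows whether only the 10003/10024/10004 cycle is logged
# or whether more specific events appear on this machine.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId';  e = { $_.Name } },
                  Count,
                  @{ n = 'Level';    e = { $_.Group[0].LevelDisplayName } },
                  @{ n = 'LastSeen'; e = { $_.Group[0].TimeCreated } } |
    Format-Table -AutoSize

# Full message text of the most recent critical (1), error (2) and warning (3) events.
$events | Where-Object { $_.Level -in 1, 2, 3 } |
    Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# Domain functional level, if the RSAT ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $mode   = (Get-ADDomain).DomainMode
    $needed = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
    "Domain functional level: $mode"
    if ($mode -lt $needed) {
        Write-Warning "Domain functional level is below $needed."
    }
} else {
    Write-Warning 'ActiveDirectory module not installed; skipping functional level check.'
}
```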