Migrating from old to new LAPS doesn't work

Franz Schenk 341 Reputation points
2024-02-29T16:08:39.52+00:00

New LAPS doesn't work. The computer password is not visible in the LAPS tab of "AD Users and Computers". In the event log, there are only 10003/10004 messages (LAPS policy processing succeeded) and 10024 messages (LAPS policy is configured as disabled).

  • Have run Update-LapsADSchema again with the -Verbose switch. No errors.
  • Implemented new LAPS according to https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory
  • Have tried to execute "Set-LapsADComputerSelfPermission -Identity LAPS-Pilotserver". This doesn't work (error "the search filter is invalid"). But when executing the same command with the full DN of the OU "LAPS-Pilotserver", the command works.
  • There must be an issue with the rights to read the passwords. When running "Find-LapsADExtendedRights", I get only the OU. According to the documentation, the Domain Admins group should be in the list. Tried to add this group with "Set-LapsADReadPasswordPermission". The command works without an error. But "Find-LapsADExtendedRights" is still empty. See the two screenshots below.

Thank you all in advance for any advice!

Franz

[screenshot: find-laps]

[screenshot: set-laps]

Windows Server 2019
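The permission setup the question walks through (schema update, computer self-permission, read permission, then Find-LapsADExtendedRights), as an added PowerShell example that is not part of the original post. It resolves the OU to its distinguished name before calling the Set-LapsAD* cmdlets, prints the extended-right holders with Select-Object -ExpandProperty so a long DN cannot push the column out of the default table view, and then reads the OU ACL directly as an independent check of who can read msLAPS-Password. The OU name "LAPS-Pilotserver" and the group "Domain Admins" are taken from the thread; everything else is inbox or RSAT.

```powershell
# Added example, not from the original post. Assumptions: an OU named
# "LAPS-Pilotserver" exists and "Domain Admins" should be able to read passwords.
# Requires the RSAT ActiveDirectory module and the inbox LAPS module (Windows
# Server 2019 with the April 2023 or later cumulative update).
Import-Module ActiveDirectory
Import-Module LAPS

$ouName  = 'LAPS-Pilotserver'      # assumption: pilot OU name from the thread
$readers = @('Domain Admins')      # assumption: principals allowed to read passwords

# Resolve the OU to its DN first and pass the DN to every LAPS cmdlet; in the
# thread the bare OU name failed with "the search filter is invalid".
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'"
if (-not $ou) { throw "OU '$ouName' not found" }
$ouDn = $ou.DistinguishedName

# 0. Schema must already be extended (Update-LapsADSchema, run once per forest).
Update-LapsADSchema -Verbose

# 1. Let computers in the OU write their own msLAPS-* attributes.
Set-LapsADComputerSelfPermission -Identity $ouDn

# 2. Grant read access on the password attributes to the chosen principals.
Set-LapsADReadPasswordPermission -Identity $ouDn -AllowedPrincipals $readers

# 3. Verify. Expanding the property lists every holder on its own line; the
#    default table view truncates a long ObjectDN with "..." and can hide the
#    ExtendedRightHolders column entirely.
Find-LapsADExtendedRights -Identity $ouDn |
    Select-Object -ExpandProperty ExtendedRightHolders

# 4. Independent check straight from the OU ACL: which principals hold
#    ReadProperty / ExtendedRight / GenericAll on msLAPS-Password, or on all
#    properties (an empty ObjectType GUID means "every attribute").
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$pwdAttr  = Get-ADObject -SearchBase $schemaNc `
                -LDAPFilter '(lDAPDisplayName=msLAPS-Password)' `
                -Properties schemaIDGUID
$pwdGuid  = [guid]$pwdAttr.schemaIDGUID
$allProps = [guid]::Empty

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $pwdGuid -or $_.ObjectType -eq $allProps) -and
        ($_.ActiveDirectoryRights -match 'ReadProperty|ExtendedRight|GenericAll')
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
        @{ n = 'Scope'; e = { if ($_.ObjectType -eq $pwdGuid) { 'msLAPS-Password' } else { '(all attributes)' } } } |
    Format-Table -AutoSize
```

Step 4 is the one to trust when the cmdlet output looks empty: it shows the actual ACEs on the OU, including inherited ones, so a principal that reads passwords through an inherited full-control or all-properties entry is visible even if it never appears as an explicit LAPS extended-right holder.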

3 answers

  1. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2024-03-01T02:09:44.5566667+00:00

    Hello Franz Schenk,

    Thank you for posting in Microsoft Community forum.

    Have tried to execute "Set-LapsADComputerSelfPermission -Identity LAPS-Pilotserver". This doesn't work (error "the search filter is invalid"). But when executing the same command with the full DN Name of the OU "LAPS-Pilotserver" the command works.

    A: You can also use the DN in the command.

    There must be an issue with the rights to read the passwords. When running "Find-LapsADExtendedRights", I get only the OU. According the documentation, the domain admin group should be in the list.

    A: It seems the DN of the OU is too long, so you cannot see the ExtendedRightHolders part of the command result (I can see ... in the result).

    You can try to copy and paste the result from the first screenshot to check it.

    Or you can export the result from the first screenshot to a txt file to check it.

    1. Please check if you can see the LAPS password via the command Get-LapsADPassword -Identity ComputerName -AsPlainText

    Note: replace ComputerName with the name of one machine in the OU.

    2. Please check if you have configured the password policy within a GPO and linked the GPO to the OU.

    References:

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/windows-laps-troubleshooting-guidance

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou


  2. Franz Schenk 341 Reputation points
    2024-03-01T09:24:17.8066667+00:00

    Hello @daisy zhou, thank you for your reply.

    • The output from "Find-LapsADExtendedRights" is exactly as shown in the screenshot. There is no more information, even if I copy the entire content of the PowerShell window.

    ObjectDN


    OU=LAPS-Pilotserver,OU=WSUS_AutoUpdate_W3_Tuesday,OU=Servers,OU=Computers,OU=Company_CH,OU=Company,DC=bim3110,DC=Company,D...

    PS C:\Windows\system32>

    • I checked several times that the new LAPS GPO is applied successfully on the systems of the OU "LAPS-Pilotserver"
    • Get-LapsADPassword -Identity ComputerName -AsPlainText works, but shows the password and the last password change from the legacy LAPS solution

    There must be a conflict between the legacy and the new LAPS. As I wrote, I periodically get this 10024 event "LAPS policy is configured as disabled." on the DCs. And unfortunately, the Microsoft troubleshooting guide that you mentioned does not have one word about this event.

    I have also verified that no old LAPS GPO is applied to the DCs or to the LAPS pilot systems, and I have also removed the legacy LAPS password solution software from all these systems.

    Thank you in advance for any further advice.

    Franz


  3. Franz Schenk 341 Reputation points
    2024-03-04T15:26:43.1633333+00:00

    I was able to solve the problem: the test system was on an old patch level, November 2022. The new LAPS was introduced mid-2023.

    [screenshot: birappl18]

    What I still can't understand, and what led me down the wrong troubleshooting path, is that Find-LapsADExtendedRights still doesn't show "Domain Admins" in its result.

    [screenshot: find-laps]

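The root cause in the last post was the endpoint, not AD: a host patched to November 2022 predates the Windows LAPS feature (it arrived in the April 2023 cumulative updates), so it has no LAPS module and no client-side extension, and nothing ever writes the new msLAPS-* attributes. The following added PowerShell example, which is not part of the original thread, is the check a practitioner would run before touching AD permissions again: confirm the module is present, look at what the client has actually logged (the 10003/10004 and 10024 events mentioned above), trigger a policy cycle, and then tell a legacy-LAPS password apart from a Windows LAPS one through the Source property that Get-LapsADPassword returns. The computer name "birappl18" is taken from the thread's screenshot caption; the event IDs are the ones the question reports.

```powershell
# Added example, not from the original thread. Parts 1 to 3 run on the pilot
# server itself; part 4 runs from any host that has the LAPS module and can
# reach a DC. Assumed name: the computer "birappl18" from the thread.

# 1. Is the inbox Windows LAPS module present at all? Without it the host is
#    below the April 2023 update level and the rest of the checks are moot.
$laps = Get-Module -ListAvailable -Name LAPS
if (-not $laps) {
    Write-Warning 'Windows LAPS module not found: this host predates the April 2023 cumulative update. Patch it before troubleshooting AD.'
}
# Most recent updates, to compare against the date the LAPS GPO was introduced.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 3 HotFixID, InstalledOn

# 2. What has the client actually logged? Event IDs as reported in the question:
#    10003/10004 = policy processing succeeded, 10024 = policy configured as disabled.
$ids = 10003, 10004, 10024
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Id = $ids } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object Count, Name

# 3. After fixing patch level or GPO, force a policy cycle and read the newest events.
if ($laps) {
    Invoke-LapsPolicyProcessing
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational' } -MaxEvents 5 |
        Select-Object TimeCreated, Id, Message
}

# 4. From a management host: where does the password AD hands back come from?
#    Get-LapsADPassword reads both the legacy ms-Mcs-AdmPwd attribute and the
#    new msLAPS-* attributes and names the origin in the Source property, which
#    is how the "it shows the legacy password" symptom in the thread is detected.
$entry = Get-LapsADPassword -Identity 'birappl18' -AsPlainText   # assumption: pilot server name
switch -Wildcard ($entry.Source) {
    'LegacyLaps*' {
        Write-Warning ("Only a legacy LAPS password is stored (last update {0}); " +
                       "the Windows LAPS CSE has not written anything yet." -f $entry.PasswordUpdateTime)
    }
    'Encrypted*'  { "Windows LAPS password (encrypted), updated $($entry.PasswordUpdateTime), expires $($entry.ExpirationTimestamp)" }
    'Cleartext*'  { "Windows LAPS password (cleartext), updated $($entry.PasswordUpdateTime), expires $($entry.ExpirationTimestamp)" }
    default       { "Unexpected Source value: $($entry.Source)" }
}
```

If part 1 warns and part 4 reports a LegacyLaps* source, the AD side is irrelevant until the host is patched; a successful Windows LAPS cycle shows up as a Cleartext* or Encrypted* source with a fresh PasswordUpdateTime.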
