new LAPS doesn't show client computer local password

Anonymous
2024-02-09T06:24:13+00:00

Hi All,

I face an issue when deploying the latest LAPS on DC. I have 2 DCs in my environment: the DC with FSMO running Server 2019 Std, and the other one running Server 2022 Datacenter. I've now managed to see LAPS under administrator template > system after copying LAPS.admx and LAPS.adml to the C:\windows\sysvol\domain\policies\policydefinitions folder & en-us, and created a GPO as attached. Any help would be appreciated.

I ran the following on the Server 2022 DC, and I checked in ADUC client computer account property > Attribute Editor - I see all the attributes with LAPS listed there, but in ADUC client computer account property > LAPS I don't see any password listed there.

```powershell
ipmo LAPS
gcm -Module LAPS
Update-LapsAdSchema
update-LapsAdSchema -Verbose
```

Questions:

  • Do I need to extend the Active Directory schema on all DCs?

I read the documentation that I need to have my Server 2022 DC to have April 2023 Update & Windows Server 2016 Domain Functional Level first, also all DC need to otherwise it will throw an error, but I need to fix 0x80070643 error first

Best Regards,

Keith

This question was migrated from the Microsoft Support Community.

1 answer

  1. Anonymous
    2024-02-12T03:20:10+00:00

    Hello keith li_1210,

    Thank you for posting in Microsoft Community forum.

    Did you configure legacy Microsoft LAPS side-by-side with Windows LAPS?

    If so, did you configure Windows LAPS and the legacy LAPS to manage different local accounts on the same domain machine?

    Is it supported to run legacy Microsoft LAPS side-by-side with Windows LAPS?

    Yes, this scenario is supported with the following conditions. A new Windows LAPS policy must be configured, and you must take care to configure Windows LAPS and the legacy LAPS to manage different local accounts.

    Windows LAPS frequently asked questions | Microsoft Learn

    do i need to extend active directory schema on all DC

    A1: No, you need to extend active directory schema on one DC (on DC with schema master role, you can check which DC holds the schema master by running netdom query fsmo).

    I read the documentation that I need to have my Server 2022 DC to have April 2023 Update & Windows Server 2016 Domain Functional Level first, also all DC need to otherwise it will throw an error, but I need to fix 0x80070643 error first.
    A2: It should generate LAPS password with Clear-text password storage supported below 2016 DFL.

    Domain functional level and domain controller OS version requirements

    If your domain is configured below 2016 Domain Functional Level (DFL), you can't enable Windows LAPS password encryption period. Without password encryption, clients can only be configured to store passwords in clear-text (secured by Active Directory ACLs) and DCs can't be configured to manage their local DSRM account.

    Once your domain reaches 2016 DFL, you can enable Windows LAPS password encryption. However, if you're still running any WS2016 DCs, those WS2016 DCs don't support Windows LAPS and therefore can't use the DSRM account management feature.

    It's fine to use supported operating systems older than WS2016 on your domain controllers as long as you're aware of these limitations.

    Get started with Windows LAPS and Windows Server Active Directory | Microsoft Learn

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

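The points raised in the answer (schema master, domain functional level, legacy LAPS side-by-side) can be checked from a DC in one pass. The script below is an added example, not part of the original thread; it assumes the ActiveDirectory and LAPS modules are installed, and `CLIENT01` is a placeholder computer name.

```powershell
# Added diagnostic sketch; 'CLIENT01' is a placeholder, not a name from the thread.
Import-Module ActiveDirectory, LAPS
$ComputerName = 'CLIENT01'

# 1. The schema is extended once, against the schema master.
"Schema master: $((Get-ADForest).SchemaMaster)"

# 2. Which LAPS attributes exist in the schema (Windows LAPS and legacy LAPS)?
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$wanted = 'msLAPS-PasswordExpirationTime', 'msLAPS-Password',
          'msLAPS-EncryptedPassword', 'ms-Mcs-AdmPwdExpirationTime'
$present = @(foreach ($name in $wanted) {
    if (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)") { $name }
})
"Schema attributes present: $($present -join ', ')"

# 3. Below 2016 DFL, only clear-text storage (protected by AD ACLs) is available.
$dfl2016 = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
$domain  = Get-ADDomain
"Domain mode: $($domain.DomainMode); encryption possible: $($domain.DomainMode -ge $dfl2016)"

# 4. Has the client written anything? Only expiration timestamps are read here,
#    never the password itself.
$expiryAttrs = @($present | Where-Object { $_ -like '*ExpirationTime' })
if ($expiryAttrs.Count -eq 0) {
    'No LAPS expiration attributes in the schema; the schema update has not applied.'
    return
}
$computer = Get-ADComputer $ComputerName -Properties $expiryAttrs
foreach ($attr in $expiryAttrs) {
    $raw = $computer.$attr
    if ($raw) {
        # A value under ms-Mcs-* means the legacy attribute is being written
        # for this machine (the side-by-side case the answer asks about).
        "{0} = {1:u}" -f $attr, [datetime]::FromFileTimeUtc([long]$raw)
    } else {
        "$attr is empty: nothing has been stored in it for $ComputerName"
    }
}

# 5. What Windows LAPS itself reports. Password stays a SecureString and is
#    not selected, so nothing sensitive lands in the console or a transcript.
Get-LapsADPassword -Identity $ComputerName |
    Select-Object ComputerName, Account, Source, ExpirationTimestamp, DecryptionStatus
```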