LAPS: written password doesn't work

Anahaym 471 Reputation points
2021-04-27T07:35:04.577+00:00

We have been using LAPS for more than one year. Everything was working fine, but last month we got a problem: the password is written to the computer account in AD, but it doesn't work. Once I set a new expiration date and restart the computer, it works.
I tried to find any logs in Event Viewer (IDs 12 and 13) on the domain controller but without success. What are the right Event IDs to troubleshoot LAPS?

Thank you!


8 answers

  1. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-04-27T09:31:11.233+00:00

    Hello @Anahaym ,

    Thank you for posting here.

    Based on my knowledge, LAPS automatically randomizes the local administrator password on all domain computers with LAPS activated and changes each password regularly.

    1. When we deploy LAPS on the DC successfully for the first time and update the GPO on the client or restart the client, we will get the LAPS password for this client.

    2. The LAPS Group Policy Client Side Extension only checks the expiration date that is stored in AD; if the expiration time is reached, LAPS will update the password on the next GP refresh.
    I mean that when the validity period of the password is one year, the password is used for one year.

    3. Use the LAPS UI to set the expiration time to now; then LAPS will update the password on the next GP refresh.

    Q1: but last month we got a problem: the password is written to the computer account in AD, but it doesn't work.
    A1: Only if it meets the requirements below will LAPS update the password.

    1. The machine is in the domain environment.
    2. The expiration time is reached.
    3. The machine can update the GPO successfully.

    Q2: What are the right Event IDs to troubleshoot LAPS?
    A2: According to the following links, there are no logs or events on the DC to check.

    For more information we can refer to link below.

    FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 1
    https://4sysops.com/archives/faqs-for-microsoft-local-administrator-password-solution-laps/

    FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 2
    https://4sysops.com/archives/part-2-faqs-for-microsoft-local-administrator-password-solution-laps/

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

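The checks implied by this answer (is there a password in AD, has the expiration time passed, did the client's CSE actually run, and forcing a reset without the LAPS UI), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module, the AdmPwd.PS module that ships with the LAPS installer, permission to read ms-Mcs-AdmPwd, and WinRM access to the client; the parameter names are made up for the example. One caveat the answer does not state explicitly: the legacy LAPS CSE writes its events (source AdmPwd) to the Application log of the managed computer itself, so that is where IDs such as 12 and 13 are found, never on the DC.

```powershell
# Added example (not from the original thread): inspect the legacy LAPS state of one
# computer from the AD side, then pull the LAPS CSE events from that computer's own
# Application log. Assumes the ActiveDirectory module, the AdmPwd.PS module from the
# LAPS installer, permission to read ms-Mcs-AdmPwd, and WinRM to the client.
param(
    [Parameter(Mandatory)][string]$ComputerName,   # hypothetical: the affected client
    [switch]$ForceReset                             # hypothetical: expire the password now
)
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

# 1. What AD holds: the password attribute and the expiration timestamp.
#    ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
$comp = Get-ADComputer -Identity $ComputerName -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$expires = if ($comp.'ms-Mcs-AdmPwdExpirationTime') {
    [DateTime]::FromFileTimeUtc([int64]$comp.'ms-Mcs-AdmPwdExpirationTime')
} else { $null }

[pscustomobject]@{
    Computer     = $comp.Name
    PasswordInAD = [bool]$comp.'ms-Mcs-AdmPwd'
    ExpiresUtc   = $expires
    Expired      = ($null -ne $expires) -and ($expires -lt [DateTime]::UtcNow)
} | Format-List

# 2. Only the CSE on the client logs LAPS activity (provider "AdmPwd", Application log);
#    the DC never does. Pull the last day of events. IDs per the legacy LAPS operations
#    guide (verify against your version): 5 = processing started, 12 = local password
#    changed, 13 = password reported to AD, 15 = finished successfully. An Error-level
#    event between 5 and 15 is the failure to chase.
$since = (Get-Date).AddDays(-1)
$events = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param($since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd'; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
} -ArgumentList $since
$events | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap

# 3. The same fix the question describes, done from PowerShell instead of the LAPS UI.
#    Reset-AdmPwdPassword only rewrites the expiration time in AD; the client changes the
#    password on its next Group Policy refresh, so force one.
if ($ForceReset) {
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective (Get-Date)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock { gpupdate.exe /target:computer /force | Out-Null }
}
```

Run it as a user who holds read rights on ms-Mcs-AdmPwd (ordinary domain users only see the expiration time). If step 1 shows a password and a future expiration but step 2 shows an Error event instead of a 15, the CSE wrote to AD and then failed locally, which matches the symptom in the question; if step 2 returns nothing at all, the CSE never ran on that client and the GPO or the CSE install is the place to look.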

  2. Anahaym 471 Reputation points
    2021-04-27T09:41:32.243+00:00

    Hi Daisy Zhou,
    thank you for your answer, but all the requirements above are met. Here is the order:

    1. newly imaged computer
    2. LAPS is installed by BigFix, the endpoint management software platform
    3. the local admin is created by BigFix as well
    4. the GPO applies the LAPS configuration (password complexity and 3-month expiration)
    5. the local admin password is written to the AD object, which means LAPS works
    6. the local admin password is incorrect
    7. I set a new expiration date, which fixes the issue

    Question: why is the newly created password incorrect?


  3. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-04-28T05:28:54.397+00:00

    Hello @Anahaym ,

    I am so glad to receive your reply.

    Here is my test in my lab, and I think this can explain the situation you mentioned.

    "local admin password is written to the AD object - that means the LAPS works"

    1. Now you can use the automatically generated LAPS password to log in to the client, but after logging in, the local Administrator can reset the local administrator's password to any other custom password that complies with the password policy.
    2. After resetting the password, log out of the computer, and the user can use the new customized password to log in to the client (at this time, the LAPS password assigned by AD cannot be used to log in, and the reset password will not be displayed in the AD computer account properties).
    3. If this machine needs to be managed, we need to manually reset the LAPS password on the domain controller or wait for the expiration time to reset the password automatically, and then the new LAPS password can be used to log in (this is what you do in step 7).

    Summary: For machines in the domain, the local administrator can still manually reset the local administrator password through the local management tool, but the new password will not be reflected in the computer object in AD. At this time, you can only log in with the reset password.
    If you manually reset the LAPS password on the domain controller (set a new expiration date manually) or wait for the LAPS password expiration time to reset the LAPS password automatically, the system reassigns a password that complies with the password policy, and after that you can log in with the new LAPS password.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

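A way to test the explanation above on the affected client instead of in a lab, as an added PowerShell example that is not part of the original thread: validate the password LAPS wrote to AD against the local SAM, read when the local account's password was actually last set, and, if the two disagree, find the Security events that record who reset it. It assumes you run it on the client with local admin rights, that you know the managed account name from the LAPS GPO, and that you have already read ms-Mcs-AdmPwd from AD (for example with Get-AdmPwdPassword); both parameter names are made up for the example.

```powershell
# Added example (not from the original thread): run on the affected client to find out
# whether the password LAPS wrote to AD still matches the local account and, if not,
# who changed it. Assumes local admin rights (needed to read the Security log) and the
# managed account name configured in the LAPS GPO.
param(
    [Parameter(Mandatory)][string]$AccountName,   # hypothetical: account name from the LAPS GPO
    [Parameter(Mandatory)][string]$AdPassword     # the value of ms-Mcs-AdmPwd read from AD
)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# 1. Does the AD-stored password validate against the local SAM? A $false here while a
#    password is present in AD is exactly the symptom in the question. ValidateCredentials
#    against the Machine context performs a real local logon check, no interactive session needed.
$ctx   = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine', $env:COMPUTERNAME)
$valid = $ctx.ValidateCredentials($AccountName, $AdPassword)

# 2. When was the local password last set, and is the account enabled at all?
$local = Get-LocalUser -Name $AccountName -ErrorAction Stop
[pscustomobject]@{
    Account         = $AccountName
    AdPasswordValid = $valid
    Enabled         = $local.Enabled
    PasswordLastSet = $local.PasswordLastSet
} | Format-List

# 3. If it does not validate, look for password resets of that account in the last 30 days.
#    Security 4724 = password reset by another principal, 4723 = user changed own password.
#    The LAPS CSE itself produces a 4724 with SubjectUserName SYSTEM when it rotates the
#    password; a later 4724/4723 from any other actor is the change that broke the AD copy.
if (-not $valid) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724, 4723; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is only exposed as XML; flatten the Name/#text pairs into a hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Target = $d['TargetUserName']
                Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        } |
        Where-Object { $_.Target -eq $AccountName } |
        Sort-Object Time | Format-Table -AutoSize
}
```

If PasswordLastSet is later than the time LAPS last reported to AD and the only actor in step 3 is SYSTEM, the local set itself failed rather than someone resetting it afterwards, which is the case worth raising with the CSE logs; if a non-SYSTEM actor appears, the answer above is the explanation, and the 4724 tells you which account or tool (BigFix's account, in the setup the question describes) did it.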

  4. Anahaym 471 Reputation points
    2021-04-28T14:56:11.833+00:00

    Hello Daisy Zhou,

    "Now you can use the automatically generated LAPS password to log in to the client"

    No, I can't log in, because the password is incorrect.
    I don't need to reset the LAPS password, but I need to understand why the LAPS password is incorrect, although it was written to AD.


  5. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-04-29T09:04:01.957+00:00

    Hello @Anahaym ,

    I am so glad to receive your reply.

    Because someone reset the local Administrator password.

    [Screenshot: 92596-reset.png]

    For example, we reset the password to 123; 123 is not reflected in AD, and you cannot log on to this machine with the LAPS password from AD, you can only log on to this machine with the password 123.

    You can test it on one of your test domain-joined machines as I mentioned above.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
