Hello @Anahaym,
Thank you for posting here.
Based on my knowledge, LAPS automatically randomizes the local administrator password on all domain computers with LAPS activated and changes each password regularly.
1. When we deploy LAPS on the DC successfully for the first time and update the GPO on the client or restart the client, we will get the LAPS corresponding to this client.
2. The LAPS Group Policy Client Side Extension only checks the expiration date that is stored in AD; if the expiration time is reached, LAPS will update on the next GP refresh.
I mean, when the validity period of the password is one year, then the password has been used for one year.
3. Use the LAPS UI to set the expiration time immediately; then LAPS will update on the next GP refresh.
Q1: But last month we got a problem: the password is written to the computer account in AD, but it doesn't work.
A1: Only when it meets the requirements above will it update LAPS.
1. The machine is in the domain environment.
2. The expiration time is reached.
3. The machine can update GPO successfully.
Q2: What are the right Event IDs to troubleshoot LAPS?
A2: From the following links, there are no logs or events on the DC to check.
For more information, we can refer to the links below.
FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 1
https://4sysops.com/archives/faqs-for-microsoft-local-administrator-password-solution-laps/
FAQs for Microsoft Local Administrator Password Solution (LAPS) - Part 2
https://4sysops.com/archives/part-2-faqs-for-microsoft-local-administrator-password-solution-laps/
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
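
The conditions listed in A1 can be checked from the AD side by reading the expiration timestamp that the client-side extension compares against. The PowerShell below is an added example, not part of the original answer; it assumes legacy Microsoft LAPS, which stores that timestamp in the `ms-Mcs-AdmPwdExpirationTime` computer attribute, and the function name, the one-day grace period and the sample values are hypothetical.

```powershell
# Added example. Classifies a computer from the legacy LAPS attribute
# ms-Mcs-AdmPwdExpirationTime (a FILETIME integer stored on the computer object).
function Get-LapsExpiryState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [AllowNull()] $ExpirationFileTime,           # raw attribute value, may be $null
        [datetime] $Now = [datetime]::UtcNow,
        [timespan] $Grace = [timespan]::FromDays(1)  # assumed allowance for one GP refresh cycle
    )
    if (-not $ExpirationFileTime -or [long]$ExpirationFileTime -le 0) {
        $expires = $null
        $state   = 'NeverSet'        # no password has been written for this machine yet
    } else {
        $expires = [datetime]::FromFileTimeUtc([long]$ExpirationFileTime)
        if     ($expires -gt $Now)          { $state = 'Valid' }           # no change expected
        elseif ($Now - $expires -le $Grace) { $state = 'PendingRefresh' }  # changes on next GP refresh
        else                                { $state = 'Overdue' }         # check the client can apply the GPO
    }
    [pscustomobject]@{ Computer = $ComputerName; ExpiresUtc = $expires; State = $state }
}

# Constructed sample values (not real data), evaluated against a fixed clock.
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$samples = @(
    @{ Name = 'PC-VALID';   Value = $now.AddDays(20).ToFileTimeUtc() }
    @{ Name = 'PC-PENDING'; Value = $now.AddHours(-2).ToFileTimeUtc() }
    @{ Name = 'PC-OVERDUE'; Value = $now.AddDays(-45).ToFileTimeUtc() }
    @{ Name = 'PC-NEVER';   Value = $null }
)
$samples | ForEach-Object {
    Get-LapsExpiryState -ComputerName $_.Name -ExpirationFileTime $_.Value -Now $now
} | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory RSAT module and read access
# to the attribute):
# Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' | ForEach-Object {
#     Get-LapsExpiryState -ComputerName $_.Name -ExpirationFileTime $_.'ms-Mcs-AdmPwdExpirationTime'
# }
```

Machines reported as `Overdue` or `NeverSet` are the ones to check for domain membership and Group Policy processing on the client.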