LAPS - Issues if password manually changed on Client & permissions

raja waseem 51 Reputation points

LAPS was deployed successfully on a few PCs under one OU, and initially setting the clients' local administrator password was successful.
But there are 2 things causing issues:

1- PC1's password was set through LAPS, but the logged-in user changed the password to 1234, so that will not be replicated to AD and LAPS keeps showing the old password while the PC only logs in with password 1234 ...
I did a password expiry immediately through LAPS, but the password is still not updated on the client machine even after gpupdate and a reboot.
Is there any way to overcome this? How can I know what password is currently set for the clients?

2- LAPS is installed on one of the servers (not on a DC) ... how do I give the technical team users access to manage LAPS without providing access to the management server?


3 answers

  1. Limitless Technology 39,436 Reputation points

    Hello Raja,

    1. To know the password:

    First load the LAPS PowerShell module on the management server and run

    Get-AdmPwdPassword -ComputerName "targethostname"

    2. For delegating LAPS rights:

    Delegate rights to an AD user or group to view the password and reset time attributes.

    On the computer that the LAPS management utilities are installed on, open a PowerShell prompt with an account that has Domain Admin rights.
    Run the command to import the LAPS PowerShell module:
    Import-Module AdmPwd.PS
    Run the command to delegate read access to a specific user or group. Replace "OU Name" with the name of the OU that the user or group will be able to read the attributes for. Replace "User or Group Name" with the name of the user or group that will be delegated the read permission. Multiple users or groups can be specified in a comma-separated list.
    Set-AdmPwdReadPasswordPermission -Identity "OU Name" -AllowedPrincipals "User or Group Name"

    Hope it helps! Don't forget to vote if useful or mark as an answer if it resolved your query!

    Best regards,
    Luis P

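The delegation and lookup steps above, put together as one script to run on the management server. This is an added example, not code from the answer; it assumes the legacy LAPS management tools (the AdmPwd.PS module) and the ActiveDirectory RSAT module are installed, and the OU path, group name and computer name are placeholders. It also adds two checks a practitioner would want before handing out access: an audit of who can already read the password attribute in that OU (principals holding "All extended rights" can read it without any explicit LAPS delegation), and a report of computers whose stored expiry has already passed, which is exactly the symptom in the question.

```powershell
# Added example (not from the answer above). Requires the AdmPwd.PS module
# (legacy LAPS management tools) and the ActiveDirectory module.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$Ou       = 'OU=Workstations,DC=corp,DC=example'   # placeholder: OU holding the LAPS-managed PCs
$Group    = 'CORP\LAPS-Readers'                     # placeholder: technical team group
$Computer = 'PC1'                                   # placeholder: the machine from the question

# 1. Delegate read of the password and (separately) the right to expire it.
#    Reset rights only let the group set the expiry; the client agent does the actual rotation.
Set-AdmPwdReadPasswordPermission  -Identity $Ou -AllowedPrincipals $Group
Set-AdmPwdResetPasswordPermission -Identity $Ou -AllowedPrincipals $Group

# 2. Audit who can read the password attribute in this OU. Anything here that
#    is not Domain Admins / SYSTEM / your intended group should be removed.
Find-AdmPwdExtendedRights -Identity $Ou |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 3. Read what AD currently holds for one computer (password + expiry timestamp).
Get-AdmPwdPassword -ComputerName $Computer

# 4. Report every computer in the OU whose stored expiry is already in the past.
#    A client that is past expiry but never rotates points at a client-side
#    problem: GPO not applied, client CSE not installed, or the policy names a
#    local account that does not exist on that machine.
$nowUtc = (Get-Date).ToUniversalTime()
Get-ADComputer -SearchBase $Ou -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'      # stored as a FILETIME (int64)
        $expiry = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
        [pscustomobject]@{
            Computer = $_.Name
            Expiry   = $expiry
            State    = if (-not $expiry) { 'never rotated' }
                       elseif ($expiry -lt $nowUtc) { 'OVERDUE' }
                       else { 'ok' }
        }
    } | Sort-Object State -Descending | Format-Table -AutoSize

# 5. Force rotation at the next policy refresh. This is what "expire now" does:
#    it only rewrites the expiry in AD; the client must still apply policy.
Reset-AdmPwdPassword -ComputerName $Computer -WhenEffective (Get-Date)
```

Step 5 explains the behaviour reported in the question: expiring the password only changes the AD attribute, so if the client agent never runs (or fails), AD keeps showing the old password while the local account has whatever was set on the machine.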

  2. raja waseem 51 Reputation points

    Thanks for the reply.

    2- It's clear

    1- So when the GPO is deployed, does it set the password on the client? And do we need to reboot the client machine to set the password through LAPS?


  3. Limitless Technology 39,436 Reputation points

    Hi @raja waseem

    Sorry I missed that part on point 1.

    What I posted, was to "get" the current password on a specific machine, so you can track the change.

    About the password not being updated/expired: since LAPS is GPO based, it could be a policy application or policy update issue. That highly depends on how your GPO settings are configured, but it is a good point to start checking. Does it happen on a few clients or on all clients?

    Another option to troubleshoot it is to look for events from the "AdmPwd" source in the Application event log, on both the client and the server.

    It could also be that not all your computers use the same admin account (for example, on one it is the built-in "Administrator", on another AdmLaptops, or similar), but by default LAPS is set up to manage only the built-in Administrator account. Otherwise, I would recommend setting a new admin account name homogeneously across the environment and changing the policy "Name of the administrator account to manage".

    Check the installation on the failing clients if it was deployed using the policy Computer Configuration -> Policies -> Software Settings -> right-click Software Installation and click New -> Package, as some might not have installed correctly.

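The client-side checks this answer suggests (is the client component installed, did the policy apply, does the managed account match, what do the AdmPwd events say), as one script to run on a failing client. This is an added example, not the answer's own code; it assumes the legacy LAPS client (AdmPwd.dll and its policy key under Microsoft Services\AdmPwd) and an elevated PowerShell session. It also compares the local account's PasswordLastSet to the policy, which is the quickest way to spot the question's scenario where a user changed the password locally.

```powershell
# Added example (not from the answer above). Run elevated on the client that
# is not rotating its password.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$p = $null

# 1. Is the LAPS client-side extension installed at all? The software
#    installation policy may have failed silently on some machines.
$csePresent = Test-Path "$env:SystemRoot\System32\AdmPwd.dll"
"LAPS CSE installed : $csePresent"

# 2. Has the GPO actually applied? The policy key only exists after a
#    successful policy refresh; missing key = scope/filtering/replication issue.
if (Test-Path $PolicyKey) {
    $p = Get-ItemProperty $PolicyKey
    "AdmPwdEnabled      : $($p.AdmPwdEnabled)"
    "AdminAccountName   : $($p.AdminAccountName)"   # empty = built-in Administrator (RID 500)
    "PasswordAgeDays    : $($p.PasswordAgeDays)"
} else {
    "No LAPS policy applied on this machine (key $PolicyKey missing)."
}

# 3. Does the account the policy names exist locally? If the policy says
#    'AdmLaptops' but this PC only has 'Administrator', nothing gets rotated.
$target = if ($p -and $p.AdminAccountName) {
    $p.AdminAccountName
} else {
    (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Name
}
$acct = Get-LocalUser -Name $target -ErrorAction SilentlyContinue
if ($acct) {
    # PasswordLastSet later than the last LAPS rotation means someone changed
    # it by hand on the machine; AD will still hold the old LAPS value.
    $acct | Select-Object Name, Enabled, PasswordLastSet | Format-List
} else {
    "Managed account '$target' does not exist on this machine."
}

# 4. Recent AdmPwd events in the Application log: success shows the password
#    being set and written back to AD, errors show why it did not.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize
```

If step 2 shows the key missing, start with gpresult /r on the client to confirm the GPO is in scope; if step 3 shows a PasswordLastSet newer than the expiry stored in AD, the local change in the question has happened and only a successful client rotation (next policy refresh after the expiry is set) will bring AD back in sync.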