
LAPS Implementation on a custom Account

JOYLEEN JEBET 0 Reputation points
2026-03-02T12:37:31.25+00:00

I recently deployed ManageEngine's Endpoint Central and configured it to remove local admin accounts. Since we still need a local admin account to join computers to the domain when they lose trust, I created an account from Endpoint Central and added it to the Administrators group. To manage this account, we opted for LAPS, to avoid its password being shared among administrators. The problem is that the account is present on the computers, but in the LAPS tab it is populated for some computers and still blank for others. Also, when I try to log in using the LAPS-generated password, it fails but accepts the previous password, despite multiple gpupdate /force attempts. What could be causing this?
Please note, we are using the built-in LAPS.

Windows for business | Windows Server | Directory services | Active Directory

1 answer

  1. Kate Pham (WICLOUD CORPORATION) 585 Reputation points Microsoft External Staff Moderator
    2026-03-03T03:56:26.83+00:00

    Hi Joyleen Jebet,

    Thank you for reaching out to the Microsoft Q&A community, and I wish you a good day!

    Allow me to address your concerns in the answer below. There are several possible causes for the issues you're experiencing:

    1. Password Attribute Blank in LAPS Tab:
      • This can occur if the password validation fails against the local password policy. If the domain password policy is stricter than the LAPS policy (e.g., requiring more complexity or longer passwords), LAPS may not generate a password that meets the requirements, resulting in blank attributes.
      • Ensure that the LAPS password complexity and length settings match or exceed the domain/local password policy. For example, if the domain requires a minimum length of 14 characters and complexity, LAPS must be configured to generate passwords with at least 14 characters that include uppercase letters, lowercase letters, numbers, and special characters.
    2. Login Fails with LAPS Password, Accepts Previous Password:
      • This can happen if the computer has lost its secure channel with the domain (trust relationship failed) and the registry has reverted to an older state (e.g., after a snapshot or system restore). The password stored in the registry may not match the current password in AD, so the LAPS password in AD is not valid for login.
      • In such cases, the computer tries to authenticate with the old password, leading to login failures with the LAPS password. You may need to re-establish the secure channel or reset the computer account in the domain.
    3. Account Not Managed by LAPS:
      • If the account name configured in LAPS policy does not match the actual administrator account name on the computer, LAPS will not manage the password for that account. Double-check that the account name in the LAPS policy matches the account created by Endpoint Central.

    Workarounds to refer:

    • Align LAPS password settings with domain/local policy requirements.
    • Ensure the account name in LAPS policy matches the actual account.
    • Re-establish secure channel for computers with trust issues.
    • Run gpupdate /force and check event logs for errors related to password policy or account name mismatches.

    I hope this helps. If you believe this information adds some value, please accept the answer so that your experience with the issue can help contribute to the whole community.

    T&R,

    Kate.

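The checks in the answer above (policy account name versus the real local account, password policy values, secure channel, LAPS event log, and whether AD actually holds a current password) can be run in one pass. The script below is an added example written for this page; it is not code from the original thread, from Microsoft, or from ManageEngine. It assumes the built-in Windows LAPS PowerShell module (`LAPS`) on a client with the 2023 or later LAPS updates, and the RSAT `ActiveDirectory` module plus LAPS read rights on the admin workstation. The account name `EC-LocalAdmin` and the computer name `PC01` are placeholders, not names taken from the post.

```powershell
# Added example for the thread above (not the original poster's or Microsoft's code).
# Part 1 runs elevated on an affected client; Part 2 runs from an admin workstation.
# "EC-LocalAdmin" and "PC01" are assumed placeholder names.

# ---- Part 1: run elevated on the affected client -------------------------------------
function Test-LapsClientState {
    param([string]$ExpectedAccount = 'EC-LocalAdmin')   # assumed name of the Endpoint Central account

    # Windows LAPS reads its effective policy from this key; no key means the GPO never applied here.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    if (-not $policy) {
        return [pscustomobject]@{ PolicyApplied = $false; Verdict = 'No Windows LAPS policy on this client' }
    }

    # An unset AdministratorAccountName means LAPS manages the built-in RID-500 Administrator,
    # not the account Endpoint Central created, which by itself leaves the tab blank for that account.
    $managed = if ($policy.AdministratorAccountName) { $policy.AdministratorAccountName } else { $null }

    # Leftover legacy (AdmPwd) policy is worth knowing about when two account names disagree.
    $legacy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue

    $localAdmins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.Split('\')[-1] }
    $localUser = Get-LocalUser -Name $ExpectedAccount -ErrorAction SilentlyContinue

    # BackupDirectory: 0 = disabled, 1 = Microsoft Entra ID, 2 = Active Directory.
    $backup = switch ($policy.BackupDirectory) { 2 { 'AD' } 1 { 'EntraID' } default { 'Disabled' } }

    # Force a processing cycle instead of waiting for the next refresh, then read the
    # LAPS operational log: backup and policy failures are logged here, not in System.
    Invoke-LapsPolicyProcessing
    $events = Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        PolicyApplied         = $true
        BackupDirectory       = $backup
        ManagedAccountName    = $managed
        LegacyAdmPwdAccount   = $legacy.AdminAccountName
        ExpectedAccountExists = [bool]$localUser
        ExpectedIsLocalAdmin  = ($localAdmins -contains $ExpectedAccount)
        NameMatchesPolicy     = ($managed -eq $ExpectedAccount)
        PasswordLength        = $policy.PasswordLength
        PasswordComplexity    = $policy.PasswordComplexity
        LocalPasswordLastSet  = $localUser.PasswordLastSet
        SecureChannelOK       = (Test-ComputerSecureChannel)
        RecentLapsEvents      = $events
    }
}

# ---- Part 2: run from an admin workstation that may read the LAPS password -------------
function Compare-LapsPassword {
    param(
        [string]$ComputerName = 'PC01',
        [datetime]$LocalPasswordLastSet      # value of LocalPasswordLastSet from Part 1
    )
    Import-Module LAPS
    # -AsPlainText needs you to be an authorized decryptor if the password is stored encrypted.
    $ad = Get-LapsADPassword -Identity $ComputerName -AsPlainText -ErrorAction SilentlyContinue
    if (-not $ad -or -not $ad.Password) {
        return 'AD holds no LAPS password for this computer: the client never backed one up'
    }
    # If the local account was reset after LAPS wrote to AD, the AD copy is stale: the LAPS tab
    # shows a password that no longer works while an older one still does.
    if ($LocalPasswordLastSet -gt $ad.PasswordUpdateTime) {
        return "Local password changed at $LocalPasswordLastSet, after LAPS last backed up at " +
               "$($ad.PasswordUpdateTime); something reset '$($ad.Account)' after LAPS did"
    }
    return "AD password for '$($ad.Account)' is current (updated $($ad.PasswordUpdateTime), expires $($ad.ExpirationTimestamp))"
}

# Usage, on the client:      $state = Test-LapsClientState -ExpectedAccount 'EC-LocalAdmin'; $state
# Usage, on the admin box:   Compare-LapsPassword -ComputerName 'PC01' -LocalPasswordLastSet $state.LocalPasswordLastSet
```

Read the Part 1 output in this order: `NameMatchesPolicy` false explains a blank tab for the Endpoint Central account; `BackupDirectory` not `AD` means nothing is written to the directory at all; `SecureChannelOK` false calls for `Test-ComputerSecureChannel -Repair -Credential (Get-Credential)` before anything else. Two checks the answer does not mention but that commonly produce a blank tab on only some computers: the OU containing those computers must grant the computer object self-write on the LAPS attributes (`Set-LapsADComputerSelfPermission -Identity 'OU=...'`, inspect with `Find-LapsADExtendedRights`), and a management tool that resets or recreates the same account after LAPS rotates it will make the AD value stale, which Part 2 detects by comparing the two timestamps.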
