How do I troubleshoot LAPS for one server?

Question

I currently have about 15 servers in my domain. I've installed LAPS on all of them and they all work fine, except one.

This server is in its own OU. On this server I have verified that LAPS is installed correctly, rsop shows that the GPO is being properly applied, and I have run Set-AdmPwdComputerSelfPermission -Identity “OU Name” multiple times with no errors. Verified I set it for the correct OU. Checked the permissions on that device in the OU and SELF has read and write permissions on the ms-MCS permissions.

Yet for some reason when I check the event log I see the AdmPwd error 0x80070032. Could not write changed password to AD.
I've checked net user and the password has not been changed.

How can I troubleshoot where the process is failing?

Answer 1

Hi there,

AdmPwd error 0x80070032 could be due to missing Write permission on ms-MCS-AdmPwdExpirationTime and ms-MCS-AdmPwd attributes of all computer accounts to the SELF built-in account.

To make sure computer accounts can update the password and expiration timestamp of their own built-in Administrator password, we need to add the Write permission on ms-MCS-AdmPwdExpirationTime and ms-MCS-AdmPwd attributes of all computer account to the SELF built-in account. And we can use the following PowerShell to do this:

Set-AdmPwdComputerSelfPermission –Identity ManagedWorkstations –Verbose

Below threads discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue.

Event ID 7 “Could not write the changed password to AD. Error 0x80070032 https://social.technet.microsoft.com/Forums/Lync/en-US/87e06e3f-3678-47f3-a4de-adfc5d34924e/event-id-7-8220could-not-write-changed-password-to-ad-error-0x80070032?forum=winserver8gen

---

--If the reply is helpful, please Upvote and Accept it as an answer–