LAPS Troubleshooting

Let’s walk through setting up Microsoft LAPS (Local Administrator Password Solution) in an Active Directory (AD) environment and address common troubleshooting scenarios. I’ll focus on Windows LAPS, since Microsoft has superseded the legacy LAPS package and recommends Windows LAPS, which has been built into Windows 10, Windows 11 and Windows Server 2019/2022 since the April 2023 cumulative updates. I’ll provide a step-by-step setup guide, followed by troubleshooting tips for common issues. This will be practical, detailed, and tailored for an AD domain environment, assuming you’re an IT admin with access to a domain controller and client devices.


Setting Up Windows LAPS in Active Directory

Prerequisites

Before starting, ensure you have:

  • A Windows domain environment. The Windows Server 2016 Domain Functional Level (DFL) or higher is required for password encryption; everything else works at lower levels.
  • Admin access to a domain controller (for schema updates and permissions). The schema update specifically needs Schema Admins membership.
  • Client devices running Windows 10 (20H2 or later), Windows 11, or Windows Server 2019/2022, with the April 2023 (or later) cumulative update installed, which is what ships the Windows LAPS component.
  • PowerShell 5.1 or later on the admin machine, with the LAPS module (present on any OS carrying the same update) and the ActiveDirectory RSAT module for the checks below.
  • A test OU (Organizational Unit) with a few computer objects to apply the policy initially.

Step 1: Extend the Active Directory Schema

Windows LAPS requires new attributes in AD to store passwords and metadata. You need to extend the schema, which is a one-time, forest-wide operation: the new attributes appear in every domain of the forest.

  1. Log in to a Domain Controller:
  • Use an account that is a member of Schema Admins and Enterprise Admins.
  • Open PowerShell as Administrator.
  2. Run the Schema Update:
  • Use the LAPS PowerShell module, which is built into supported Windows versions.
  • Run the following command:
    Update-LapsADSchema -Verbose
  • This adds attributes such as msLAPS-Password, msLAPS-EncryptedPassword, msLAPS-PasswordExpirationTime and msLAPS-EncryptedPasswordHistory to the computer class.
  • If successful, you’ll see no errors. If you encounter permission issues, ensure your account is in Schema Admins and that the schema master FSMO role holder is reachable; the update is applied there.
  3. Verify the Schema Update:
  • Open Active Directory Schema (requires the Active Directory Schema snap-in to be registered: regsvr32 schmmgmt.dll).
  • Check for the new msLAPS- attributes under the computer class.

Step 2: Set Permissions in Active Directory

LAPS requires specific permissions for computers to update their own passwords and for admins to read them.

  1. Grant Computers Permission to Update Their Passwords:
  • Computers need the “SELF” permission to write to their own LAPS attributes.
  • Run this PowerShell command, replacing the OU path with your target OU:
    Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=yourdomain,DC=com"
  • This allows each computer in the specified OU (and its child OUs) to update its own msLAPS- attributes, and nobody else’s.
  2. Grant Admins Permission to Read Passwords:
  • The password attributes are confidential, so only principals holding the extended right (by default those with Full Control over the computer objects, such as Domain Admins) can read them. Delegate read access to a dedicated group (e.g., “IT_Admins”) rather than using Domain Admins day to day.
  • Run:
    Set-LapsADReadPasswordPermission -Identity "OU=Workstations,DC=yourdomain,DC=com" -AllowedPrincipals "yourdomain\IT_Admins"
  • If you enable password encryption (Step 3), there is no separate AD permission for decryption: the group named in the ADPasswordEncryptionPrincipal policy setting is the only one that can decrypt, and it still needs the read right above in order to fetch the ciphertext.

Step 3: Create and Configure a Group Policy Object (GPO)

LAPS settings are deployed via Group Policy to manage client devices.

  1. Open Group Policy Management:
  • On a domain controller or an admin workstation with RSAT, open the Group Policy Management Console (gpmc.msc). Do not use gpedit.msc: that edits the local policy of the machine you are sitting on, not a domain GPO.
  2. Create a New GPO:
  • Right-click your target OU (e.g., “Workstations”) and select “Create a GPO in this domain, and Link it here.”
  • Name it, e.g., “LAPS Policy.”
  3. Edit the GPO:
  • Right-click the GPO and select “Edit.”
  • Navigate to: Computer Configuration > Policies > Administrative Templates > System > LAPS.
  • Configure the following settings (the registry value the template writes is given in brackets; all of them land under HKLM\Software\Microsoft\Policies\LAPS on the client):
    • Configure password backup directory [BackupDirectory]: set to “Active Directory” (value 2). This is the setting that turns Windows LAPS on; unlike legacy LAPS there is no separate “Enable local admin password management” switch.
    • Password Settings [PasswordComplexity, PasswordLength, PasswordAgeDays]: configure complexity (e.g., 4 for upper case, lower case, numbers and symbols), length (e.g., 14), and age (e.g., 30 days).
    • Name of administrator account to manage [AdministratorAccountName]: specify the local admin account to manage (e.g., “LocalAdmin”). If blank, it defaults to the built-in Administrator (RID 500), which is found even if it has been renamed. A custom account must already exist on the clients; this policy rotates it, it does not create it.
    • Enable password encryption [ADPasswordEncryptionEnabled]: set to “Enabled” (requires 2016 DFL).
    • Configure authorized password decryptors [ADPasswordEncryptionPrincipal]: set to “yourdomain\IT_Admins” (the group allowed to decrypt passwords). If left blank, only Domain Admins can decrypt.
  4. Apply the GPO:
  • Ensure the GPO is linked to the correct OU.
  • Run gpupdate /force on a client device to apply the policy immediately, or wait for the next Group Policy refresh (typically 90 minutes plus a random offset).

Step 4: Verify LAPS Functionality on Client Devices

  1. Check Policy Application:
  • On a client device in the OU, run:
    gpupdate /force
  • Verify the policy applied by checking the Event Viewer under Applications and Services Logs > Microsoft > Windows > LAPS > Operational. Look for event 10018 (password successfully backed up to Active Directory); error events in the same log name the AD write or permission failure.
  2. Retrieve the Password:
  • On an admin machine, use PowerShell to retrieve the password:
    Get-LapsADPassword -Identity "ComputerName" -AsPlainText
  • Replace “ComputerName” with the name of the client device. Without -AsPlainText the cmdlet returns the password as a SecureString; decryption happens either way and only succeeds if you are a member of the ADPasswordEncryptionPrincipal group (IT_Admins here). The output also shows Source (EncryptedPassword or ClearTextPassword) and DecryptionStatus, which tell you at a glance whether encryption is actually in effect.
  • Alternatively, open Active Directory Users and Computers (ADUC) on a machine with the updated RSAT, and check the “LAPS” tab on the computer object.
  3. Test Local Login:
  • Use the retrieved password to log into the device locally as the specified admin account (e.g., “LocalAdmin”). Once you have used a password, expire it (Set-LapsADPasswordExpirationTime against the computer object) so the client rotates it on its next cycle instead of leaving a known password in circulation.
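Here is the whole of Steps 1 to 4 as one PowerShell script, an added example for this article rather than Microsoft’s or the original page’s code. It assumes the names used above (OU=Workstations,DC=yourdomain,DC=com, yourdomain\IT_Admins, the “LAPS Policy” GPO and a LocalAdmin account), that it runs on a DC or RSAT workstation as a Schema Admin and Enterprise Admin, and that the LAPS, ActiveDirectory and GroupPolicy modules are present. It writes the GPO as the registry values the ADMX settings map to, which produces the same object you would build in the editor, and it additionally grants the reader group the reset right so they can expire a password after using it.

```powershell
# Added example: end-to-end Windows LAPS setup (schema, ACLs, GPO, verification).
# Not the original page's or Microsoft's code. The names below are assumptions from the article.
#Requires -Modules LAPS, ActiveDirectory, GroupPolicy
[CmdletBinding()]
param(
    [string]$TargetOU       = 'OU=Workstations,DC=yourdomain,DC=com',  # assumed OU
    [string]$ReaderGroup    = 'yourdomain\IT_Admins',                  # assumed reader/decryptor group
    [string]$GpoName        = 'LAPS Policy',                           # assumed GPO name
    [string]$ManagedAccount = 'LocalAdmin'                             # assumed account; must already exist on clients
)
$ErrorActionPreference = 'Stop'

# Encryption is gated by the *domain* mode, not the forest mode.
$domain        = Get-ADDomain
$dfl2016       = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
$useEncryption = [int]$domain.DomainMode -ge $dfl2016
if (-not $useEncryption) {
    Write-Warning "DFL is $($domain.DomainMode): passwords will be stored in msLAPS-Password (clear text, ACL-protected)."
}

# Step 1: schema, once per forest. Skipped if an msLAPS attribute already exists.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
if (-not (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msLAPS-PasswordExpirationTime)')) {
    Update-LapsADSchema -Verbose
}

# Step 2: computers may write their own attributes; the reader group may read and expire them.
Set-LapsADComputerSelfPermission  -Identity $TargetOU | Out-Null
Set-LapsADReadPasswordPermission  -Identity $TargetOU -AllowedPrincipals $ReaderGroup | Out-Null
Set-LapsADResetPasswordPermission -Identity $TargetOU -AllowedPrincipals $ReaderGroup | Out-Null  # force a rotation after use

# Step 3: the GPO. The ADMX settings are just these registry values under the LAPS policy key.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$key = 'HKLM\Software\Microsoft\Policies\LAPS'
$dwords = [ordered]@{
    BackupDirectory             = 2                   # 2 = Active Directory; this is the on-switch
    PasswordComplexity          = 4                   # upper + lower + digits + symbols
    PasswordLength              = 14
    PasswordAgeDays             = 30
    ADPasswordEncryptionEnabled = [int]$useEncryption
}
foreach ($name in $dwords.Keys) {
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $name -Type DWord -Value $dwords[$name] | Out-Null
}
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName AdministratorAccountName -Type String -Value $ManagedAccount | Out-Null
if ($useEncryption) {
    # Decryption is policy, not an AD ACL: only this principal can decrypt.
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName ADPasswordEncryptionPrincipal -Type String -Value $ReaderGroup | Out-Null
}
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null }

# Step 4 (AD side): who can read, and which computers have backed up a password so far.
# Expires stays empty until a client has run a LAPS cycle (gpupdate /force or Invoke-LapsPolicyProcessing).
Find-LapsADExtendedRights -Identity $TargetOU | Format-Table -AutoSize
Get-ADComputer -SearchBase $TargetOU -Filter * -Properties 'msLAPS-PasswordExpirationTime' |
    Select-Object Name, @{ n = 'Expires'; e = { if ($_.'msLAPS-PasswordExpirationTime') { [DateTime]::FromFileTimeUtc($_.'msLAPS-PasswordExpirationTime') } } } |
    Format-Table -AutoSize
```

The script is idempotent: the schema step is skipped once the attributes exist, the permission cmdlets add the same ACEs again without harm, and the GPO is only created and linked when absent, so it can be re-run after fixing a typo or extending it to a second OU.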

Step 5: Monitor and Maintain

  • Regularly check the LAPS Operational log on clients for error events.
  • Use PowerShell to audit who holds the password read right on an OU (the output lists the extended-right holders per object, which is the list you want to keep short):
  Find-LapsADExtendedRights -Identity "OU=Workstations,DC=yourdomain,DC=com"
  • Turn on auditing of password reads with Set-LapsADAuditing, so each retrieval by the audited principals is recorded as event 4662 on the domain controllers (the “Audit Directory Service Access” subcategory must be enabled on the DCs for the SACL to produce events).
  • Ensure the IT_Admins group is secure (e.g., keep membership minimal, require MFA, and treat membership as highly privileged, since it grants local admin on every managed host).
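A recurring AD-side health check covering the points in Step 5, as an added example that is not part of the original page or of Microsoft’s tooling. It assumes the OU and group names used in the article; the allow-list of expected readers and the three-day grace period are choices made here, not defaults of LAPS.

```powershell
# Added example (not the page's or Microsoft's code): recurring AD-side LAPS health check.
# Assumptions: OU and group names from the article; the allow-list and 3-day grace period are ours.
#Requires -Modules LAPS, ActiveDirectory

function Test-LapsReaders {
    # Report any principal holding the password-read extended right that is not on the allow-list.
    # Find-LapsADExtendedRights returns ObjectDN + ExtendedRightHolders for the OU.
    param(
        [Parameter(Mandatory)][string]$OU,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    Find-LapsADExtendedRights -Identity $OU | ForEach-Object {
        $dn = $_.ObjectDN
        foreach ($holder in $_.ExtendedRightHolders) {
            if ($holder -notin $Allowed) {
                [pscustomobject]@{ ObjectDN = $dn; UnexpectedReader = $holder }
            }
        }
    }
}

function Get-LapsStaleComputer {
    # Enabled computers that never backed up a password, or whose password expired more than
    # $GraceDays ago without being rotated: each one is an Issue 1 case waiting to be triaged.
    # msLAPS-PasswordExpirationTime is not confidential, so this needs no password-read right.
    param([Parameter(Mandatory)][string]$OU, [int]$GraceDays = 3)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$GraceDays)
    Get-ADComputer -SearchBase $OU -Filter 'Enabled -eq $true' `
                   -Properties 'msLAPS-PasswordExpirationTime', 'lastLogonTimestamp' |
    ForEach-Object {
        $raw     = $_.'msLAPS-PasswordExpirationTime'
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc($raw) } else { $null }
        if (-not $expires -or $expires -lt $cutoff) {
            [pscustomobject]@{
                Name      = $_.Name
                Expires   = $expires
                LastLogon = $( if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } )
                Reason    = $( if ($expires) { 'expired, not rotated' } else { 'never backed up' } )
            }
        }
    }
}

# Usage
$ou      = 'OU=Workstations,DC=yourdomain,DC=com'
$allowed = 'NT AUTHORITY\SYSTEM', 'yourdomain\Domain Admins', 'yourdomain\IT_Admins'   # assumed allow-list
Test-LapsReaders -OU $ou -Allowed $allowed | Format-Table -AutoSize
Get-LapsStaleComputer -OU $ou | Sort-Object Expires | Format-Table -AutoSize

# Make every successful read by the reader group land as event 4662 in the DCs' Security log,
# so password retrievals are attributable. Needs "Audit Directory Service Access" enabled on the DCs.
Set-LapsADAuditing -Identity $ou -AuditedPrincipals 'yourdomain\IT_Admins' -AuditType Success
```

A computer that shows up as “expired, not rotated” but has a recent LastLogon is the interesting case: it is online and should have rotated, so the fault is on the client or in its permissions rather than the machine simply being switched off.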

Troubleshooting Common LAPS Issues

Here are some frequent issues with LAPS and how to resolve them:

Issue 1: Password Not Updating in AD

  • Symptoms: The msLAPS-EncryptedPassword (or msLAPS-Password) attribute isn’t populated and msLAPS-PasswordExpirationTime stays empty, or the LAPS Operational log on the client shows error events around policy processing.
  • Possible Causes:
  • The computer lacks permission to update its attributes.
  • The GPO isn’t applied correctly.
  • The managed account named in the policy does not exist on the client.
  • Solution:
  • Verify permissions:
    Find-LapsADExtendedRights -Identity "OU=Workstations,DC=yourdomain,DC=com"
    This lists who can read passwords, not the computers’ own write right. For that, inspect the OU’s ACL for a SELF entry with write access to the msLAPS- attributes (the Security tab in ADUC with Advanced Features, or dsacls); if it is missing, re-run Set-LapsADComputerSelfPermission from Step 2.
  • Check GPO application on the client:
    gpresult /r
    Ensure “LAPS Policy” is listed under “Applied Group Policy Objects.”
  • Force LAPS to process and then read the events it logged:
    Invoke-LapsPolicyProcessing
  • If the cause is still unclear, Get-LapsDiagnostics collects the client’s LAPS logs and policy state into a folder for analysis.
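The client-side half of that triage, as an added example that is not from the original page or from Microsoft: run it elevated on the affected workstation. The registry key and log name are the ones Windows LAPS uses; the account-name fallback reproduces the AdministratorAccountName behaviour described in Step 3, and the five-second wait is an arbitrary choice made here.

```powershell
# Added example (not the page's or Microsoft's code): client-side triage for Issue 1.
# Run elevated on the affected machine.
#Requires -RunAsAdministrator

function Get-LapsEffectivePolicy {
    # GPO-delivered settings land under Policies\LAPS; a missing key means the GPO never reached
    # this box (wrong OU link, blocked inheritance, or an OS build without Windows LAPS).
    $policyKey = 'HKLM:\Software\Microsoft\Policies\LAPS'
    if (-not (Test-Path $policyKey)) { return $null }
    Get-ItemProperty -Path $policyKey |
        Select-Object BackupDirectory, AdministratorAccountName, PasswordAgeDays,
                      ADPasswordEncryptionEnabled, ADPasswordEncryptionPrincipal
}

function Get-LapsRecentEvents {
    param([int]$Count = 10)
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
}

function Test-LapsClient {
    $policy = Get-LapsEffectivePolicy
    if (-not $policy) {
        Write-Warning 'No LAPS policy on this machine: check gpresult /r, the OU link and inheritance.'
        return
    }
    if ($policy.BackupDirectory -ne 2) {
        Write-Warning "BackupDirectory is '$($policy.BackupDirectory)'; 2 (Active Directory) is needed for AD backup."
    }
    # A blank AdministratorAccountName means the RID-500 account, whatever it is currently named.
    $account = $policy.AdministratorAccountName
    if (-not $account) {
        $account = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Name
    }
    if (-not (Get-LocalUser -Name $account -ErrorAction SilentlyContinue)) {
        Write-Warning "Managed account '$account' does not exist locally; LAPS has nothing to rotate."
    }
    # Kick a policy cycle now instead of waiting for the next refresh, then read what it logged.
    Invoke-LapsPolicyProcessing
    Start-Sleep -Seconds 5
    $events = Get-LapsRecentEvents
    $events | Format-Table -AutoSize
    $problems = $events | Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' }
    if ($problems) {
        Write-Warning 'Error/warning events present: the message names the AD write or permission failure.'
    } elseif ($events | Where-Object Id -eq 10018) {
        'Password backed up to AD successfully (event 10018).'
    }
}

Test-LapsClient
```

If the machine is configured without Group Policy (local configuration instead of a GPO), the values live under HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config rather than the Policies key, and Get-LapsEffectivePolicy would need to look there.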

Issue 2: Cannot Retrieve Password

  • Symptoms: Get-LapsADPassword returns nothing (or an access error), or the LAPS tab in ADUC is empty.
  • Possible Causes:
  • The user lacks the read extended right on the OU.
  • The password hasn’t been generated yet.
  • The user can read the ciphertext but is not in the ADPasswordEncryptionPrincipal group, so DecryptionStatus is not Success.
  • Solution:
  • Verify read permissions:
    Find-LapsADExtendedRights -Identity "OU=Workstations,DC=yourdomain,DC=com"
    If your group is not among the extended-right holders, re-run Set-LapsADReadPasswordPermission.
  • If using encryption, compare the AuthorizedDecryptor and DecryptionStatus fields in the Get-LapsADPassword output with the “Configure authorized password decryptors” value in the GPO. Group membership is taken from your logon token, so log off and on again after being added to the group.
  • Check the password expiration timestamp (msLAPS-PasswordExpirationTime, readable without the password right) to confirm the client has backed up a password at all.

Issue 3: GPO Settings Not Applying

  • Symptoms: Client devices don’t generate new passwords despite the GPO being linked.
  • Possible Causes:
  • The GPO is linked to the wrong OU, or the OU has inheritance blocked.
  • The client OS doesn’t support Windows LAPS (Windows 10 before 20H2, or a supported version that has not received the April 2023 cumulative update).
  • Solution:
  • Verify the GPO link and inheritance in Group Policy Management Console.
  • Check the client OS version and build:
    Get-ComputerInfo | Select-Object WindowsProductName, OsVersion, OsBuildNumber
    Update the OS if needed. On a build that has Windows LAPS, Get-Command -Module LAPS lists the cmdlets; on an unpatched build it returns nothing.
  • Ensure the LAPS policy is enabled and settings are configured correctly (BackupDirectory must be set to Active Directory; the other settings have defaults).

Issue 4: Password Encryption Fails

  • Symptoms: Get-LapsADPassword shows Source = ClearTextPassword (the value landed in msLAPS-Password rather than msLAPS-EncryptedPassword), or the client logs an encryption error and backs up nothing, despite ADPasswordEncryptionEnabled being on.
  • Possible Causes:
  • The domain functional level is below 2016.
  • The “Configure authorized password decryptors” value did not reach the client, or names a group the client cannot resolve.
  • Solution:
  • Check the DFL (it is the domain mode, not the forest mode, that matters):
    Get-ADDomain | Select-Object DomainMode
    Raise it to Windows2016Domain or higher if needed.
  • Confirm the values under HKLM\Software\Microsoft\Policies\LAPS on the client (ADPasswordEncryptionEnabled and ADPasswordEncryptionPrincipal) match the GPO. Decryption rights are granted only through that principal; there is no AD permission to set for it, so re-running the permission cmdlets from Step 2 will not change who can decrypt.
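A single function that separates the cases behind Issues 2 and 4 for one computer, added here as an example rather than taken from the page or from Microsoft. It relies on the fields Get-LapsADPassword already returns (Source, DecryptionStatus, AuthorizedDecryptor) and on msLAPS-PasswordExpirationTime being readable without the password right; the computer name WS-001 is a placeholder.

```powershell
# Added example (not the page's or Microsoft's code): explain an empty or clear-text
# Get-LapsADPassword result for one computer (Issues 2 and 4). 'WS-001' is a placeholder.
#Requires -Modules LAPS, ActiveDirectory

function Test-LapsRetrieval {
    param([Parameter(Mandatory)][string]$ComputerName)

    $domainMode = (Get-ADDomain).DomainMode          # DomainMode, not ForestMode, gates encryption
    $me         = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # No -AsPlainText: the password stays a SecureString and is never written to the console.
    $pw = Get-LapsADPassword -Identity $ComputerName -ErrorAction SilentlyContinue

    if (-not $pw) {
        # Two different failures look identical here; the expiration attribute separates them,
        # because it is readable without the password extended right.
        $computer = Get-ADComputer -Identity $ComputerName -Properties 'msLAPS-PasswordExpirationTime'
        if ($computer.'msLAPS-PasswordExpirationTime') {
            return "A password is stored for $ComputerName but $me cannot read it: check Find-LapsADExtendedRights on its OU (Issue 2)."
        }
        return "No password has been backed up for $ComputerName yet: the client has not completed a LAPS cycle (Issue 1)."
    }

    $report = [pscustomobject]@{
        Computer            = $pw.ComputerName
        Account             = $pw.Account
        Source              = $pw.Source              # EncryptedPassword or ClearTextPassword
        DecryptionStatus    = $pw.DecryptionStatus    # Success only for an authorized decryptor
        AuthorizedDecryptor = $pw.AuthorizedDecryptor # the ADPasswordEncryptionPrincipal in effect at backup time
        Expires             = $pw.ExpirationTimestamp
        DomainMode          = $domainMode
        RunningAs           = $me
    }
    if ($pw.Source -like 'ClearText*') {
        Write-Warning "Stored in clear text: encryption is off in policy, or DFL '$domainMode' is below Windows2016Domain (Issue 4)."
    } elseif ($pw.DecryptionStatus -ne 'Success') {
        Write-Warning "Encrypted for '$($pw.AuthorizedDecryptor)'; '$me' is not in that group according to the current logon token. Log off and on after membership changes."
    }
    $report
}

Test-LapsRetrieval -ComputerName 'WS-001'
```

Because the function never calls -AsPlainText, it can be handed to first-line support to diagnose retrieval problems without ever showing them the password itself.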

Issue 5: Legacy LAPS Conflict

  • Symptoms: Devices still update the legacy LAPS attributes (ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime) instead of the Windows LAPS msLAPS- attributes.
  • Solution:
  • Uninstall the legacy LAPS client (the “Local Administrator Password Solution” MSI) from devices via Programs and Features or your software deployment tool. There is no built-in Uninstall-Program cmdlet; if you want to script it, Get-Package and Uninstall-Package from the PackageManagement module can remove the MSI entry.
  • Remove or unlink the legacy LAPS GPO and deploy the Windows LAPS settings from Step 3.
  • If both must coexist during a migration, give Windows LAPS a different local admin account to manage, as both versions can’t manage the same account simultaneously.

Additional Tips

  • Start Small: Test LAPS on a small OU with a few devices before rolling it out domain-wide.
  • Backup AD: Before schema updates, take a system state backup of at least one domain controller (Windows Server Backup or your usual backup product). Schema additions cannot be undone; the attributes can only be marked defunct, so a backup is your only real rollback.
  • Secure IT_Admins Group: Limit membership and enable MFA to prevent unauthorized access to passwords.
  • Monitor Logs: Regularly check Event Viewer for LAPS events to catch issues early.

Critical Perspective

While LAPS is effective, it’s not without flaws. The reliance on AD permissions means a single ACL misconfiguration, such as an over-broad delegation or an unexpected principal inheriting Full Control on the OU, can expose every managed password at once, which is why Find-LapsADExtendedRights belongs in a recurring audit rather than a one-off setup check. Encryption in Windows LAPS is a step forward, but requiring a 2016 DFL excludes older environments, which are left with clear-text storage protected only by the confidential-attribute ACL, whether they stay on legacy LAPS or run Windows LAPS without encryption. LAPS also only closes one door, the shared local administrator password used for lateral movement; it does nothing about pass-the-hash with domain credentials or an attacker who has already compromised a member of the reader group, so it should be part of a broader security strategy, including tools like Microsoft Defender for Endpoint.
