Troubleshooting Permissions in LAPS Active Directory tool

How does this present itself

When attempting to read the LAPS AD password with the AD LAPS Password Tool, you might receive the error "No LAPS Password Found", or the tool may simply return without any results (the results sections are empty).

Why this is happening

When LAPS is implemented in your environment, two new attributes are added to computer objects: ms-mcs-AdmPwd (which contains the password) and ms-mcs-AdmPwdExpirationTime (which contains the password expiration time).

The AD LAPS Password Tool requires read access to both attributes in order to show the password and its expiration time, and it needs write access to ms-mcs-AdmPwdExpirationTime in order to force a password reset. If the account running the tool has not been granted these rights on the computer objects, the lookup returns nothing.

How to Resolve the Issue

There are two commands that you should run from an administrative PowerShell prompt. The PowerShell cmdlets are added when you install the LAPS software (full admin install). To start the session, load the LAPS module by typing Import-Module AdmPwd.PS

  • Set-AdmPwdReadPasswordPermission -OrgUnit ",OU=Units,DC=ad,DC=uoregon,DC=edu" -AllowedPrincipals
    This updates the permissions of all computer objects in the target OU to allow the entered AD user/group to read the LAPS attributes of those computer objects.

  • Set-AdmPwdResetPasswordPermission -OrgUnit ",OU=Units,DC=ad,DC=uoregon,DC=edu" -AllowedPrincipals
    This updates the permissions of all computer objects in the target OU to allow the entered AD user/group to write ms-mcs-AdmPwdExpirationTime on those computer objects, which is what forces a password reset.
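The following script is an added example, not part of the original article, that puts the two delegation commands into a repeatable sequence: it records which principals can already read LAPS passwords under the OU, delegates read and reset rights to groups, re-checks the delegation, and then tests a password read the way the LAPS tool does. The OU distinguished name, the group names and the computer name are placeholders (assumptions) and must be replaced with your own values; Find-AdmPwdExtendedRights and Get-AdmPwdPassword are standard cmdlets from the AdmPwd.PS module.

```powershell
# Added example (not from the original article): delegate LAPS read/reset rights
# and verify the result. Placeholders below are assumptions, replace them.
Import-Module AdmPwd.PS

$ou        = 'OU=EXAMPLE-OU,OU=Units,DC=ad,DC=uoregon,DC=edu'   # placeholder OU DN
$readers   = 'LAPS-Password-Readers'    # placeholder group: may read passwords
$resetters = 'LAPS-Password-Resetters'  # placeholder group: may force a reset

# Helper: list every principal holding "All extended rights" on objects under the OU.
# That right is what reading ms-mcs-AdmPwd requires, so anyone listed here can read
# every LAPS password in the OU. Review this list before adding to it.
function Show-LapsReaders([string] $OrgUnitDN) {
    Find-AdmPwdExtendedRights -Identity $OrgUnitDN -IncludeComputers:$false |
        ForEach-Object { "{0}: {1}" -f $_.ObjectDN, ($_.ExtendedRightHolders -join ', ') }
}

# 1. Baseline: who can read passwords today?
Write-Host "Extended-right holders on $ou before delegation:"
Show-LapsReaders -OrgUnitDN $ou

# 2. Delegate. -AllowedPrincipals accepts one or more principals; use groups rather
#    than individual users so membership, not ACLs, is what you manage over time.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# 3. Confirm the new groups now appear in the holder list.
Write-Host "Extended-right holders on $ou after delegation:"
Show-LapsReaders -OrgUnitDN $ou

# 4. Test as a member of the reader group (new group membership needs a fresh logon).
#    An empty Password field is the same condition the LAPS tool reports as
#    "No LAPS Password Found": either the read right is still missing, or the
#    computer has not yet had a password set by the LAPS client.
$computer = 'EXAMPLE-PC01'   # placeholder computer in the OU
$result = Get-AdmPwdPassword -ComputerName $computer
if ([string]::IsNullOrEmpty($result.Password)) {
    Write-Warning "No LAPS password readable for $computer; check the read permission and the expiration time attribute."
} else {
    "{0}: password readable, expires {1}" -f $result.ComputerName, $result.ExpirationTimestamp
}
```

Run steps 1 to 3 from the administrative prompt used for the delegation; step 4 should be run under an account that belongs only to the reader group so the test reflects the permission you actually granted rather than domain admin rights.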