How does this present itself
When attempting to read the LAPS AD password with the AD LAPS Password Tool, you might receive the error "No LAPS Password Found", or the LAPS password tool may simply return without any results (the results sections are empty.)
Why this is happening
When the LAPS Tool is implemented in your environment, two new attributes are created. ms-mcs-AdmPwd (which contains the Password) and ms-mcs-AdmPwdExpirationTime (which contains the password expiration time).
The AD LAPS Password Tool requires the ability to read the two attributes to read the password and expiration time, and will need to be able to change the value in ms-mcs-AdmPwdExpirationTime to force a password reset.
How to Resolve the Issue
There are two commands that you should run from an administrative powershell prompt. The powershell commands are added when you install the LAPS software (full admin install). To start the session you should add the LAPS modules by typing Import-Module AdmPwd.ps
Set-AdmPwdReadPasswordPermission -OrgUnit ",OU=Units,DC=ad,DC=uoregon,DC=edu" -AllowedPrincipals
This will update the permissions of all computer objects in the target OU to allow entered AD user/Group to read the LAPS Attributes of Computer ObjectsSet-AdmPwdResetPasswordPermission -OrgUnit ",OU=Units,DC=ad,DC=uoregon,DC=edu" -AllowedPrincipals This will update the permissions of all computer objects in the target OU to allow the entered AD User/Group to reset the LAPS Attributes of computer objects.