How does this present itself
When attempting to read the LAPS AD password with the AD LAPS Password Tool, you might receive the error "No LAPS Password Found", or the LAPS password tool may simply return without any results (the results sections are empty.)
When the LAPS Tool is implemented in your environment, two new attributes are created. ms-mcs-AdmPwd (which contains the Password) and ms-mcs-AdmPwdExpirationTime (which contains the password expiration time).
The AD LAPS Password Tool requires the ability to read the two attributes to read the password and expiration time, and will need to be able to change the value in ms-mcs-AdmPwdExpirationTime to force a password reset.
There are two commands that you should run from an administrative powershell prompt. The powershell commands are added when you install the LAPS software (full admin install). To start the session you should add the LAPS modules by typing Import-Module AdmPwd.ps
Set-AdmPwdReadPasswordPermission -OrgUnit ",OU=Units,DC=ad,DC=uoregon,DC=edu" -AllowedPrincipals
This will update the permissions of all computer objects in the target OU to allow entered AD user/Group to read the LAPS Attributes of Computer Objects
Set-AdmPwdResetPasswordPermission -OrgUnit ",OU=Units,DC=ad,DC=uoregon,DC=edu" -AllowedPrincipals This will update the permissions of all computer objects in the target OU to allow the entered AD User/Group to reset the LAPS Attributes of computer objects.