jasonleethompson

asked on

LAPS Local Administrator Password Solution fails to update password

LAPS Local Administrator Password Solution will not reset passwords.
Windows 10 x64 2016 Server Domain and Forest functional level is 2016.
Tony J

Not much to go on there.

Checked the permissions for a starter?

What have you tried? Has it ever worked? Any errors generated?
jasonleethompson

ASKER

I have watched videos, read many articles all to become redundant. All the little PS1 scripts, etc.

I followed the procedures step by step. Line item by line item.
I built and linked the GPO.
Created the lapadmin account. Assigned delegation.......
It allows me to Set the New expiration date and that's it.
Anybody?
CMD:
GPResult /H C:\Temp\GPResults.HTML



Does the policy look to be applied properly?
RSOP looks good. LAPS GPO is clean and is winning.
On the destination system where the password needs to be updated are there any bangs in the logs (exclamation marks) especially the security logs?
PS C:\Windows\system32> Get-ADComputer  <myComputer> -Properties msMcsAdmPwd
At line:1 char:17
+ Get-ADComputer  <myComputer> -Properties msMcsAdmPwd
+                 ~
The '<' operator is reserved for future use.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : RedirectionNotSupported



EVENT (Security log): source AdmPwd, event ID 7, 0x80070032
Is the "<" character in the password that is trying to be pushed out?
LAPS should generate a random password for push to domain local machines. So, I would have to say no.

ERRORS: Audit 4673

Process:
      Process ID:      0x6a44
      Process Name:      C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe

Service Request Information:
      Privileges:            SeTcbPrivilege

**BREAK

APPLICATION Error 4098:

Group Policy Object did not apply because it failed with error code '0x8007055b Cannot perform this operation on built-in accounts.' This error was suppressed.
When you followed the guide, did you follow the sections on permissions, including the machine rights section, to the letter?

Do you have any policies in place that remove the local admin accounts? LAPS defaults to the well-known SID, so renaming the account shouldn't stop it working.

Can you build a test OU, blocking all inheritance and drop a newly built machine into it then target that OU with LAPS? Does that work?

Per my first response, this looks more and more like it's a permissions issue.
Hey Tony, let's see: I have been to several different sites and watched a few videos on the subject.
I do have the local admin account renamed and the gpo setting is in place for that. (RID)
I will set up the blocked OU soon and test.
You are correct it is certainly a permissions issue. I have domain admin rights w/ my admin account. The permission for the System account (NT Auth) are in place.
Also, looking at AD I have created a LAPS OU and group, if I add the "domain computers" group it will change the password on my servers. I do not want to do that, so is there a way that I can just apply LAPS to just workstations and laptops?

I am certain that the permissions issues are on the LAPS OU/group (SELF account)
ASKER CERTIFIED SOLUTION
Tony J

Thank you Tony for sticking with me through getting LAPS up and going. Everything is working well. The resolution was adding the SELF account with Modify permission to the LAPS OU.
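The fix the asker landed on (write access for SELF on the LAPS OU) and the scoping question from earlier in the thread (workstations only, not servers) can both be done and verified from PowerShell. The script below is an added example written for this page, not code posted in the thread; it uses the AdmPwd.PS module that ships with the LAPS management tools and the RSAT ActiveDirectory and GroupPolicy modules. The domain name, OU, group name and GPO name are placeholders, not values from the thread. One detail worth noting against the thread's own Get-ADComputer attempt: the attribute's LDAP name is ms-Mcs-AdmPwd (with hyphens), and the computer name is passed without angle brackets, since `<` is a reserved operator in PowerShell, which is exactly the parser error shown above.

```powershell
# Added example (not from the thread): verify and repair the AD-side LAPS permissions,
# scope the LAPS GPO to a workstation OU, and check a single machine's state.
# Placeholders (assumed, not taken from the thread):
#   domain contoso.example, OU "LAPS-Workstations", group "LAPS-PasswordReaders", GPO "LAPS".
Import-Module AdmPwd.PS          # installed by the LAPS MSI "Management Tools" feature
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou      = 'OU=LAPS-Workstations,DC=contoso,DC=example'   # placeholder
$readers = 'CONTOSO\LAPS-PasswordReaders'                  # placeholder
$gpoName = 'LAPS'                                          # placeholder

# 1. The schema extension must exist; without ms-Mcs-AdmPwd the client extension has
#    nowhere to store the password and nothing ever changes on the machine.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -Filter { name -eq 'ms-Mcs-AdmPwd' }
if (-not $attr) { throw 'LAPS schema extension missing: run Update-AdmPwdADSchema as Schema Admin first.' }

# 2. Grant SELF write access to ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime on every
#    computer object under the OU. This is the permission the thread was missing: the
#    computer account itself writes its new password, so without it the client can set an
#    expiration date but never store a password.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 3. Delegate read/reset to a dedicated group rather than handing out Domain Admin.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# 4. Audit who holds "All Extended Rights" on the OU: every principal listed here can read
#    every local administrator password beneath it, so unexpected entries are a finding.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object -ExpandProperty ExtendedRightHolders

# 5. Scope LAPS to workstations only by linking the GPO to the workstation OU instead of
#    granting "Domain Computers"; a domain-wide grant or link would manage servers as well.
$linked = (Get-GPInheritance -Target $ou).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# 6. Inspect one machine. The expiration time is a FILETIME; a blank ms-Mcs-AdmPwd after a
#    gpupdate on the client means the write is still being refused (check the SELF ACE).
function Test-LapsComputer {
    param([Parameter(Mandatory)][string]$ComputerName)   # plain name, no angle brackets
    $c = Get-ADComputer $ComputerName -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
    $expires = if ($c.'ms-Mcs-AdmPwdExpirationTime') {
        [DateTime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
    }
    [pscustomobject]@{
        Computer        = $c.Name
        PasswordStored  = [bool]$c.'ms-Mcs-AdmPwd'   # never print the password itself
        ExpiresUtc      = $expires
        InScopeOU       = $c.DistinguishedName -like "*,$ou"
    }
}

Test-LapsComputer -ComputerName 'WS-PLACEHOLDER-01'

# 7. On the client side, the LAPS extension logs to the Application log under source AdmPwd;
#    run "gpupdate /target:computer /force" there and then read the latest entries.
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -MaxEvents 10
```

Two caveats that follow from the thread's own log excerpts: the 0x8007055b "Cannot perform this operation on built-in accounts" text under event 4098 comes from a Group Policy Preferences Local Users and Groups item acting on the built-in Administrator, which is separate from LAPS and should not also be renaming or deleting the account LAPS manages; and when the built-in RID 500 account is the one being managed (renamed or not), the LAPS policy "Name of administrator account to manage" should be left unset, since LAPS finds the account by its well-known SID, as Tony notes above.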
Brilliant - glad you got it working!

You're more than welcome. It is awful when help evaporates so I always try (not always successfully, it has to be said!) to stick with an issue :)