JoelNentwich-8915 asked:

LAPS is not saving password in the directory

I am in the process of implementing LAPS on all the workstations at my place of employment. The LAPS client is installed on all the workstations and a GPO is in place to set the LAPS password parameters. When I look at the LAPS password attribute on a computer object within the directory the attribute is blank. The workstations are logging event id 7 in the application event log. The event reads "Could not write changed password to AD. Error 0x80070032". I have verified on the computer objects running the LAPS client that the directory permission "self" has write permission to the attributes ms-MCS-AdmPwdExpirationTime and ms-MCS-AdmPwd.

All the reading I have done online states that event id 7 is logged when the computer cannot write to the ms-MCS-AdmPwdExpirationTime and ms-MCS-AdmPwd attributes. As stated, the permissions look correct. Does anyone know of a way to enable more verbose logging so I can troubleshoot this issue further? Or have any ideas I should try?

Thanks in advance for everyone's help,
Joel

windows-10-security

FanFan-MSFT answered:

Hi,
Did the issue happen for all the LAPS clients or just for a specific one?
If all the LAPS clients have the same issue, it is suggested to check the OU container for the clients, then run the command again and check the result.
Command: Set-AdmPwdComputerSelfPermission -OrgUnit <name of the OU to delegate permissions>

For troubleshooting:
Event Logging
The number of events that are logged is configurable via the following registry REG_DWORD value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ExtensionDebugLevel

This value is not there by default and must be added.

Possible values are as follows:
Value 0: Silent mode; log errors only. When no error occurs, no information is logged about CSE activity. This is the default value.
Value 1: Log errors and warnings.
Value 2: Verbose mode; log everything.

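The steps in the answer above, written out as an added PowerShell example (this is not code from the thread or from Microsoft): delegate SELF write at the OU with the LAPS management cmdlets, inspect the resulting ACEs on a computer object, turn on verbose CSE logging on the workstation, and read back the AdmPwd events and the expiration attribute. It assumes the AdmPwd.PS and ActiveDirectory modules are installed, that the event provider name is "AdmPwd", and that `$ou` and `$computer` are placeholders you replace.

```powershell
# Added example (not from the original thread). Placeholders below must be
# replaced with your own OU and a test computer name.
$ou       = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$computer = 'WS-TEST01'                            # placeholder computer name

# --- On a management host with RSAT + the LAPS PowerShell module ------------
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# 1. Delegate SELF write on ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime at the
#    OU level; computer objects beneath it inherit the ACEs.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Show which principals hold extended (read-password) rights on the OU,
#    a quick sanity check that the delegation landed on the intended container.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table -AutoSize

# 3. List the WriteProperty ACEs granted to SELF on one computer object and
#    whether they are inherited (they should be, after step 1).
$dn = (Get-ADComputer $computer).DistinguishedName
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference -like '*SELF' -and
                   $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# --- On the affected workstation (elevated prompt) ---------------------------
# 4. Enable verbose CSE logging (value 2) under the LAPS GPExtensions key.
$cse = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
New-ItemProperty -Path $cse -Name ExtensionDebugLevel -PropertyType DWord -Value 2 -Force | Out-Null

# 5. Force a Group Policy refresh so the LAPS CSE runs and logs.
gpupdate /force | Out-Null

# 6. Pull the latest AdmPwd events from the Application log; ID 7 is the
#    "Could not write changed password to AD" error quoted in the question.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# --- Back on the management host: confirm the attribute is now populated -----
Get-ADComputer $computer -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    Select-Object Name, 'ms-Mcs-AdmPwdExpirationTime'
```

Set ExtensionDebugLevel back to 0 (or remove the value) once the workstation is writing passwords, since verbose mode logs every CSE action.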

JoelNentwich-8915 answered:

Thank you @FanFan-MSFT for your insight. For my original testing I manually set the "self" permissions on the computer object. As stated above, the LAPS application was not able to set the local administrator password on the computer object within the directory. As per your instructions I used the PowerShell command, Set-AdmPwdComputerSelfPermission, to set the "self" permissions on the OU which contained the test computer objects. As soon as the permission was set at the OU level the LAPS application was able to save the password into the directory. Interesting, as it was the same permissions I set on the computer object, just one level higher at the OU level, and the computer object inherited the permission. Not sure why the permission needed to be set at the OU level, but it is working now.

Joel
