Robinfr,
Would you please re-run the Get-LapsADPassword cmdlet with the -Verbose parameter and PM me with the output? I will take a look.
I don't speak French but thankfully Bing does:
"Le mot de passe du compte est chiffre, mais vous n'etes pas autorise a le dechiffrer."
"The account password is encrypted, but you are not allowed to decrypt it."
There are two levels of authorization permissions with the new Windows LAPS password encryption feature. The first level is the Active Directory read ACLs, which basically work in a similar fashion as legacy LAPS' ACLs did. With encrypted passwords though, the client must ALSO be authorized to decrypt the password. These two levels of permissions are discussed in the Windows LAPS docs here.
The error popup that you showed is what ADUC will display when you don't have decryption permissions. My next advice would be to run Get-LapsADPassword on that computer account, and look to see what the "Authorized Decryptor" field shows, e.g.:
    Get-LapsADPassword -Identity lapsDC.laps.com -AsPlainText

    ComputerName        : LAPSDC
    DistinguishedName   : CN=LAPSDC,OU=Domain Controllers,DC=laps,DC=com
    Account             : Administrator
    Password            : 118y$rsw.3y58yG]on$Hii
    PasswordUpdateTime  : 4/9/2023 10:17:51 AM
    ExpirationTimestamp : 4/19/2023 10:17:51 AM
    Source              : EncryptedDSRMPassword
    DecryptionStatus    : Success
    AuthorizedDecryptor : LAPS\Domain Admins
Once you know who the AuthorizedDecryptor is, check if the client who got the error is in that group; the answer should be no, which explains the error.
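
The membership check described in the post can be scripted. The following is an added example, not part of the original post or of the Windows LAPS module: it reads the AuthorizedDecryptor for a computer account and compares its SID with the SIDs in the current user's logon token. The default identity is the sample value from the post, and the handling of a raw SID string in AuthorizedDecryptor is an assumption.

```powershell
# Added example: is the current user covered by the AuthorizedDecryptor?
# Assumption: 'lapsDC.laps.com' is the sample identity from the post; pass your own.
param(
    [string]$Identity = 'lapsDC.laps.com'
)

# -AsPlainText is deliberately omitted: only the metadata fields are needed here.
$laps = Get-LapsADPassword -Identity $Identity

$decryptor = [string]$laps.AuthorizedDecryptor
if ([string]::IsNullOrWhiteSpace($decryptor)) {
    Write-Warning "No AuthorizedDecryptor reported for $Identity (Source: $($laps.Source))."
    return
}

# Resolve the decryptor (e.g. LAPS\Domain Admins) to a SID.
# Assumption: if the name could not be resolved, the field may hold a raw SID string.
if ($decryptor -match '^S-1-') {
    $decryptorSid = [System.Security.Principal.SecurityIdentifier]$decryptor
}
else {
    $account      = [System.Security.Principal.NTAccount]$decryptor
    $decryptorSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
}

# Collect the user SID and group SIDs from the current logon token.
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

[pscustomobject]@{
    ComputerName          = $laps.ComputerName
    Source                = $laps.Source
    DecryptionStatus      = $laps.DecryptionStatus
    AuthorizedDecryptor   = $decryptor
    CurrentUser           = $me.Name
    InAuthorizedDecryptor = $tokenSids -contains $decryptorSid.Value
}
```

Run it as the user who saw the error. The token reflects group membership as of logon, so a user recently added to the group must sign out and back in before the result changes.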