ScottLangley86 - please run the Get-LapsDiagnostics cmdlet from an elevated PowerShell window, PM me the resultant .zip file, and I will take a look.
Followup EDIT comments:
>>But we receive this log event that is not explained anywhere I can find.
>>The net result seems to be that the decryptor group is not assigned via policy and the permissions had to be assigned with PowerShell.
>>Also, no other events in logs are being generated. Only process start, process disabled, process succeeded. Any ideas?
I just realized that you are probably looking in the Windows LAPS event log on the domain controller? If so, realize that the Windows LAPS event log on the DC is only capturing events related to the DC acting itself as a Windows LAPS client (i.e., for the purposes of managing the DSRM account password if you enabled that), and will never have any events related to domain-joined client LAPS activity. The clients encrypt the new passwords before they leave the machine, and from there it's just a straightforward LDAP modify to persist the encrypted result in the directory. And if you did not explicitly set the password-decryptors setting on the client, we will default to using Domain Admins.
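
Added example, not part of the original reply and not Microsoft's own code: a way to check both points above, by reading the Windows LAPS event log on the domain-joined client rather than the DC, and by asking the directory which principal is authorized to decrypt the stored password. `CLIENT01` is a placeholder computer name; the sketch assumes the `Microsoft-Windows-LAPS/Operational` log channel and the built-in `LAPS` PowerShell module.

```powershell
# Added example. 'CLIENT01' is a placeholder; replace with the client under test.
$Computer = 'CLIENT01'
$LogName  = 'Microsoft-Windows-LAPS/Operational'

# Part 1: run on the domain-joined CLIENT (elevated), not on the DC.
# The client's log is where policy processing and password-update events
# for that machine appear; the DC's copy only covers the DC as a LAPS client.
try {
    Get-WinEvent -LogName $LogName -MaxEvents 50 -ErrorAction Stop |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
catch {
    Write-Warning "Could not read '$LogName' on $env:COMPUTERNAME: $($_.Exception.Message)"
}

# Part 2: run from any machine that has the LAPS module and read access
# to the computer object. The password stays a SecureString because
# -AsPlainText is not used; only the metadata is of interest here.
try {
    $entry = Get-LapsADPassword -Identity $Computer -ErrorAction Stop
    $entry | Select-Object ComputerName, Source, DecryptionStatus,
                           AuthorizedDecryptor, PasswordUpdateTime |
             Format-List

    # If no password-decryptors setting reached the client, the reply above
    # says the default is Domain Admins, so that is what should show up here.
    if ($entry.AuthorizedDecryptor -match 'Domain Admins') {
        Write-Host 'Decryptor is Domain Admins: consistent with the default (no explicit decryptor policy applied).'
    }
    else {
        Write-Host "Decryptor is '$($entry.AuthorizedDecryptor)': an explicit setting took effect on the client."
    }
}
catch {
    Write-Warning "Get-LapsADPassword failed for ${Computer}: $($_.Exception.Message)"
}
```

Because the client encrypts the password before the LDAP write, a changed decryptor setting is only reflected in `AuthorizedDecryptor` after the client's next password update.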