Implementing LAPS
Confirm schema extension and attributes
On Server 2025, the new Windows LAPS schema attributes are built-in but must be enabled for the domain:
Run this on your DC:
Update-LapsADSchema
Then check that the attributes exist on a computer object in AD Users and Computers:
msLAPS-PasswordExpirationTime
msLAPS-EncryptedPassword
If they’re missing, the schema update didn’t apply correctly.
Verify Group Policy configuration
In Group Policy Management Editor, under
Computer Configuration → Administrative Templates → System → LAPS
set these policies:
Policy                                              Setting
Configure password backup directory                 Active Directory
Enable password backup for administrator account    Enabled
Password complexity / length / age                  As required
Name of administrator account to manage             (blank for built-in Administrator, or specify custom local admin)
Apply the GPO to an OU containing your Windows 11 test PC, and confirm it is applied:
gpresult /h c:\temp\gp.html
Check that the client has the LAPS feature installed
Windows 11 26100 already includes the new LAPS client natively, but confirm:
Get-WindowsCapability -Name *LAPS* -Online
If it’s “Not Present,” install it:
Add-WindowsCapability -Name Windows.LAPS~~~~0.0.1.0 -Online
Force a password rotation and check logs
On the Windows 11 client:
Reset-LapsPassword -Verbose
Then review the event log:
Event Viewer → Applications and Services Logs → Microsoft → Windows → LAPS → Operational
Successful backup shows Event 10031 (“The password was successfully backed up to Active Directory”).
Errors such as Event 10023/10025 indicate missing permissions or schema issues.
Verify AD permissions for the computer object
The SELF account of each computer must have permission to write its own LAPS attributes.
Check via PowerShell on the DC:
Set-LapsADComputerSelfPermission -Identity "OU=Computers,DC=yourdomain,DC=local"
This ensures the computers in that OU can store their passwords.
View the password from the DC
Use one of the following:
PowerShell:
Get-LapsADPassword -Identity "TestPC$" -AsPlainText
Active Directory Users and Computers:
Enable Advanced Features → open the computer object → Attribute Editor → view msLAPS-Password.
If it’s still empty, the client never wrote the value—recheck Event 10023 logs or permissions.
🔧 Summary
If your DC shows only the DSRM password but not the client’s local admin password, the problem is almost always one of these:
LAPS GPO not applied to the workstation OU
Client LAPS feature missing or inactive
Computer lacks permission to write its password to AD
Run the steps above in order—especially Set-LapsADComputerSelfPermission and Reset-LapsPassword—and you’ll see the password populate in Active Directory within minutes.
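An added check that is not part of the post above: a PowerShell script that reads the computer object's LAPS attributes from AD and then pulls the client's LAPS Operational events, so the three causes listed in the summary can be told apart from one place. It assumes the ActiveDirectory module is installed where it runs and uses "TestPC" as a placeholder computer name.

```powershell
# Added verification script (not from the post above). Run it on the DC or an
# admin workstation with the ActiveDirectory module; it reads the computer
# object's LAPS attributes and then pulls the client's LAPS Operational events.
# $ComputerName is a placeholder for the Windows 11 test PC's AD name.
param(
    [string]$ComputerName = 'TestPC'   # placeholder, replace with your test PC
)
Import-Module ActiveDirectory

# 1. Confirm the computer object carries the Windows LAPS attributes named in the post.
$lapsAttrs = 'msLAPS-PasswordExpirationTime', 'msLAPS-Password', 'msLAPS-EncryptedPassword'
$computer  = Get-ADComputer -Identity $ComputerName -Properties $lapsAttrs

$expiry = $computer.'msLAPS-PasswordExpirationTime'
if ($null -eq $expiry) {
    Write-Warning "$ComputerName has no msLAPS-PasswordExpirationTime: the client never wrote a password (GPO, client feature or SELF permission), or the schema update did not apply."
} else {
    # The attribute is stored as a 64-bit Windows FILETIME; convert it for readability.
    $expiryUtc = [DateTime]::FromFileTimeUtc([Int64]$expiry)
    Write-Output "Password expiration (UTC): $expiryUtc"
}

# Report only whether the password attributes are populated; never print the secret itself.
$clearSet     = -not [string]::IsNullOrEmpty($computer.'msLAPS-Password')
$encryptedSet = $null -ne $computer.'msLAPS-EncryptedPassword'
Write-Output "msLAPS-Password populated          : $clearSet"
Write-Output "msLAPS-EncryptedPassword populated : $encryptedSet"

# 2. Summarise the client's recent LAPS Operational events. 10031 = successful
#    backup; 10023/10025 = permission or schema problems, as described in the post.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Microsoft-Windows-LAPS/Operational'
    Id      = 10031, 10023, 10025
} -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No LAPS backup-related events found on $ComputerName; run Reset-LapsPassword -Verbose there and retry."
} else {
    $events |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
}
```

Remote event log reading needs the Remote Event Log Management firewall rule open on the client; if that is blocked, run the second half locally on the test PC without -ComputerName.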