Forum Discussion
Implementing LAPS
Translated with google
Good morning, in the test environment I am trying to activate the LAPS features.
The activation seems to have been successful.
From the computer that acts as DC in AD it shows me the DSRM user password.
While from the computer account of the test PC for LAPS no account or password is displayed.
Obviously I created a GPO for the application of the LAPS parameters
I have already restarted the PC several times and performed a GPupdate /force
What can I check to have LAPS active on the client too?
This is the data of the test network
PC: W11 Pro 10.0.26100 build 26100
Server: W2025 srv Datacenter 10.0.26100 build 26100
Domain functional level 2025
Forest functional level 2025
1 Reply
Confirm schema extension and attributes
On Server 2025, the new Windows LAPS schema attributes are built-in but must be enabled for the domain:
Run this on your DC:
Update-LapsADSchema
Then check that the attributes exist on a computer object in AD Users and Computers:
msLAPS-PasswordExpirationTime
msLAPS-EncryptedPassword
If they’re missing, the schema update didn’t apply correctly.
Verify Group Policy configuration
In Group Policy Management Editor, under
Computer Configuration → Administrative Templates → System → LAPS
set these policies (Policy: Setting):
Configure password backup directory: Active Directory
Enable password backup for administrator account: Enabled
Password complexity / length / age: As required
Name of administrator account to manage: (blank for built-in Administrator, or specify custom local admin)
Apply the GPO to an OU containing your Windows 11 test PC, and confirm it is applied:
gpresult /h c:\temp\gp.html
Check that the client has the LAPS feature installed
Windows 11 26100 already includes the new LAPS client natively, but confirm:
Get-WindowsCapability -Name *LAPS* -Online
If it’s “Not Present,” install it:
Add-WindowsCapability -Name Windows.LAPS~~~~0.0.1.0 -Online
Force a password rotation and check logs
On the Windows 11 client:
Reset-LapsPassword -Verbose
Then review the event log:
Event Viewer → Applications and Services Logs → Microsoft → Windows → LAPS → Operational
Successful backup shows Event 10031 (“The password was successfully backed up to Active Directory”).
Errors such as Event 10023/10025 indicate missing permissions or schema issues.
Verify AD permissions for the computer object
The SELF account of each computer must have permission to write its own LAPS attributes.
Check via PowerShell on the DC:
Set-LapsADComputerSelfPermission -Identity "OU=Computers,DC=yourdomain,DC=local"
This ensures the computers in that OU can store their passwords.
View the password from the DC
Use one of the following:
PowerShell:
Get-LapsADPassword -Identity "TestPC$" -AsPlainText
Active Directory Users and Computers:
Enable Advanced Features → open the computer object → Attribute Editor → view msLAPS-Password.
If it’s still empty, the client never wrote the value—recheck Event 10023 logs or permissions.
🔧 Summary
If your DC shows only the DSRM password but not the client’s local admin password, the problem is almost always one of these:
LAPS GPO not applied to the workstation OU
Client LAPS feature missing or inactive
Computer lacks permission to write its password to AD
Run the steps above in order—especially Set-LapsADComputerSelfPermission and Reset-LapsPassword—and you’ll see the password populate in Active Directory within minutes.
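The client-side checks from the reply above (did the LAPS policy reach the PC, and what did the LAPS Operational log record), as an added read-only example that is not part of the original thread. It assumes the settings are delivered by GPO, which Windows LAPS reads from the registry key shown, and that it runs in an elevated PowerShell session on the Windows 11 client.

```powershell
# Added example (not from the thread): read-only LAPS triage on the client.
# Run in an elevated PowerShell session on the Windows 11 test PC.
# Assumption: settings arrive by GPO, which Windows LAPS reads from this key.
$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS'
$logName   = 'Microsoft-Windows-LAPS/Operational'

function Get-LapsClientPolicy {
    # $null means no GPO-delivered LAPS settings exist on this machine.
    if (-not (Test-Path -Path $policyKey)) { return $null }
    $p = Get-ItemProperty -Path $policyKey
    $directory = @{ 0 = 'Disabled'; 1 = 'Microsoft Entra ID'; 2 = 'Active Directory' }
    [pscustomobject]@{
        # A missing BackupDirectory value casts to 0, which is also the default (disabled).
        BackupDirectory          = $directory[[int]$p.BackupDirectory]
        AdministratorAccountName = $p.AdministratorAccountName
        PasswordAgeDays          = $p.PasswordAgeDays
        PasswordLength           = $p.PasswordLength
    }
}

function Get-LapsEventSummary {
    param([int]$MaxEvents = 200)
    # Count recent events per Id and level so errors stand out from successes.
    Get-WinEvent -LogName $logName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Group-Object -Property Id, LevelDisplayName |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

$policy = Get-LapsClientPolicy
if ($null -eq $policy) {
    Write-Warning "No LAPS policy key found: the GPO is not applied to this computer."
} elseif ($policy.BackupDirectory -ne 'Active Directory') {
    Write-Warning "BackupDirectory is '$($policy.BackupDirectory)': nothing will be written to AD."
} else {
    $policy | Format-List
}

Get-LapsEventSummary | Format-Table -AutoSize

# Most recent critical, error and warning events with their full message text.
Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 1, 2, 3 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List -Property TimeCreated, Id, LevelDisplayName, Message
```

The script changes nothing on the machine; a missing policy key points back at GPO scope, while a populated key with errors in the log points at the permission or schema checks.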