Problem Description:
When I open up dsa.msc, navigate to my LAPS controlled OU, right click on a target system, go to Properties > LAPS > Expire Now and click "Apply", it displays the message "You may not be authorized to administer LAPS related state on this computer".
Info:
- The LAPS administrative template has been installed and configured per this Microsoft Tech Community Post
- A GPO has been pushed to the LAPS OUs that contains the configured template
- The LAPS Management Tools have been installed on the LAPS server
- The LAPS AdmPwdGPO extension has been installed on the client system I am testing
- A GPO for the installation of the MSI will be developed once I see this working.
- The Active Directory schema has been extended and contains both the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.
  - This was done prior to the start of my work on this network
- The PowerShell AdmPwd.PS module has been used to:
  - Allow local systems to update their LAPS attributes with Set-AdmPwdComputerSelfPermission pointed at the intended OUs
  - Ensure that Domain Admins have rights with Set-AdmPwdReadPasswordPermission, and then verify this with Find-AdmPwdExtendedRights
- The schema contains the plaintext LAPS password and expiration. These can be viewed by a domain administrator, as is the intended design of this particular network.
- There are no relevant event logs that I can find in the Administrative Events portion of Event Viewer which occur at the same time as the error message.
Additional Notes:
According to other staff on-site this network was migrated from Server 2016 to Server 2019 within the past 2 years. LAPS was apparently configured (and working??) when the network was running server 2016. Could a Server 2016 to 2019 migration cause a problem with LAPS?
Also, while the schema was extended and the GPO was installed I did not see the LAPS UI tools nor the client software installed on any systems on the network.
Addt'l Questions:
Is there someplace I can look that will provide me with additional details about this error? Are there any domain permissions issues that would prevent me from sending an "Expire" command to the target system? I assume that the LAPS client and the LAPS server have a means of working out the reset for the local system account.
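The "Expire Now" button in the LAPS UI does one thing: it writes a new value into the ms-Mcs-AdmPwdExpirationTime attribute of the computer object, and the client extension resets the local password on its next Group Policy refresh once that time has passed. The error above is what the UI shows when that write is refused. The following PowerShell, added here as an example and not part of the original post, performs the same checks and the same write from the command line so that the failure surfaces as a concrete AD error instead of the UI's generic message. The OU distinguished name and computer name are placeholders; the AdmPwd.PS and ActiveDirectory modules are assumed to be installed on the machine running it. The ACL inspection reads explicit DACL entries only and does not expand group membership, so it is a diagnostic aid, not an effective-rights calculation.

```powershell
# Added example: diagnose and trigger a LAPS (legacy AdmPwd) password expiration from PowerShell.
# Not code from the original post. $ou and $computer below are assumed placeholders.
Import-Module AdmPwd.PS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$ou       = 'OU=LAPS Workstations,DC=corp,DC=example'   # assumed placeholder OU
$computer = 'WS01'                                       # assumed placeholder computer name

# 1. Which principals hold the extended right to read ms-Mcs-AdmPwd on this OU?
#    (This is what the original poster verified; it says nothing about who may WRITE the expiry.)
Write-Host "== Extended (read password) rights on $ou =="
Find-AdmPwdExtendedRights -Identity $ou | Format-List

# 2. Read the two LAPS attributes straight off the computer object.
#    An empty expiration time means the client extension has never written the object,
#    i.e. SELF permission or the GPO/CSE is not working on that host.
$obj = Get-ADComputer -Identity $computer -Properties 'ms-Mcs-AdmPwdExpirationTime', 'ms-Mcs-AdmPwd'
$rawExpiry = $obj.'ms-Mcs-AdmPwdExpirationTime'
if ($rawExpiry) {
    # The attribute is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) stored as Int64.
    $expires = [DateTime]::FromFileTimeUtc([Int64]$rawExpiry)
    Write-Host ("Current expiration (UTC): {0}  ({1})" -f $expires, $(if ($expires -lt (Get-Date).ToUniversalTime()) { 'already past' } else { 'in the future' }))
} else {
    Write-Warning "ms-Mcs-AdmPwdExpirationTime is empty on $computer; the client extension has not reported in."
}

# 3. Does my account appear in the object's DACL with write access to the expiry attribute?
#    Look up the attribute's schemaIDGUID, then filter ACEs that grant WriteProperty on that
#    GUID or on all properties (empty GUID), or GenericWrite/GenericAll.
$rootDse    = Get-ADRootDSE
$schemaAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwdExpirationTime)' -Properties schemaIDGUID
$attrGuid   = [Guid]$schemaAttr.schemaIDGUID
$acl        = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)

Write-Host "== ACEs that could allow writing ms-Mcs-AdmPwdExpirationTime on $computer =="
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll') -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, @{n='ObjectType';e={ if ($_.ObjectType -eq $attrGuid) { 'ms-Mcs-AdmPwdExpirationTime' } else { 'all properties' } }}, IsInherited |
    Format-Table -AutoSize

# 4. Do what "Expire Now" does, using the module cmdlet. A permission problem shows up here as
#    an explicit AD access-denied error rather than the UI's generic message.
try {
    Reset-AdmPwdPassword -ComputerName $computer -ErrorAction Stop
    Write-Host "Expiration written for $computer; the client resets on its next GP refresh."
} catch {
    Write-Warning "Reset-AdmPwdPassword failed: $($_.Exception.Message)"
}

# 5. Equivalent raw write, shown for clarity. Setting the FILETIME to 'now' has the same effect:
#    Set-ADComputer -Identity $computer -Replace @{ 'ms-Mcs-AdmPwdExpirationTime' = (Get-Date).ToFileTimeUtc() }

# 6. On the CLIENT, the legacy LAPS CSE logs to the Application log under the 'AdmPwd' source
#    (not under Administrative Events). Run this there, or via Invoke-Command, after a gpupdate /force:
#    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -MaxEvents 20 |
#        Format-Table TimeCreated, Id, Message -AutoSize
```

If step 2 shows an empty attribute while steps 3 and 4 succeed, the server-side permissions are fine and the problem is on the client (extension not installed, GPO not applied, or the OU lacks the SELF write permission granted by Set-AdmPwdComputerSelfPermission). If step 4 throws an access-denied error, the account running the UI lacks write access to ms-Mcs-AdmPwdExpirationTime on that computer object; Set-AdmPwdResetPasswordPermission -Identity $ou -AllowedPrincipals <group> is the module's cmdlet for granting exactly that right.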