Windows LAPS - 10024 LAPS policy is configured as disabled

Nelson Figueroa 31 Reputation points
2024-01-04T15:48:03.5+00:00

We had a working Microsoft LAPS. However, we decided we wanted Windows LAPS so we:


However, the Windows LAPS is doing nothing. The event viewer is showing successions of events 10003, 10024, and 10004. 10024 LAPS policy is configured as disabled.

[LAPS 10024](https://i.stack.imgur.com/wzz0z.png)

Moreover, the ADUC computer properties show the LAPS tab, but with a blank account name and password. [LAPS Tab](https://i.stack.imgur.com/RRq39.png)

We reran the configuration but we cannot seem to find what is amiss. We checked the Windows hotfix level and we have the "2023-11 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5032196)".

We have Windows Server 2019 but we have "Windows 2012 R2" domain functional level.


6 answers

  1. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2024-01-05T02:50:32.0166667+00:00

    Hello Nelson Figueroa,

    Thank you for posting in Q&A forum.

    1. Please check that the Windows Server Active Directory schema has been updated prior to using Windows LAPS.

    2. Please check whether you have run the command: Set-LapsADComputerSelfPermission -Identity OUname.

    3. Please check whether the problem occurs on one machine or on all the machines in the OU.

    4. Please check if the user you are using has permission to view the password.


    5. Please check if you can retrieve a password from Windows Server Active Directory via the command below.
    Get-LapsADPassword -Identity ComputerName -AsPlainText

    6. Please check if all the machines, or this machine, have the Administrator account named "iohadmin".

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

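The checks in the answer above can be run as one script. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module and the built-in LAPS module are installed, that it runs elevated on the affected domain-joined client, and that $ComputerName and $OuDn are placeholders for your own environment.

```powershell
# Added diagnostic script (not part of the original thread).
# Placeholders: $ComputerName (affected client), $OuDn (OU the policy targets).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$OuDn = 'OU=Workstations,DC=example,DC=com'
)
Import-Module ActiveDirectory, LAPS -ErrorAction Stop

# 1. Effective Windows LAPS policy. BackupDirectory 0 (or absent) means
#    "disabled", which is exactly what event 10024 reports.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
switch ($pol.BackupDirectory) {
    2       { 'Policy: back up password to Windows Server Active Directory' }
    1       { 'Policy: back up password to Microsoft Entra ID (Azure AD)' }
    default { 'Policy: BackupDirectory is 0 or not set -> LAPS disabled (event 10024)' }
}

# 2. Schema: the Windows LAPS attributes must exist (Update-LapsADSchema).
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msLAPS-PasswordExpirationTime)'
"Schema extended for Windows LAPS: $([bool]$attr)"

# 3. The computer object must grant SELF write access on the msLAPS-* attributes
#    (Set-LapsADComputerSelfPermission -Identity $OuDn). A missing or overridden
#    ACE here shows up on the client as 0x80070032 when it tries to write.
$comp = Get-ADComputer $ComputerName -Properties 'msLAPS-PasswordExpirationTime'
$acl  = Get-Acl "AD:\$($comp.DistinguishedName)"
$selfWrite = @($acl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
    $_.ActiveDirectoryRights -match 'WriteProperty'
})
"SELF WriteProperty ACEs on $($comp.DistinguishedName): $($selfWrite.Count)"
"Stored msLAPS-PasswordExpirationTime: $($comp.'msLAPS-PasswordExpirationTime')"  # empty => never written

# 4. Recent LAPS operational events (10024 = policy configured as disabled).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10003, 10004, 10024 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it once on the client and once from a management host against the same computer name; if step 1 reports disabled while the GPO is linked, the policy is not reaching the machine, and if step 3 reports zero SELF ACEs, the object's permissions are what need repair.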

  2. Franz Schenk 336 Reputation points
    2024-03-01T09:29:30.66+00:00

    Hello @nelson figueroa, have you been able to solve this problem? I have exactly the same issue. Franz


  3. Vabe 0 Reputation points
    2024-03-04T09:11:45.9233333+00:00

    Hello, I'm just joining in. Solving the same problem. Everything should be set up correctly according to the "Get started with Windows LAPS and Windows Server Active Directory" article by MS. But it's not working. The event log looks the same as the OP's. The LAPS policy is applied to the OU (and verified). The "Get-LapsADPassword -Identity ComputerName -AsPlainText" command returns nothing.


    edit my solution: it's working now. There was an error Error code: 0x80070032 on the client machine (LAPS failed to update Active Directory with the new password. The current password has not been modified.) which pointed me to right direction.

    I tried to manually add permissions to write the LAPS password, even though I had done it via PowerShell before (Set-LapsADComputerSelfPermission), and it didn't help.

    In the end my solution was "Restore defaults" under Advanced security on the computer object. It immediately started to work.

    It probably has something to do with the previous version of LAPS I was testing.

    I hope this could help you guys too.


  4. Franz Schenk 336 Reputation points
    2024-03-04T15:14:47.2966667+00:00

    I have also found the cause of the problem: the test system was on an old patch level, from November 2022, and the new LAPS was introduced in mid 2023.

    After trying with another test system and after updating birappl18, LAPS worked as expected.

    What I still can't understand, and what leads me down the wrong path, is that "Find-LapsADExtendedRights" still shows no output, despite the domain admins having the right to decrypt passwords (LAPS default configuration).

  5. Franz Schenk 336 Reputation points
    2024-03-04T15:28:24.9533333+00:00

    I was able to solve the problem: the test system was on an old patch level, November 2022. The new LAPS was introduced in mid 2023.

    What I still can't understand, and what leads me down the wrong troubleshooting path, is that Find-LapsADExtendedRights still doesn't show "Domain Admins" as a result.