Issue description   

The LAPS password column in the Workstation Computers report of ADManager Plus is empty.

Possible causes  

• Incorrect LAPS configuration: LAPS might not be correctly configured or deployed.

• Permission issues: The user account used by ADManager Plus may lack Read ms-Mcs-AdmPwd permissions to read LAPS passwords.
  

Prerequisites  

• Ensure you have admin access for ADManager Plus and server.

Resolution

Step 1: Verify permissions in ADManager Plus (if the issue affects a technician but not the built-in admin)

1. Log in to ADManager Plus as an administrator.

2. Navigate to the Delegation tab.

3. Click the Edit icon in the Actions column for the technician experiencing the LAPS issue.

4. Click Show Advanced and ensure that the Display LAPS information in reports option is checked. If it is not, check it and save the changes.

5. Have the technician log out and log back in for the changes to take effect.

Step 2: Verify the users' permissions for reading LAPS passwords

1. Open Active Directory Users and Computers (ADUC).

2. Navigate to the organizational unit (OU) where LAPS-managed computers are stored.

3. Right-click the OU and select Properties.

4. Go to the Security tab and click Advanced.

5. Locate the ADManager Plus service account and confirm it has the Read ms-Mcs-AdmPwd permission.

6. If the permission is not granted, check-in Read ms-Mcs-AdmPwd to grant permission.

7. Click Apply and restart ADManager Plus to ensure the new permissions take effect.

Step 3: Verify LAPS configuration  

1. Use PowerShell to verify that the LAPS password can be retrieved.

2. Run Get-AdmPwdPassword -ComputerName <ComputerName> command in PowerShell. Replace <ComputerName> with the name of a workstation.

Tips   

• Regularly audit and restrict access to LAPS-managed passwords to ensure only authorized personnel can retrieve them.

Related topics and articles   

• Computer reports in ADManager Plus

How to reach support