Password request not finding local admin password #234
-
|
I have setup a dedicated server to run AMS. It is joined to the domain and as far as I can tell has all the appropriate permissions after following the install guide. I only have new LAPS deployed in AD, not legacy and no agents. When I search for a computer it says "The requested computer does not have a local admin password". I am able to see the LAPS password if I go to AD and view the LAPS tab on the computer object. Not sure if this matters, but I have disabled the default local administrator account via a GPO and am using a different local admin user which is also set via GPO. Any ideas on what I may have missed? Edit: |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
@newguy127 AMS reads both new laps and old laps passwords from the directory, it doesn't matter what operating system put them there. If you are setting the message that the requested computer does not have a local admin password, that's because AMS does not have permission to read the attributes (or in the case of windows laps may not have permission to decrypt them). Check the access-manager-web-app.log file to see if its a decryption issue or not. Unfortunately, querying an attribute you don't have permission to read, just appears to the app as if the attribute is blank. But as you have visually confirmed that the passwords do exist, the only possible answer is a permissions issue. |
Beta Was this translation helpful? Give feedback.
-
|
I believe you are correct. Before I posted this I had given the service account permission to decrypt passwords but I don't think I waited long enough for the changes to take effect as I did not realize it would take about 30 min or so it seems. One note to anyone who may read this later, create a security group for decryption in the GPO and add the accounts you need to that group. You can only have one user/group in that field. I had initially added my service account only and my domain admin account lost access to decrypt passwords. Thank you for your help, Lithnet is displaying passwords for Windows 10 clients now. |
Beta Was this translation helpful? Give feedback.
@newguy127 AMS reads both new laps and old laps passwords from the directory, it doesn't matter what operating system put them there.
If you are setting the message that the requested computer does not have a local admin password, that's because AMS does not have permission to read the attributes (or in the case of windows laps may not have permission to decrypt them). Check the access-manager-web-app.log file to see if its a decryption issue or not.
Unfortunately, querying an attribute you don't have permission to read, just appears to the app as if the attribute is blank. But as you have visually confirmed that the passwords do exist, the only possible answer is a permissions issue.