I am back with a question that keeps being asked when people install LAPS.
“Question: Why do I still have a blank password and expiration time?”
- First of all, the computer has to be joined to the domain. If the computer is not domain-joined, you won't get values in those two attributes.
- Make sure that you didn't manually add the computer account in Active Directory. Some people claim that the computer is already joined to the domain, when in fact a computer account with the same computer name was created manually.
- LAPS was installed in a different way, through another deployment system.
- LAPS was installed manually. Some computers are joined to the domain, but LAPS was installed on them manually and they are unable to connect to or communicate with Active Directory.
- I recommend deploying the LAPS installation through Group Policy.
- The computers are located in a different organizational unit (OU). In a large organization you might have many computers and other inventory, which is sometimes hard to manage and cascade, so some computers may not have LAPS installed or may not have the attribute values. For example, your computers are in the HQ OU under Florida, but you have multiple 'HQ' OUs: one under the New York OU and one under Florida. The LAPS Group Policy was configured on the HQ OU in New York. This leaves you with a blank password.
- The local administrator account is misconfigured. By default, LAPS looks at the built-in account. If you configured Group Policy to use a specific account, make sure that you create that user account on the client computer.
- Make sure you have a supported OS platform. Please check the link here: https://technet.microsoft.com/en-us/mt227395.aspx.
- Please make sure that you have permission, with proper delegation of users, to view ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. Most domain users will not be able to see this, because this confidential attribute is managed only by AD administrators.
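The Active Directory side of this checklist (was the object really joined, which OU and GPOs apply, are the attributes empty or just unreadable) can be scripted. The following is an added example, not part of the original post or of the LAPS tooling; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the function name `Test-LapsComputer` and the computer name are hypothetical.

```powershell
# Added example (not from the original post). Needs the RSAT ActiveDirectory and
# GroupPolicy modules and an account delegated to read ms-Mcs-AdmPwd.
Import-Module ActiveDirectory, GroupPolicy

function Test-LapsComputer {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$ComputerName)

    $props = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime',
             'OperatingSystem', 'lastLogonTimestamp'
    try   { $c = Get-ADComputer -Identity $ComputerName -Properties $props -ErrorAction Stop }
    catch { return [pscustomobject]@{ Computer = $ComputerName; Finding = 'No computer object in AD' } }

    # Parent OU/container: the DN with the leading "CN=<name>," removed.
    $ou = $c.DistinguishedName -replace '^CN=[^,]+,', ''

    # GPOs that apply at that location, so a LAPS policy linked to a different
    # "HQ" OU shows up as missing here. Plain containers such as CN=Computers
    # cannot have GPO links, so Get-GPInheritance fails there.
    try   { $gpos = (Get-GPInheritance -Target $ou -ErrorAction Stop).InheritedGpoLinks.DisplayName }
    catch { $gpos = @('(not an OU: only domain-level GPOs apply)') }

    $hasPwd = [bool]$c.'ms-Mcs-AdmPwd'
    $expiry = $c.'ms-Mcs-AdmPwdExpirationTime'

    # Heuristics, assuming default LAPS permissions: the expiration time is
    # readable more widely than the password, and a pre-created object that was
    # never joined has no OS or logon data. Treat the result as a hint.
    $finding = if ($hasPwd) {
        'Password is stored and readable'
    } elseif ($expiry) {
        'Expiration set, password blank: check your read delegation on ms-Mcs-AdmPwd'
    } elseif (-not $c.OperatingSystem -and -not $c.lastLogonTimestamp) {
        'Object looks pre-created and never joined'
    } else {
        'Joined but LAPS never wrote a password: check GPO scope and client install'
    }

    [pscustomobject]@{
        Computer        = $c.Name
        OU              = $ou
        OperatingSystem = $c.OperatingSystem
        PasswordStored  = $hasPwd
        ExpiresUtc      = if ($expiry) { [datetime]::FromFileTimeUtc($expiry) }
        AppliedGpos     = $gpos -join '; '
        Finding         = $finding
    }
}

# 'PC-EXAMPLE01' is a constructed computer name.
Test-LapsComputer -ComputerName 'PC-EXAMPLE01' | Format-List
```

Compare the `AppliedGpos` list with the name of your LAPS policy: if it is absent, the computer sits in an OU the policy is not linked to.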
Here is an example screenshot of the software deployment via Group Policy.