Fix Windows LAPS Decrypt Error: Quick Password Solution
Jun 1, 2024 12:14 PM


by HubSite 365 about ALI TAJRAN


Solve LAPS Decrypt Error: Steps to Enable Admin Password Access

Key insights

  • Understand the causes of the LAPS password decryption issue and how user permissions impact visibility of encrypted passwords.
  • Create a security group in Active Directory to manage permissions related to LAPS password decryption.
  • Utilize PowerShell commands to configure LAPS read and reset permissions effectively.
  • Configure the Group Policy settings to add security group to the Authorized password decryptors policy.
  • Verify the configuration by signing in again and checking that the LAPS tab shows the previously encrypted password information.

The blog post delves into a pertinent issue faced by administrators using Windows Local Administrator Password Solution (LAPS) — specifically, an error related to decrypting the password of a LAPS account. It highlights a common scenario where the LAPS account's admin name and password fields appear empty for some users. The cause is linked to insufficient permissions to decrypt the LAPS password.

To resolve this, the post walks through a step-by-step process. Recognizing the importance of security permissions, it guides the reader through creating a dedicated security group with specific AD permissions, adjusting Group Policy settings, and verifying the setup to ensure functionality. This comprehensive guide is crucial for IT administrators who need to manage and secure admin passwords in a domain environment.

Windows LAPS Overview

Windows LAPS (Local Administrator Password Solution) is a security tool developed by Microsoft to automate the management of local administrator passwords on domain-joined Windows systems. LAPS ensures each administered machine has a unique administrator password, and that these passwords are securely stored and centrally managed. 

After setting up Microsoft's Local Administrator Password Solution (LAPS), some administrators noticed inconsistencies: while some could view the LAPS local admin account name and password, others found these fields empty. This issue stems from a lack of decrypt permissions, and resolving it involves a series of permissions and policy settings.

The process begins with identifying and analyzing the error in the computer object's properties in Active Directory. Administrators facing this error see a warning on the LAPS tab indicating that the account's password is encrypted but the signed-in user lacks the permission needed to decrypt it. This typically affects users who are not Domain Admins, such as those in help desk roles.

  • First, establish a security group in Active Directory to encompass users needing access and set the necessary read and reset permissions on LAPS passwords.
  • Next, acquire the security group SID using PowerShell.
  • Then, utilize the obtained SID to configure LAPS read and reset password permissions using specific PowerShell commands.
  • Following this, amend the Group Policy settings to include the security group as authorized password decryptors.
  • Finally, verify the configurations by accessing the computer properties via Active Directory and ensure the LAPS tab displays the correct information post adjustment.
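The five steps above as one PowerShell session, written as an added example for this page (it is not the original article's script). The group name LAPS-Password-Readers, the OU path, the GPO name "LAPS Policy" and the computer PC01 are assumed placeholders; the cmdlets come from the ActiveDirectory, GroupPolicy and Windows LAPS modules.

```powershell
# Added example, not from the original article. Assumed names: the group
# "LAPS-Password-Readers", the OU "OU=Workstations,DC=corp,DC=example",
# the GPO "LAPS Policy" and the computer "PC01". Run on a domain-joined
# admin host where the ActiveDirectory, GroupPolicy and LAPS modules load.
Import-Module ActiveDirectory, GroupPolicy, LAPS

$groupName = 'LAPS-Password-Readers'
$ou        = 'OU=Workstations,DC=corp,DC=example'
$gpoName   = 'LAPS Policy'

# Step 1: a dedicated security group holds the read/reset/decrypt rights, so
# "who can read local admin passwords?" becomes a group-membership question
# that is easy to audit, instead of being tied to Domain Admins.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}

# Step 2: fetch the group's SID; the decryptor policy is set by SID so a
# later rename of the group does not break decryption.
$group = Get-ADGroup -Identity $groupName
$sid   = $group.SID.Value
Write-Output "Group SID: $sid"

# Step 3: delegate read and reset on the LAPS attributes for computers in
# the OU (this is what controls the "empty fields" symptom for non-admins).
$principal = "$env:USERDOMAIN\$groupName"
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $principal
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $principal

# Step 4: the stored password blob is encrypted to the principal named in the
# "Configure authorized password decryptors" policy. Setting the registry-
# backed policy value on the GPO is equivalent to editing it in the GPMC UI.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Microsoft\Policies\LAPS' `
    -ValueName 'ADPasswordEncryptionPrincipal' -Type String -Value $sid

# Step 5: verify. Find-LapsADExtendedRights lists who holds the LAPS rights
# on the OU; Get-LapsADPassword must be run as a group member after a fresh
# sign-in, because the logon token only carries memberships present at logon.
Find-LapsADExtendedRights -Identity $ou
Get-LapsADPassword -Identity 'PC01' -AsPlainText
```

If the password for a machine still will not decrypt after the policy refresh, rotate it once on that client with Reset-LapsPassword so the new value is encrypted under the updated decryptor principal.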

The outlined steps help secure and streamline the decryption process, ensuring that only authorized personnel have access to sensitive account information. This setup not only reinforces security protocols within an organization but also adheres to best practices in managing administrative passwords and encryption settings.


Read the full article How to fix Windows LAPS account password decrypt permission error

Windows - Fix Windows LAPS Decryption Error: Step-by-Step Guide


Understanding Microsoft LAPS Security and Management

Microsoft's Local Administrator Password Solution (LAPS) offers a robust mechanism for managing the local administrator passwords of domain-joined computers, thereby enhancing security by assigning a different, random password to the local administrator on each machine across a network. This addresses a common issue in IT security where identical administrator passwords are reused across a network, which makes it vulnerable to lateral movement attacks. LAPS automatically manages password storage and changes, ensuring that passwords are complex and periodically refreshed. Deploying LAPS involves configuring Active Directory settings and permissions appropriately. By restricting access to password decryption, organizations can ensure that sensitive information remains secure and accessible only to designated users. Overall, LAPS is a critical component in fortifying an organization's cybersecurity framework, providing both security enhancements and simplified management of account credentials.


People also ask

Questions and Answers about Microsoft 365

Why is my LAPS password not working?

Answer: To resolve this, examine the existing password policies on the machine by utilizing the net accounts command in the command prompt. Make sure these policies correspond with the LAPS enforced configuration, specifically regarding password complexity, length, and age requirements.

How do I delegate permissions to reset user passwords in Active Directory?

Answer: To delegate these permissions, right-click on the desired object in Active Directory and choose the 'Delegate Control' option.

How to access LAPS password?

Answer: To access the LAPS password, visit the Azure portal and proceed to Devices > All Devices > Local administrator password recovery (Preview). Select the device in question and click on 'Show local administrator password'.

Is LAPS password encrypted?

Answer: Yes, encryption for the LAPS password utilizes the Cryptography API: Next Generation Data Protection API (CNG DPAPI). This supports various encryption modes, although in the case of Windows LAPS, it specifically encrypts passwords against a single Windows Server Active Directory security principal (either a user or a group).
