Re: LAPS configuration - Lansweeper Community

tgrignon1 · ‎07-12-2023

We just updated Lansweeper to 10.6 and gained LAPS credentials. The service is already configured and used in our domain.

When I try the credentials from Lansweeper.TestTools.App.exe, I get an error. I used different Domain Admins users.

["Successfully connected to mcmsrvdc06.xxxx using powershell.","Found LAPS GPO on mcmsrvdc06.xxxx.","No LAPS credentials found for PCMLAP022.xxxx."]

I tried other domain controller, by IP, hostname of the client, FQDN... nothing works.

I can see the attributes in the object

I don't have any error nowhere... is there something I can do?

Obi_1_Cinobi · ‎07-12-2023

Hello there!

Can you try the following on your Domain Controller:

Install the LAPS client tools from Microsoft (https://www.microsoft.com/en-us/download/details.aspx?id=46899)
Install the PowerShell module:
- PS C:\WINDOWS\system32> Import-module AdmPwd.PS
Retrieve the password (run as the account in Lansweeper) :
- PS C:\WINDOWS\system32> Get-AdmPwdPassword -computername computername_here

tgrignon1 · ‎07-12-2023

Works.

But it takes me on other way. I thinking : if Lansweeper use Remote Powershell, should be the module imported into Domain Controller? Because all test was into a jump box with different pre-installed modules.

I make the verification and the module was not installed into the remote DC, I installed it and retried Lansweeper. Test and WORKS! This information should be included into the KB of Lansweeper.

But I get new errors, credentials not working :

Obi_1_Cinobi · ‎07-12-2023

Hello there!

Could you perhaps reach out to support, as we might need to turn on debug mode to see what is causing the new error: https://www.lansweeper.com/contact-support/

tgrignon1 · ‎07-12-2023

I Found my problem ! And it needs to be added to the KB.

1. Install-Module AdmPwd.PS should be launch on the remote Domain Controller

2. You need to disable Remote UAC on the client side

Disabling Remote UAC on Individual Computers:

On the target computer(s), open Regedit.exe and navigate to:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.
A reboot is recommended but not required, however, restarting the Server service is necessary.

Disabling Remote UAC via Group Policy:

Open the Group Policy Management Console.
Under Group Policy Objects, create a new policy and name it accordingly.
Open the new GPO and navigate to:
- Computer Configuration > Preferences > Windows Settings > Right Click Registry > New > Registry Item.
  - Configure the following options in the New Registry Properties Window:
    - Action: Create
    - Hive: HKEY_LOCAL_MACHINE
    - Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    - Value Name: LocalAccountTokenFilterPolicy
    - Value Type : REG_DWORD
    - Value Data : 1
Link the new GPO to the any computer OUs that you wish to apply the new settings to.

Obi_1_Cinobi · ‎07-12-2023

Hello there!

Thank you for sharing. We will provide this information to our KB team so they can review this!

dklein42 · ‎08-11-2023

Hi,

I can't believe that this should be the solution. LAPS is an important feature to improve the security. The UAC also. From my point of view, the management of LAPS in Lansweeper make no sense, when if I have to disable the UAC.
BR

LAPS configuration

Disabling Remote UAC on Individual Computers:

Disabling Remote UAC via Group Policy:

General Discussions

New to Lansweeper?

Try Lansweeper For Free