
How to fix Windows LAPS account password decrypt permission error

After implementing Windows LAPS, some administrators can see the LAPS local admin account name and password, while others see both fields empty. Why is this happening, and what is the solution to it? In this article, you will learn how to fix Windows LAPS account password decrypt permission error.

You do not have permission to decrypt account password

Let’s look at the error that appears.

Start Active Directory Users and Computers and go to the computer properties for which you want to retrieve the LAPS password. Click on the LAPS tab.

LAPS tab in Active Directory Users and Computers properties

The warning appears:

The account’s password is encrypted but you do not have permissions to decrypt it.

The LAPS local admin account name and LAPS local admin account password fields are both empty. However, we want to see both fields populated.

LAPS local admin account empty values

Why is this happening, and how to fix the warning message The account’s password is encrypted but you do not have permissions to decrypt it?

Solution for Windows LAPS account password decrypt permission error

If you Configure Windows LAPS and sign in with an account that is a member of Domain Admins, you will not see this warning. That is because Windows LAPS encrypts the password to an authorized decryptor, and when the Configure authorized password decryptors policy is not configured, the decryptor defaults to the Domain Admins group.

The warning appears because the user account signed in to retrieve the LAPS local admin account name and password is not a member of Domain Admins, so it cannot decrypt the stored password. For example, the users from the help desk team do not have Domain Admin permissions assigned, and they should not get them just to read LAPS passwords.

To fix this warning, create a security group and add the users that need access. Next, grant that group the LAPS read and reset permissions on the OU that holds the computer objects. Finally, add the group to the Configure authorized password decryptors policy so that new passwords are encrypted to the group instead of to Domain Admins.

Step 1. Create a security group

Create a security group in Active Directory Users and Computers.

Create a Windows LAPS security group

Add the members to the group. Also add Domain Admins, because once the policy names an explicit decryptor, Domain Admins is no longer the default decryptor; this group will then be the only group able to read and reset the LAPS password.

Add members to Windows LAPS security group

Step 2. Get Security Group SID

Find the security group SID with the Get-ADGroup cmdlet from the ActiveDirectory module in PowerShell.

Get-ADGroup "Windows_LAPS"

The output appears with the group SID.

DistinguishedName : CN=Windows_LAPS,OU=AD,OU=Groups,OU=Company,DC=exoip,DC=local
GroupCategory     : Security
GroupScope        : Universal
Name              : Windows_LAPS
ObjectClass       : group
ObjectGUID        : 05c3f8a0-4f46-4441-ab41-796538b45a82
SamAccountName    : Windows_LAPS
SID               : S-1-5-21-1083891243-2317051905-4228426097-3278

Copy the security group SID value, you will need to use it in the next steps.

Step 3. Set LAPS permissions

Replace the security group SID in both commands and run them in PowerShell on a domain controller or a management server with the LAPS PowerShell module installed. The -Identity parameter is the OU that contains the computer objects; the permissions are set on the OU and inherited by the computer objects below it.

The Set-LapsADReadPasswordPermission cmdlet grants the group read access to the Windows Local Administrator Password Solution (LAPS) password attributes on those computer objects.

Set-LapsADReadPasswordPermission -Identity "OU=Company,DC=exoip,DC=local" -AllowedPrincipals @("S-1-5-21-1083891243-2317051905-4228426097-3278")

The Set-LapsADResetPasswordPermission cmdlet grants the group write access to the Windows Local Administrator Password Solution (LAPS) password expiration time attribute. A reset is requested by expiring the password; the client rotates it on its next policy processing cycle.

Set-LapsADResetPasswordPermission -Identity "OU=Company,DC=exoip,DC=local" -AllowedPrincipals @("S-1-5-21-1083891243-2317051905-4228426097-3278")

Step 4. Configure authorized password decryptors policy

Open Group Policy Management.

Navigate to Computer Configuration > Policies > Administrative Templates > System > LAPS.

Configure authorized password decryptors policy

Open the Configure authorized password decryptors policy in the LAPS policy you already deployed to the computers, set it to Enabled, and add the security group SID to the Authorized password decryptor field. The SID is preferred over the group name because it stays valid if the group is renamed.

In our example, it's:

S-1-5-21-1083891243-2317051905-4228426097-3278

Enable authorized password decryptors policy

Step 5. Verify your work

Important: Group membership is evaluated at sign-in, so sign out and sign in again on the Management Server or the Domain Controller for the new permissions to take effect.

Also note that Windows LAPS encrypts each stored password to the authorized decryptor that was in effect when the client encrypted it. A password that was backed up before the policy change therefore remains readable only by the previous decryptor (Domain Admins). After the client has picked up the new policy (run gpupdate /force on the client), trigger a rotation with Reset-LapsPassword on the client, or expire the password from the management server with Set-LapsADPasswordExpirationTime. From that rotation onwards, members of the new group can decrypt the password; Get-LapsADPassword shows which principal a stored password is encrypted to in its AuthorizedDecryptor property.

Start Active Directory Users and Computers. Go to the computer properties and click on the LAPS tab. The error no longer shows up, and the LAPS local admin account name and password values appear.

LAPS local admin account values available
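The following PowerShell script is an added example that carries out Steps 1 to 5 end to end and is not code from the original article. It assumes hypothetical names (group Windows_LAPS, the OUs from the Get-ADGroup output above, a HelpDesk group as member, a GPO named "Windows LAPS" that is already linked to the computer OU, and a test computer PC01), and it requires the ActiveDirectory RSAT module plus the built-in LAPS module. It goes one step beyond the article by also listing who holds the LAPS extended rights on the OU and by checking the decryption status and authorized decryptor of a stored password.

```powershell
#Requires -Modules ActiveDirectory, LAPS
# Added example, not from the original article. Run as a Domain Admin on a DC or
# management server. All names below are assumptions; change them for your domain.

$GroupName    = 'Windows_LAPS'
$GroupPath    = 'OU=AD,OU=Groups,OU=Company,DC=exoip,DC=local'
$ComputerOU   = 'OU=Company,DC=exoip,DC=local'   # OU holding the computer objects
$Members      = @('HelpDesk', 'Domain Admins')   # Domain Admins must stay able to decrypt
$GpoName      = 'Windows LAPS'                   # assumption: existing GPO linked to $ComputerOU
$TestComputer = 'PC01'                           # assumption: a LAPS-managed computer

# Step 1: create the security group if it does not exist yet, then add the members.
$group = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Universal -Path $GroupPath -PassThru
}
Add-ADGroupMember -Identity $group -Members $Members

# Step 2: take the SID from the group object instead of copying it by hand.
$sid = $group.SID.Value
Write-Host "Group SID: $sid"

# Step 3: grant read and reset rights on every computer object under the OU.
Set-LapsADReadPasswordPermission  -Identity $ComputerOU -AllowedPrincipals @($sid)
Set-LapsADResetPasswordPermission -Identity $ComputerOU -AllowedPrincipals @($sid)

# Check the result: which principals now hold the LAPS extended rights on the OU.
Find-LapsADExtendedRights -Identity $ComputerOU |
    Select-Object ObjectDN, ExtendedRightHolders | Format-List

# Step 4: set "Configure authorized password decryptors" in the GPO. The setting is
# backed by the ADPasswordEncryptionPrincipal string value under the LAPS policy key.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Microsoft\Policies\LAPS' `
    -ValueName 'ADPasswordEncryptionPrincipal' -Type String -Value $sid | Out-Null

# Expire the current password so the client rotates it after it picks up the new
# policy. Passwords stored before the change are still encrypted to Domain Admins.
Set-LapsADPasswordExpirationTime -Identity $TestComputer

# Step 5: verify. Run this part in a NEW session as a member of the group, after the
# client has rotated its password (gpupdate /force on the client, then wait for the
# next LAPS processing cycle or run Reset-LapsPassword on the client).
$pw = Get-LapsADPassword -Identity $TestComputer -AsPlainText
if ($pw.DecryptionStatus -ne 'Success') {
    Write-Warning ("Cannot decrypt yet: status {0}, encrypted to {1}" -f
        $pw.DecryptionStatus, $pw.AuthorizedDecryptor)
}
$pw | Select-Object ComputerName, Account, AuthorizedDecryptor, Source,
    DecryptionStatus, PasswordUpdateTime, ExpirationTimestamp
```

If the verification still reports Unauthorized, compare the AuthorizedDecryptor value with the group SID: a password encrypted to the old decryptor (Domain Admins) will only become readable by the new group after the client has rotated it under the updated policy.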

That’s it!

Read more: Configure Microsoft Entra Password Protection for on-premises »

Conclusion

You learned how to fix the "account's password is encrypted but you do not have permission to decrypt it" error. First, create a security group and add all the users that should be able to see and reset the LAPS password, including Domain Admins. Next, grant the group the LAPS read and reset permissions on the computer OU with Set-LapsADReadPasswordPermission and Set-LapsADResetPasswordPermission. After that, configure the LAPS group policy Configure authorized password decryptors and add the group SID to it. Remember to sign out and sign back in for the permissions to take effect, and that passwords stored before the change stay readable only by the previous decryptor until the client rotates them.

Did you enjoy this article? You may also like How to Create an Active Directory Security Assessment report. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »
