Affected versions: Windows Server 2019


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Local Administrator Password Solution (LAPS) fails to rotate the local admin password on Windows Server 2019 members, leaving stale or default credentials in use.

Environment & Reproduction

Commonly seen after the agent is installed on hosts whose computer objects lack the required AD permissions, or that fall outside the GPO's targeting.

Get-AdmPwdPassword -ComputerName SRV01
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 20

Root Cause Analysis

Causes include missing AD permissions on computer objects, agent not installed, or GPO not applied to the right OU.

Quick Triage

Check LAPS client and AD attribute health.

Get-Module -ListAvailable -Name AdmPwd.PS
Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"   # default CSE path used by the legacy LAPS MSI
Get-AdmPwdPassword -ComputerName SRV01
Get-ADComputer SRV01 -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime

Step-by-Step Diagnosis

Validate GPO scope and SELF permissions on computer objects.

gpresult /h C:\Temp\gp.html /f
Find-AdmPwdExtendedRights -Identity 'OU=Servers,DC=corp,DC=local'
Get-Acl 'AD:\CN=SRV01,OU=Servers,DC=corp,DC=local' | Format-List

Solution – Primary Fix

Reinstall agent, grant SELF write rights, and force password reset.


Set-AdmPwdComputerSelfPermission -Identity 'OU=Servers,DC=corp,DC=local'
Reset-AdmPwdPassword -ComputerName SRV01
gpupdate /force

Solution – Alternative Approaches

Migrate to the modern Windows LAPS stack (built into the OS) if the legacy Microsoft LAPS agent (AdmPwd) is end-of-life. On Windows Server 2019 the Windows LAPS cmdlets and policy engine are only present once the April 2023 cumulative update is installed.

Update-LapsADSchema
Set-LapsADComputerSelfPermission -Identity 'OU=Servers,DC=corp,DC=local'
Invoke-LapsPolicyProcessing

Verification & Acceptance Criteria

The password attribute is updated and the expiration timestamp moves forward to the next scheduled rotation.

Get-ADComputer SRV01 -Properties ms-Mcs-AdmPwdExpirationTime
Get-AdmPwdPassword -ComputerName SRV01

Rollback Plan

Reapply prior agent or schema settings if rollout disrupts other tooling.

Get-Package -Name 'Local Administrator Password Solution' | Uninstall-Package   # product name as installed by the legacy LAPS MSI
Reset-AdmPwdPassword -ComputerName SRV01

Prevention & Hardening

Standardise on Windows LAPS, audit OUs, and alert on stale expiration timestamps.

Get-ADComputer -Filter * -SearchBase 'OU=Servers,DC=corp,DC=local' -Properties ms-Mcs-AdmPwdExpirationTime | Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' -and ([DateTime]::FromFileTime($_.'ms-Mcs-AdmPwdExpirationTime') -lt (Get-Date).AddDays(-30)) }
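An added audit script, not part of the original article, that generalises the one-liner above: it walks an OU, converts the 64-bit FileTime stored in ms-Mcs-AdmPwdExpirationTime before comparing it, and flags both computers whose expiry is older than a grace period and computers with no value at all (never rotated, the symptom this article covers). The OU path and the 30-day threshold are assumptions.

```powershell
# Added example: audit legacy LAPS rotation state across an OU.
# Assumptions: RSAT ActiveDirectory module present; OU path and grace period are placeholders.
param(
    [string]$SearchBase = 'OU=Servers,DC=corp,DC=local',
    [int]$GraceDays     = 30
)

Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays(-$GraceDays)
$attr   = 'ms-Mcs-AdmPwdExpirationTime'

Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $attr, OperatingSystem |
    ForEach-Object {
        $raw = $_.$attr
        if ($null -eq $raw) {
            # Attribute never written: agent missing, GPO not applied, or SELF lacks write rights
            $state  = 'NeverRotated'
            $expiry = $null
        } else {
            # The attribute is a Windows FileTime (Int64), not a DateTime; convert before comparing
            $expiry = [DateTime]::FromFileTime([int64]$raw)
            $state  = if ($expiry -lt $cutoff) { 'Stale' }
                      elseif ($expiry -lt $now) { 'Overdue' }
                      else { 'Healthy' }
        }
        [PSCustomObject]@{
            Computer   = $_.Name
            OS         = $_.OperatingSystem
            Expiration = $expiry
            State      = $state
        }
    } |
    Where-Object { $_.State -ne 'Healthy' } |
    Sort-Object State, Expiration |
    Format-Table -AutoSize
```

Feed the output into your alerting pipeline; a non-empty NeverRotated list after the GPO refresh interval is the earliest signal that the fix in this article has not taken effect.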

Related Errors & Cross-Refs

Linked with GPO denied issues, password policy enforcement, and JIT admin workflows.


References & Further Reading

Microsoft Learn: Windows LAPS migration and Microsoft LAPS legacy product guidance.

