{"id":76,"date":"2026-03-22T12:47:20","date_gmt":"2026-03-22T12:47:20","guid":{"rendered":"https:\/\/overlaps.co.uk\/docs\/?page_id=76"},"modified":"2026-04-02T10:47:42","modified_gmt":"2026-04-02T09:47:42","slug":"laps-debug","status":"publish","type":"page","link":"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/configuration\/laps-debug\/","title":{"rendered":"LAPS Debug"},"content":{"rendered":"\n
\"A
LAPS Debug Setup<\/figcaption><\/figure>\n\n\n\n

If you are having problems with OVERLAPS reporting that LAPS passwords are not set or cannot be retrieved, you can use this section to query a specific Organizational Unit for its LAPS permissions.<\/p>\n\n\n\n

With the results, you should be looking either for the OVERLAPS server itself, or a group that the server belongs to, and checking that it has the required Read permission on the \u201cms-Mcs-AdmPwd\u201d property and Read\/Write permission on the \u201cmc-Mcs-AdmPwdExpirationTime\u201d property.<\/p>\n\n\n\n

If you do not find this, then additional configuration is required to allow OVERLAPS to access the properties. For more information on this, see Active Directory Permissions<\/a>.<\/p>\n\n\n\n

The Username<\/strong> and Password<\/strong> fields are optional. Leaving them blank will make OVERLAPS carry out the scan using its own credentials, which is the best way for testing your permissions.<\/p>\n\n\n\n

Scanning a Container<\/h2>\n\n\n\n
\"Screenshot
LAPS Debug Container Scan Results<\/figcaption><\/figure>\n\n\n\n

Running the scan on a Active Directory container will attempt to connect to the container object and find any LAPS-specific permissions set on it. Here you can see two groups have been setup with read\/write permission to the various legacy LAPS and Windows LAPS attributes, and the third entry (“NT AUTHORITY\\SELF”) is set by LAPS to allow computers to update their own password information.<\/p>\n\n\n\n

Scanning a Computer<\/h2>\n\n\n\n
\"Screenshot
LAPS Debug Computer Scan Results<\/figcaption><\/figure>\n\n\n\n

Running the scan on a specific computer instead will carry out the same tests as a Container scan, but will also attempt to read the LAPS password and expiry time. If this is successful then your permissions are setup correctly.<\/strong><\/p>\n\n\n\n

Note that the password is obscured automatically for security reasons, but as with bulk password retrieval you can reveal it by hovering your mouse over it or clicking on it.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you are having problems with OVERLAPS reporting that LAPS passwords are not set or cannot be retrieved, you can use this section to query a specific Organizational Unit for its LAPS permissions. With the results, you should be looking either for the OVERLAPS server itself, or a group that the server belongs to, and […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":60,"menu_order":700,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-76","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/76","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/comments?post=76"}],"version-history":[{"count":2,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/76\/revisions"}],"predecessor-version":[{"id":411,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/76\/revisions\/411"}],"up":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/60"}],"wp:attachment":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/media?parent=76"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}