Unable to use LAPS

Hi there,

I have followed several tutorials on how to enable LAPS in our UCS environment.
We raised the domain functional level to Windows Server 2016, extended the active directory schema to add the necessary attributes to objects and we also updated the permissions of the organizational units so that computer objects may update their own password attributes as described in numerous tutorials.
Now I have finally managed to deploy a PowerShell script via group policy that creates a local admin account, and I also created a group policy object that configures LAPS on my test clients.

Using rsop.msc I can confirm that all policies are applied correctly.

Now whenever I run
Invoke-LapsPolicyProcessing -verbose
or
Reset-LapsPassword
I get the error message hr:0x80090034. There is absolutely no info to obtain on that in this specific context, since this is one of those ambiguous nonsense Microsofty error messages that could mean anything.

Digging deeper I ran
Get-LapsDiagnostics
In the zip file, I found some logs.
There was a hint that said:
“This problem can occur if there is no KDS-Rootkey available…” and that I could run “Get-KdsRootKey” to get one.
I ran the command; it did not fail, but it didn’t solve the problem.

I hope someone on this forum maybe already set this up and can help me out.

Additional Info:
We’re running UCS 5.2-3
Roughly 3 years ago we migrated from a Windows domain that had existed since 2003 to a purely UCS domain using AD-Takeover.

Greetings and a happy new year to everyone

Joe

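A diagnostic I would run on the affected client at this point (an added example, not from the post above and not Univention or Microsoft code): it reads the applied Windows LAPS policy from its documented registry location and, when encrypted AD backup is enabled, checks the two prerequisites Microsoft documents for it, domain functional level 2016 and a KDS root key that is already effective. It assumes the RSAT ActiveDirectory module and the Kds cmdlets are available on the machine.

```powershell
# Added diagnostic (not part of the original post). hr 0x80090034 is NTE_ENCRYPTION_FAILURE,
# i.e. the client failed while encrypting the password blob, so this focuses on that path.
$lapsKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'   # documented Windows LAPS policy location
$policy  = Get-ItemProperty -Path $lapsKey -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No Windows LAPS policy found under $lapsKey; re-check rsop.msc / gpupdate first."
    return
}

# Show the settings that decide which backup path the client takes.
$policy | Select-Object BackupDirectory, ADPasswordEncryptionEnabled,
    ADPasswordEncryptionPrincipal, PasswordAgeDays | Format-List

if ($policy.ADPasswordEncryptionEnabled -eq 1) {
    # Encrypted AD backup needs domain functional level 2016+ ...
    $domain = Get-ADDomain
    if ($domain.DomainMode -lt 'Windows2016Domain') {
        Write-Warning "Domain mode is $($domain.DomainMode); encryption needs Windows2016Domain or higher."
    }

    # ... and a KDS root key whose EffectiveTime is already in the past. Add-KdsRootKey defaults
    # the EffectiveTime to 10 hours after creation, so a freshly created key is not usable yet.
    $now  = Get-Date
    $keys = Get-KdsRootKey
    if (-not $keys) {
        Write-Warning 'No KDS root key exists in this domain.'
    }
    elseif (-not ($keys | Where-Object { $_.EffectiveTime -le $now })) {
        $next = ($keys | Sort-Object EffectiveTime | Select-Object -First 1).EffectiveTime
        Write-Warning "KDS root key(s) exist but none is effective yet; earliest becomes usable at $next."
    }
    else {
        'KDS root key present and effective; encryption prerequisites look satisfied.'
    }
}
else {
    'ADPasswordEncryptionEnabled is 0: the AD backup path does not use the KDS root key.'
}
```

If the policy shows encryption enabled and both checks pass, the failure lies elsewhere in the encryption step and the Get-LapsDiagnostics logs are the next place to look.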