LAPS manages the password of the local administrator account on domain-joined clients and servers and stores it in Active Directory; the settings are delivered by GPO. If you want to deploy LAPS to workstations only, and not to servers or domain controllers, link the policy to an OU that contains only the computers you want managed.
Author: Bob Lin
Can or should we install LAPS on Domain Controller?
LAPS-managed computers can be any domain-joined computer: domain-joined clients, member servers, and domain controllers. These are the steps to configure LAPS:
1 Installation of GP CSE (Group Policy Client Side Extension) via MSI installation
1-1 On management computers
1-2 On clients to be managed
2 AD preparation
2-1 schema extension
2-2 Permission updates
3 Group policy configuration
How to renew or reactivate certificate
In this article we use an ssls.com certificate as an example to show how to renew or reactivate a certificate.
1. Log in to your account on the certificate authority's website and find the renew or reactivate page, perhaps under MY SSL.
2. Click Renew or Reactivate.
3. In Reissue for: Verify that the domain name you want a reissued certificate for is correct.
4. Save private key: You have two options, download a new key automatically generated in your browser (this is the default) or submit a manually generated CSR.
Note: The private key will be downloaded to the local computer, perhaps to the Downloads folder.
5. Complete Domain Control Validation (DCV)
Before the Certificate Authority (CA) can issue an SSL certificate, it needs to verify that the organization or individual has the right to receive a certificate for that domain.
You may have three options:
Email Validation — receive an email at a domain-based or whois email.
HTTP Validation — upload the validation file at your host.
DNS Validation — set up a CNAME record in the domain’s DNS zone.
6. Choose approval email
In our example, select “Receive an email” as the domain control validation method. The email is sent to the contact address from WHOIS or to one of the following generic domain-based addresses:
- admin@
- administrator@
- postmaster@
- webmaster@
- hostmaster@
7. Domain Control Validation by email.
The organization administrator may receive the email. It looks like this.
8. Follow the email link to complete DCV.
9. You should receive the Certificate after DCV
It may take a few minutes. It looks like this email.
Note: You can also download the certificate from the CA's website.
10. Install Certificate in Windows server using MMC
Step 1: Run Microsoft Management Console (MMC).
Step 2. Add Snap-in
Step 3. Add Certificate.
Step 4. Check Computer account.
Step 5. Import Certificate, for example Highlight Personal>All Tasks>Import.
Step 6. Click Next in Welcome to the Certificate Import Wizard and make sure Local Machine is checked.
Step 7. Follow the wizard to complete the import.
11. Check the certificate by double-clicking the imported certificate.
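The MMC wizard imports the certificate but does not tell you whether the private key came with it or whether the chain builds. This added PowerShell check (not part of the original article) finds the newest server-authentication certificate for a host name in the Local Machine Personal store and reports those details; the host name is a placeholder.

```powershell
# Added example, not from the article: verify a certificate after it has been imported
# into Cert:\LocalMachine\My (by MMC or by Import-PfxCertificate).
# Requires Windows 8 / Server 2012 or later for the -DnsName and -SSLServerAuthentication filters.
function Test-InstalledServerCertificate {
    param([Parameter(Mandatory)] [string] $DnsName)

    # Newest certificate issued for this name that is usable for server authentication.
    $cert = Get-ChildItem Cert:\LocalMachine\My -DnsName $DnsName -SSLServerAuthentication |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No server-authentication certificate for $DnsName in LocalMachine\My" }

    # Build the chain the way a connecting client would, including an online revocation check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        # False means only the CA's .crt was imported; import the certificate together with
        # the private key downloaded in step 4 (as a .pfx) so IIS/Exchange can use it.
        HasPrivateKey = $cert.HasPrivateKey
        ChainValid    = $chainOk
        ChainStatus   = $status
    }
}

# Placeholder host name; replace with the name on the reissued certificate.
$result = Test-InstalledServerCertificate -DnsName 'www.example.com'
$result | Format-List
if (-not $result.HasPrivateKey) { Write-Warning 'Certificate has no private key; services cannot use it.' }
if (-not $result.ChainValid)    { Write-Warning "Chain did not build: $($result.ChainStatus)" }
```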
How to add multiple email addresses to a domain account
Situation: The client has multiple email addresses for their users. They would like to know how to setup multiple email addresses for each domain account.
Resolution: we can edit the proxyAddresses attribute with Attribute Editor in Active Directory Users and Computers.
1. Make sure Advanced Features is checked under View in Active Directory Users and Computers.
2. Right-click the user account and click Properties.
3. Click on Attribute Editor.
4. Highlight proxyAddresses and click on Edit.
5. Add your default (primary) email address with the prefix SMTP: in upper case, and the other email addresses with the prefix smtp: in lower case.
6. Click OK to save the settings.
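The same change scripted for a batch of users, as an added example that is not part of the original article. It assumes the ActiveDirectory RSAT module and rights to modify the user; it enforces the upper-case/lower-case rule above, refuses to write duplicate addresses, and checks that no other object in the domain already holds any of the addresses. The account name and addresses are constructed sample values.

```powershell
# Added example, not from the article: set a user's proxyAddresses with exactly one
# primary "SMTP:" entry and lower-case "smtp:" aliases, with conflict checks.
Import-Module ActiveDirectory

function Set-UserProxyAddresses {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string]   $PrimaryAddress,
        [string[]] $Aliases = @()
    )
    # Primary in upper-case SMTP:, aliases in lower-case smtp: (the casing is what marks the primary).
    $desired = @("SMTP:$PrimaryAddress") + @($Aliases | ForEach-Object { "smtp:$($_.ToLower())" })

    # Refuse more than one primary or the same address twice (proxyAddresses compares case-insensitively).
    if (@($desired | Where-Object { $_ -clike 'SMTP:*' }).Count -ne 1) { throw 'Exactly one SMTP: primary is required.' }
    $dupes = $desired | Group-Object { $_.ToLower() } | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate address: $($dupes.Name -join ', ')" }

    # Refuse addresses already owned by another user, group, contact or computer in the domain.
    foreach ($addr in $desired) {
        $owner = Get-ADObject -LDAPFilter "(proxyAddresses=$addr)" -Properties sAMAccountName |
                 Where-Object { $_.sAMAccountName -ne $SamAccountName }
        if ($owner) { throw "$addr is already assigned to $($owner.Name -join ', ')" }
    }

    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    # Keep non-SMTP entries (X500:, sip:, ...) that other systems may have written.
    $keep = @($user.proxyAddresses | Where-Object { $_ -notlike 'smtp:*' })   # -notlike is case-insensitive

    # Replace the whole multi-valued attribute in one write rather than piecemeal -Add/-Remove.
    Set-ADUser -Identity $SamAccountName -Replace @{ proxyAddresses = ($keep + $desired) }

    # Read back and confirm the primary was stored with its upper-case prefix.
    $after = (Get-ADUser -Identity $SamAccountName -Properties proxyAddresses).proxyAddresses
    if (-not ($after -ccontains "SMTP:$PrimaryAddress")) { throw 'Primary address was not written.' }
    return $after
}

# Constructed sample input; replace with real values.
Set-UserProxyAddresses -SamAccountName 'jdoe' -PrimaryAddress 'john.doe@example.com' `
                       -Aliases 'jdoe@example.com', 'john@example.com'
```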
How to disable LAPS temporarily
Situation: After configuring Local Administrator Password Solution (LAPS), the client finds that LAPS generates a new local administrator password on every managed computer. However, some computers use the local administrator account to run apps and services. They wonder whether they can disable LAPS temporarily or exclude those computers.
Resolution: you can disable the GPO link (uncheck Link Enabled on the LAPS policy) or remove those computers from the OU the policy is linked to. Re-apply group policy by running gpupdate /force.
Can we force LAPS to reset password?
Yes, you can. Quoted from Microsoft:
Force Password Reset
- Forcing an update of the password on a system is done through updating the next expiration time either through Powershell or through the LAPS UI client. The password will reset on the next Group Policy refresh following the expiration time.
- Powershell requires the AdmPwd.ps module and the cmdlet is:
- Reset-AdmPwdPassword -ComputerName <computername> -WhenEffective <date time>
- Resetting through the LAPS UI client can be done by searching for the relevant system, entering the next desired expiration time, and pressing the set button.
- Note: administrators can still reset the local administrator password manually through local Administrative Tools but the new password will not be reflected in the computer object in AD and the next reset will occur as scheduled.
If this machine needs to be managed, we need to manually reset the LAPS password from the domain controller (set a new expiration time) or wait for the expiration time to reset the password automatically; after that the new LAPS password can be used to log in (this is what you do in step 7).
Summary: For machines in the domain, the local administrator can still manually reset the local administrator password through the local management tools, but the new password will not be reflected in the computer object in AD. Until the next LAPS reset, you can only log in with the manually set password.
If you manually reset the LAPS password from the domain controller (I set a new expiration date manually) or wait for the LAPS password expiration time to reset it automatically, the system assigns a new password that complies with the password policy, and after that you can log in with the new LAPS password.
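The forced reset described above, scripted for a list of computers and verified afterwards, as an added example that is neither the article's nor Microsoft's code. It assumes the legacy LAPS AdmPwd.PS module, the GroupPolicy RSAT module, rights to write the expiration time, and that the computers are reachable for a remote gpupdate; it checks the ms-Mcs-AdmPwdExpirationTime attribute rather than reading the password itself. Computer names are constructed placeholders.

```powershell
# Added example, not from the article: expire the LAPS password now, trigger a Group Policy
# refresh so the CSE rotates it, and confirm the rotation happened without reading the secret.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

function Get-LapsExpiration {
    param([string] $ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $ft = $c.'ms-Mcs-AdmPwdExpirationTime'        # stored as a Windows FILETIME (Int64)
    if ($ft) { [DateTime]::FromFileTimeUtc([int64]$ft) } else { $null }
}

function Invoke-LapsRotation {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $TimeoutSeconds = 300
    )
    foreach ($name in $ComputerName) {
        if (-not (Get-LapsExpiration $name)) {
            Write-Warning "$name has no LAPS expiration time in AD; it is probably not managed"
            continue
        }
        # Set the expiration to now; the CSE rotates the password at its next policy refresh.
        Reset-AdmPwdPassword -ComputerName $name -WhenEffective (Get-Date)
        # Trigger that refresh instead of waiting for the normal 90-minute cycle.
        Invoke-GPUpdate -Computer $name -Force -ErrorAction SilentlyContinue

        # After a rotation the CSE writes a new expiration (now + PasswordAgeDays), i.e. in the future.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 10
            $exp = Get-LapsExpiration $name
        } until (($exp -and $exp -gt $deadline.ToUniversalTime()) -or (Get-Date) -gt $deadline)

        [pscustomobject]@{
            ComputerName     = $name
            Rotated          = [bool]($exp -and $exp -gt $deadline.ToUniversalTime())
            NewExpirationUtc = $exp
        }
    }
}

# Constructed placeholder names; a result with Rotated = False usually means the computer
# is offline, excluded from the LAPS GPO (see the OU note above), or still waiting on gpupdate.
Invoke-LapsRotation -ComputerName 'APP01', 'APP02' | Format-Table -AutoSize
```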
How to force Veeam Backup to run Full backup
Right click on the Backup Job. Click on Active Full.
How to force Microsoft 365 DirSync
Situation: The client uses Microsoft 365 / Azure AD DirSync to synchronize their on-premises Active Directory to Azure Active Directory. The default sync interval is 15 minutes. They would like to know how to force a sync.
Resolution: run the PowerShell command Start-ADSyncSyncCycle -PolicyType Initial on the sync server.
Fixing “The operation cannot be performed because the message has been changed”
Situation: When working on Outlook, you may receive this message “The operation cannot be performed because the message has been changed” randomly.
Resolution 1: Run Outlook repair. Go to File>Account Settings>Repair.
You can use the Inbox Repair tool (SCANPST.EXE) to diagnose and repair errors in your Outlook data file.
Resolution 2: Run office online repair.
Resolution 3: Try running the SARA Tool: https://diagnostics.outlook.com/#/
Resolution 4: It could be an add-in issue. Under Outlook add-ins, find Adobe Send & Track for Microsoft Outlook – Acrobat and disable it.
Resolution 5: Enable Exchange cached mode.
Resolution 6: This can happen with a large email; wait a moment for the sync to complete and try again.
Resolution 7: This seems to be a problem only with IMAP accounts.
I fixed my problem on the IMAP account (which, ahem, started after a Microsoft update) by using Outlook’s “repair” tool:
– In Outlook, right click on the mailbox in the left-side navigation bar.
– Choose “Account Properties.”
– In a blue toolbar about 1/3 of the way down the window, “Repair” is one of the choices.
– Click Repair. It only took about 5 seconds.
If you move emails and receive this popup:
1. Open Outlook > File > Options > Mail > under Conversation Clean Up, uncheck "When a reply modifies a message, don't move the original" > restart Outlook (if it is already unchecked, check it, restart Outlook, uncheck it and restart Outlook again).
2. If the above doesn't work, uncheck all options under Conversation Clean Up.
3. Account Settings > open your account > More Settings > under the Advanced tab, put INBOX in Root Folder Path. (If all your folders disappear, simply remove INBOX from here.) Note: Do NOT use option #3 above. With an IMAP account this will empty an entire folder! Really, REALLY dumb suggestion that cost me a ton of data!
4. Select Cleaned up items will go to this folder.
This is a known issue with IMAP accounts. The change (read state) needs to sync with the server before you can move the message, which only takes a split second, but Outlook keeps a hold on the message until you switch to another message.
How to check the size and file (*.OST) location of mailbox in Outlook
To find the size of your mailbox, follow these steps:
1. With Outlook open, click your account.
2. Click Folder on the top menu.
3. Click on Folder Properties.
4. Click Folder Size at the bottom of the pane.
5. You’ll see that the size for the mailbox and each subfolder is indicated in kilobytes (KB).
To find the email file (*.ost) location, right click on your email account and select Open File Location.
You will see *.ost file located in C:\Users\username\AppData\Local\Microsoft\Outlook