I've activated Local Administrator Password Solution (LAPS) in my test setup which includes Windows Server 2025 and Windows 11. I can access the passwords generated by LAPS, but I'm running into issues when trying to log in with the WLapsAdmin account on the client system; it appears to be deactivated.
Originally, I configured LAPS to manage the local administrator account, which seems to have been renamed to WLapsAdmin. The account was deactivated from the start, so I created a policy to activate it, but ended up having to activate it manually because it didn't have a strong enough password until recently. Now that the password issue is sorted out, everything seems functional, except WLapsAdmin is still deactivated.
I've noticed that the policy meant to activate the local administrator account isn't working correctly. I keep getting logs with event ID 10101 indicating something tried to alter the externally managed account each time I run `gpupdate /force`. After I turned off the relevant policy settings, the warnings stopped appearing.
When I attempted to manually activate WLapsAdmin using `net user WLapsAdmin /active:yes`, I received System Error 8654, which says the account is controlled by an external policy. This leads me to believe there's a specific way to re-enable this account that I'm missing.
In short, my local LAPS admin account is deactivated, and I'm unsure why or how to reactivate it properly.
2 Answers
It sounds like WLapsAdmin is just the renamed default local administrator account, which is typically deactivated. After you configured LAPS for the default account, it likely got renamed and deactivated due to the policy you set. Make sure you're using the correct local account login attempt. If you see it showing deactivated when you check with `net user wlapsadmin`, that confirms the issue. You might need to tweak the policies surrounding that account to get it reactivated properly.
You might want to check the Security Identifier (SID) of the WLapsAdmin account on your test machine. If it's indeed a local account, you can try logging in using the format .WLapsAdmin—have you given that a shot?
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures