Closed red-erik closed 2 years ago
Solved: to help others, the problem is that the gMSA account NEEDS write access to AdmPwdExpirationTime too, and not only read access to the pwd attributes. Analyzing your script it is clear, but I suggest you underline it in the instructions too.

https://github.com/lithnet/access-manager/wiki/Creating-a-service-account-for-the-Access-Manager-Service

Domain permissions

AMS does need specific rights depending on how you plan to use it. For example, if you are reading Microsoft LAPS passwords, then you'll need to ensure the appropriate read "AND WRITE" permissions are granted.
Hi, in my case, it said something like 'the computer does not have a password', and in the log I had errors: Unable to get password from provider 'Windows LAPS (encrypted) AD provider' System.UnauthorizedAccessException: Access is denied. This solution also helped me 👍
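One way to check for the missing right described in this thread, as an added example that is not part of the original posts or of the Access Manager project: the script reports whether a service account holds read and write ACEs for the legacy Microsoft LAPS attributes on an OU. The OU distinguished name and account name are placeholders, and only ACEs granted directly to the account are examined.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and that the OU lives in
# the domain the AD: drive is connected to. Both values below are placeholders.
Import-Module ActiveDirectory
$OU      = 'OU=Workstations,DC=example,DC=com'
$Account = 'EXAMPLE\svc-ams$'

# Map each LAPS attribute to its schemaIDGUID, which is what object ACEs reference.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$guidMap  = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $attr) { Write-Warning "$name not found in schema"; continue }
    $guidMap[$name] = [guid]$attr.schemaIDGUID
}

# Allow ACEs granted directly to the account (group membership is not expanded).
$aces = (Get-Acl -Path "AD:\$OU").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account
}

$R = [System.DirectoryServices.ActiveDirectoryRights]
foreach ($name in $guidMap.Keys) {
    $mask = 0
    foreach ($ace in $aces) {
        # An empty ObjectType GUID means the ACE covers all properties.
        if ($ace.ObjectType -eq $guidMap[$name] -or $ace.ObjectType -eq [guid]::Empty) {
            $mask = $mask -bor [int]$ace.ActiveDirectoryRights
        }
    }
    [pscustomobject]@{
        Attribute = $name
        Read      = [bool]($mask -band [int]$R::ReadProperty)
        Write     = [bool]($mask -band [int]$R::WriteProperty)
        # ms-Mcs-AdmPwd is a confidential attribute, so reading it also needs this right.
        Extended  = [bool]($mask -band [int]$R::ExtendedRight)
    }
}
```

A `False` in the `Write` column for `ms-Mcs-AdmPwdExpirationTime` corresponds to the condition reported as the cause in this thread.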
Access Denied
Hello, basic setup with a Single Forest with multiple domains. Service used is a gMSA with proper delegations on requested OU. Permission assigned correctly but in the log we receive "System.UnauthorizedAccessException: Access is denied.". Through web interface we receive "Unable to process request An error occurred while trying to access the local admin password". Any help or suggestion greatly appreciated. Regards, Red.