lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

issue upgrading to v2 using encrypted passwords #197

Closed CodeNameTheOnlyOne closed 1 year ago

CodeNameTheOnlyOne commented 1 year ago

looks like you put the encrypted passwords behind the enterprise version in v2. what is the best method of updating my v1 instance that is currently using encrypted passwords. my plan was to install v2 on a new server, get it up and running then cutover via dns, but it's failing to read passwords because they are encrypted, e.g. (An encrypted Lithnet LAPS password was found, but the license does not allow the use of this password type)

what is the best way to make this migration?

ryannewington commented 1 year ago

@CodeNameTheOnlyOne

My apologies, but you are correct in that the encrypted capabilities are now an enterprise edition feature.

The easiest way to get up and running is to modify your GPO to enable MS LAPS compatibility. This will write the ms-mcs-AdmPwd attribute value, which AMSv2 will be able to read.

https://docs.lithnet.io/ams/configuration/deploying-features/setting-up-lithnet-laps/setting-up-lithnet-laps-for-active-directory#step-5-configure-the-access-manager-agent-group-policy

If you want to retain those encrypted capabilities, reach out to us here to request a quote. We're also happy to issue a trial license so you can test all the features of v2. https://lithnet.io/products/access-manager/quote

CodeNameTheOnlyOne commented 1 year ago

do i need to upgrade the laps agent to support this change? i doubt these features existed when i initially deployed it. would it be better for me to just switch to the msft laps agent vs running yours in compatibility mode?

CodeNameTheOnlyOne commented 1 year ago

@ryannewington also would probably help some people if you had the ui warn in this scenario, as i had to look in event viewer for it to tell me anything other than "The requested computer does not have a local admin password"

ryannewington commented 1 year ago

The Microsoft LAPS compat setting has been there since v1.

You can certainly replace the agent with the Microsoft one - that will work. I was just thinking of the fastest way to get it up and running, and the GPO would be one click.

Both will work.

ryannewington commented 1 year ago

> @ryannewington also would probably help some people if you had the ui warn in this scenario, as i had to look in event viewer for it to tell me anything other than "The requested computer does not have a local admin password"

That's very valid feedback - we'll take that on board and see what we can do about making this more obvious

CodeNameTheOnlyOne commented 1 year ago

i assume i will need to wait for the passwords to age out or will the gpo trigger them to update right away

ryannewington commented 1 year ago

They will need to age out, but you can speed this up by dropping the maximum password age temporarily, and then increasing it again later.
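A way to confirm, before the DNS cutover, that the compatibility GPO from the earlier reply has taken effect and to see how long until each computer's password rotates. This is an added PowerShell example, not Lithnet's code; it assumes the RSAT ActiveDirectory module, an OU distinguished name passed as `$SearchBase`, and that the agent in compatibility mode writes ms-Mcs-AdmPwdExpirationTime alongside ms-mcs-AdmPwd the way the Microsoft client does.

```powershell
# Added example (not part of the Lithnet project): report which enabled computers
# in an OU have a Microsoft-LAPS-compatible record in AD and when it expires, so
# the AMS v2 cutover can be timed after the passwords have rotated.
# Only the (non-confidential) expiration attribute is read; the password
# attribute itself is never touched.
# Assumption: the Lithnet agent in MS LAPS compatibility mode populates
# ms-Mcs-AdmPwdExpirationTime (FILETIME, UTC) as the Microsoft client does.
param(
    [Parameter(Mandatory)] [string] $SearchBase   # e.g. "OU=Workstations,DC=corp,DC=example" (placeholder)
)

Import-Module ActiveDirectory

$attr      = 'ms-Mcs-AdmPwdExpirationTime'
$nowUtc    = (Get-Date).ToUniversalTime()
$computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $attr)

$report = foreach ($c in $computers) {
    $raw = $c.$attr
    # A missing value means the compat GPO has not produced a record for this host yet.
    $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
    $state = if (-not $raw)            { 'NoRecord' }   # GPO not applied / agent not reporting
             elseif ($expires -lt $nowUtc) { 'Overdue' }    # past expiry, rotation still pending
             else                      { 'Current' }
    [pscustomobject]@{
        Name       = $c.Name
        State      = $state
        ExpiresUtc = $expires
    }
}

$report | Sort-Object State, Name | Format-Table -AutoSize
$withRecord = @($report | Where-Object State -ne 'NoRecord').Count
"{0} of {1} enabled computers have a LAPS-compatible record" -f $withRecord, $computers.Count
```

Hosts listed as NoRecord after a GPO refresh are the ones to investigate before cutover; the ExpiresUtc column shows how far the temporary lower maximum password age has pulled rotation forward.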

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.