When Active Roles is connected to a Windows Server 2025 Domain Controller, the ms-Mcs-AdmPwd attribute (used by Microsoft LAPS) appears empty in the Console or Web Interface.
However, when the same instance is accessed through a Windows Server 2022 or earlier Domain Controller, the ms-Mcs-AdmPwd value is displayed correctly.
This behavior occurs due to cryptographic changes introduced in Windows Server 2025 as part of Microsoft LAPS v2 (Windows LAPS).
Active Roles currently supports only LAPS v1, which relies on legacy encryption mechanisms. The new LAPS v2 implementation uses enhanced cryptography and storage methods that are not compatible with the way Active Roles retrieves and decrypts the ms-Mcs-AdmPwd attribute.
As a result, when connected to a Windows Server 2025 DC, Active Roles cannot display the password value.
At this time, Active Roles does not support Microsoft LAPS v2.
WORKAROUNDS:
Connect Active Roles to a Windows Server 2022 or earlier Domain Controller to view ms-Mcs-AdmPwd values.
Manage LAPS v2 passwords and configurations directly through Active Directory Users and Computers (ADUC) or Microsoft Intune.
Note: Future versions of Active Roles 8.3 may include support for LAPS v2 as product updates become available.
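To confirm outside Active Roles which domain controller returns the attribute, the following added PowerShell example (not One Identity or Microsoft code) queries the same computer object against each DC and reports only whether the legacy and Windows LAPS attributes are populated. The computer and DC names are placeholders, and the msLAPS-* names are the Windows LAPS schema attributes, which this article does not list.

```powershell
# Added example. Computer and DC names used below are placeholders (assumptions).
# Requires the ActiveDirectory module (RSAT). Only presence is reported;
# password values are never written to the output.
Import-Module ActiveDirectory

function Test-LapsAttributePresence {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $DomainController
    )

    # Legacy Microsoft LAPS attributes first, then Windows LAPS attributes.
    $attributes = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime',
                  'msLAPS-Password', 'msLAPS-EncryptedPassword',
                  'msLAPS-PasswordExpirationTime'

    foreach ($dc in $DomainController) {
        foreach ($attr in $attributes) {
            $state = 'Empty or not readable'
            try {
                # Query one attribute at a time: an attribute missing from the
                # schema makes Get-ADComputer fail for the whole request.
                $obj = Get-ADComputer -Identity $ComputerName -Server $dc `
                           -Properties $attr -ErrorAction Stop
                if ($null -ne $obj.$attr) { $state = 'Populated' }
            }
            catch {
                $state = "Query failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                DomainController = $dc
                Computer         = $ComputerName
                Attribute        = $attr
                State            = $state
            }
        }
    }
}

# Compare an older DC with a Windows Server 2025 DC for the same computer.
Test-LapsAttributePresence -ComputerName 'WKS-EXAMPLE01' `
    -DomainController 'dc2022.example.test', 'dc2025.example.test' |
    Format-Table -AutoSize
```

An empty result can also mean the querying account lacks read permission on that attribute, so run the check with an account that is delegated to read LAPS passwords.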