How is the LAPS Client Install State determined?

Our LAPS Dashboard shows hundreds of systems with a LAPS password in AD, but the LAPS Client Install State of the dashboard shows that none of them have the LAPS Client installed. That’s not true, as we installed the 64-bit client on all the reporting systems. What does ReCast look for?

Hi there,

The account attempting to load the dashboard with should have read access to your CM database and AD permission to read the LAPS password attribute. LAPS Dashboard | Recast Docs

We can read the LAPS passwords, and of course the user accounts accessing the SCCM admin console have Read rights to the DB. It’s just that the dashboard is not reporting that the LAPS client is installed when it most certainly is. HW Inventory for Installed Software shows that it is installed.

Can we verify in SQL that the accounts opening the dashboard explicitly have at least db_datareader to the ConfigMgr database.

I’ll check that but why would RCT use something different than the standard SCCM security accounts? I’ve never had to touch SQL security in 20+ years of SMS/SCCM administration!

Hi there,

I hope all is well. Sadly not all of our actions would be possible without additional permissions. Also were you able to confirm the SQL account has the db_datareader permission to the ConfigMgr database?

My user account had the db_datareader membership via it’s security group. I explicitly added it but the dashboard still shows no LAPS clients installed. Again, where are you looking for the LAPS clients? They do show up in HW Inventory.
RCT version 4.9.2207

Thanks,
Russell

Hi Russel,

When you have a second, can you post a screenshot of what you’re seeing in HW Inventory? We parse for a Display Name value of “Local Administrator Password Solution” in your add remove programs data.

Best,

Branden

Hi Branden,
Here’s what we see in report “Computers with specific software registered in Add Remove Programs”:

image

Thanks,
Russell

Thank you! Could you also send over a screenshot for what you see in resource explorer for one of the devices that should have LAPS installed but it isn’t shown as installed in the report?

Example:

You should probably see this, too.
image

Thank you.

Please run this query if using SQL:
select R.*
from
v_R_System R
left join v_GS_ADD_REMOVE_PROGRAMS_64 ARP on ARP.resourceid = R.resourceid
where
ARP.displayname0 = ‘Local Administrator Password Solution’

Or this query if using WQL:
select sms_g_system_add_remove_programs_64.resourceID from sms_g_system_add_remove_programs_64 where sms_g_system_add_remove_programs_64.displayname = ‘Local Administrator Password Solution’

Afterwards, please send the results to support@recastsoftware.com.