Hmm, it seems like you’re doing everything correctly.
It may sound dumb but are you typing in the admin password? I prefer to use Remote Desktop, then copy/paste the password, as I find it difficult to distinguish between some of the characters.
And the account you’re trying to log into is the built-in local administrator (assuming you didn’t point LAPS at a different account) using “.\administrator” to prevent it from trying to use a domain account.
Other than that I’m running out of ideas for you to try, sorry.
Strange… When you set the expiration to a date in the past, after restarting the client, did the password in ADUC/LAPS UI change? When you look at your group policy scope and filtering, is the computer object subject to your LAPS policy?
If you have another administrator account you can log in with, you could open an elevated command prompt and run “gpresult /r”. Verify under the Computer Settings > Applied Group Policy Objects section that you see your LAPS policy.
It may be the case that the computer object is not in the correct OU or group.