Laps Segragation Per OU

Muhammad Hussain 201 Reputation points
2020-08-06T17:57:59.537+00:00

We have deployed the LAPS and its working well.
We've assigned the permissions to IT support team to fetch the passwords and they are able fetch the password of All OU'S computers.

Environment: We've multiple sites and one IT support engineer is responsible to manage mange their site (Creation users, deletion etc in particular OU) .

Requirement: Every IT support engineer should have rights to fetch only it's own Site computers password.
He should not be able to fetch the passwords of any other OU computers.
How can we achieve this? I didn't find any option to this bifurcation. Please suggest.

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,503 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,525 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,652 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Fan Fan 15,341 Reputation points Microsoft Vendor
    2020-08-07T03:15:58.587+00:00

    Hi,
    Thanks for posting here!

    LAPS is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints.
    If you mean permission to read to local administrator password permission , you can delegate read access to a specific user or group on the specific OU by a Powershell command. Set-AdmPwdReadPasswordPermission –Identity “OU Name” –AllowedPrincipals “User or Group Name” For more details and steps you can refer to the following article:
    https://blog.nowmicro.com/2018/02/28/configuring-laps-part-1-configuring-active-directory/
    Please note: The mentioned product is owned and operated by a third party. Microsoft has no control regarding to the product's performance and reliability.

    Best Regards,


  2. Fan Fan 15,341 Reputation points Microsoft Vendor
    2020-08-10T04:57:58.327+00:00

    Hi,
    If IT support engineer can be able to fetch the passwords of any other OU computers ,you can check change the permission by :

    Right click the OU ,go to Properties -> Security, then click the Advanced button. Select the “Authenticated Users” (in this example) principal and click Edit.
    Make sure that “All extended rights” is unchecked. Then click OK to apply the change.
    Or you find other users should not be able to view the pc's password in this OU, you can change it by the same way(Make sure that “All extended rights” is unchecked ).

    I had did a test : create 2 users LAPS1 and LAPS2
    Assign permission for LAPS1 to view password in PC OU,but can't view password in SERVERS OU
    Assign permission for LAPS2 to view password in SERVERS OU,but can't view password in PC OU

    And it works perfectly .

    Best Regards,

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.