This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 63%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Having trouble getting laps to deploy properly. I’m guess it has something to do with our company using the default computer container location for all computers. I don’t really like it but I guess that’s how it will stay for now. Anyway I was able to successfully get LAPS to work in a test environment using an organizational unit.
On the environment that is not working I used the commands set-admpwdcomputersself permission -orgunit computers. The command completed but the problem is it shows blank when running the laps UI or via power shell commands. Also the attribute editor shows not set for ms-mcs-admpwd. Is there a way to apply this permission to the whole domain?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello johnsmith-3681,
How are things going on your end? Please keep me posted on this issue. I appreciate your time and efforts.
Your time is greatly appreciated.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hello johnsmith-3681,
Thank you for posting in our Q&A forum.
Here is the answer for your references.
We recommend that you put the machines that need to apply the LAPS password in an OU and then deploy LAPS just as you did in the test environment.
Because the default "Computers" container is a container not an OU, and you used the command "set-admpwdcomputersself permission -orgunit computers", I think "-orgunit" in the command should follow an OU instead of a container.
Q: Is there a way to apply this permission to the whole domain?
A: If you must want to deploy these permission in domain wide, you can try the following commands to see if it helps.
Set-AdmPwdComputerSelfPermission -Identity "DC=DOMAIN,DC=com"
Set-AdmPwdReadPasswordPermission -Identity "DC=DOMAIN,DC=com" -AllowedPrincipals "LAPSAdmins"
Set-AdmPwdResetPasswordPermission -Identity "DC=DOMAIN,DC=com" -AllowedPrincipals "LAPSAdmins"
Her is a similar thread.
https://social.technet.microsoft.com/Forums/en-US/13c23379-3a08-416c-a7f6-43caa7c507a9/laps-deployment-to-the-whole-domain
Tip: If you deploy LAPS in the domain wide, please make sure the LAPS does not apply on Domain Controller machines.
Other references for deploying LAPS.
https://theitbros.com/deploying-local-administrator-password-solution-laps-in-active-directory/
https://www.prajwaldesai.com/how-to-install-and-deploy-microsoft-laps-software/
Hope the information above is helpful.
Best Regards,
Daisy Zhou
==============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.