Laps permissions

john smith 1 Reputation point
2022-10-27T20:38:43.987+00:00

Having trouble getting laps to deploy properly. I’m guess it has something to do with our company using the default computer container location for all computers. I don’t really like it but I guess that’s how it will stay for now. Anyway I was able to successfully get LAPS to work in a test environment using an organizational unit.

On the environment that is not working I used the commands set-admpwdcomputersself permission -orgunit computers. The command completed but the problem is it shows blank when running the laps UI or via power shell commands. Also the attribute editor shows not set for ms-mcs-admpwd. Is there a way to apply this permission to the whole domain?

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,954 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Daisy Zhou 20,461 Reputation points Microsoft Vendor
    2022-11-01T03:52:45.853+00:00

    Hello johnsmith-3681,

    Thank you for posting in our Q&A forum.

    Here is the answer for your references.

    We recommend that you put the machines that need to apply the LAPS password in an OU and then deploy LAPS just as you did in the test environment.
    Because the default "Computers" container is a container not an OU, and you used the command "set-admpwdcomputersself permission -orgunit computers", I think "-orgunit" in the command should follow an OU instead of a container.

    Q: Is there a way to apply this permission to the whole domain?
    A: If you must want to deploy these permission in domain wide, you can try the following commands to see if it helps.

    Set-AdmPwdComputerSelfPermission -Identity "DC=DOMAIN,DC=com"

    Set-AdmPwdReadPasswordPermission -Identity "DC=DOMAIN,DC=com" -AllowedPrincipals "LAPSAdmins"

    Set-AdmPwdResetPasswordPermission -Identity "DC=DOMAIN,DC=com" -AllowedPrincipals "LAPSAdmins"

    Her is a similar thread.
    https://social.technet.microsoft.com/Forums/en-US/13c23379-3a08-416c-a7f6-43caa7c507a9/laps-deployment-to-the-whole-domain

    Tip: If you deploy LAPS in the domain wide, please make sure the LAPS does not apply on Domain Controller machines.

    Other references for deploying LAPS.
    https://theitbros.com/deploying-local-administrator-password-solution-laps-in-active-directory/

    https://www.prajwaldesai.com/how-to-install-and-deploy-microsoft-laps-software/

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ==============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments