LAPS permissions

john smith 1 Reputation point

Having trouble getting LAPS to deploy properly. I’m guessing it has something to do with our company using the default computer container location for all computers. I don’t really like it but I guess that’s how it will stay for now. Anyway, I was able to successfully get LAPS to work in a test environment using an organizational unit.

On the environment that is not working I used the command set-admpwdcomputersself permission -orgunit computers. The command completed, but the problem is that it shows blank when running the LAPS UI or via PowerShell commands. Also, the attribute editor shows not set for ms-mcs-admpwd. Is there a way to apply this permission to the whole domain?

Windows Group Policy
A feature of Windows that enables policy-based administration using Active Directory.

1 answer

  1. Daisy Zhou 13,786 Reputation points Microsoft Vendor

    Hello johnsmith-3681,

    Thank you for posting in our Q&A forum.

    Here is the answer for your reference.

    We recommend that you put the machines that need to apply the LAPS password in an OU and then deploy LAPS just as you did in the test environment.
    Because the default "Computers" container is a container, not an OU, and you used the command "set-admpwdcomputersself permission -orgunit computers", I think "-orgunit" in the command should be followed by an OU instead of a container.

    Q: Is there a way to apply this permission to the whole domain?
    A: If you must deploy these permissions domain-wide, you can try the following commands to see if they help.

    Set-AdmPwdComputerSelfPermission -Identity "DC=DOMAIN,DC=com"

    Set-AdmPwdReadPasswordPermission -Identity "DC=DOMAIN,DC=com" -AllowedPrincipals "LAPSAdmins"

    Set-AdmPwdResetPasswordPermission -Identity "DC=DOMAIN,DC=com" -AllowedPrincipals "LAPSAdmins"

    Here is a similar thread.

    Tip: If you deploy LAPS domain-wide, please make sure LAPS does not apply to Domain Controller machines.

    Other references for deploying LAPS.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou
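
Added example, not part of the original answer or of the LAPS tooling: a PowerShell check to run after the domain-wide grant described above, listing who holds read rights and which computers have actually stored a password, and flagging Domain Controllers per the tip. It assumes the AdmPwd.PS and ActiveDirectory modules are installed, that Find-AdmPwdExtendedRights accepts the same DN as the Set- cmdlets in the answer, and it reuses the answer's placeholder DN.

```powershell
# Added example; "DC=DOMAIN,DC=com" is the placeholder DN from the answer.
Import-Module AdmPwd.PS, ActiveDirectory

$base = 'DC=DOMAIN,DC=com'   # replace with your own domain DN

# 1. Who can read ms-Mcs-AdmPwd under $base? Review this after any
#    domain-wide grant: every holder listed can read local admin passwords.
Find-AdmPwdExtendedRights -Identity $base |
    Select-Object ObjectDN,
        @{ n = 'Holders'; e = { $_.ExtendedRightHolders -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 2. Which computers have stored a password? The expiration timestamp is
#    not a confidential attribute, so this audit needs no password-read right.
$dcDns  = (Get-ADDomainController -Filter *).ComputerObjectDN
$report = Get-ADComputer -SearchBase $base -Filter * `
              -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Name        = $_.Name
            # Parent DN, e.g. CN=Computers,... (container) or OU=...,...
            Parent      = ($_.DistinguishedName -split ',', 2)[1]
            IsDC        = $dcDns -contains $_.DistinguishedName
            LapsExpires = if ($exp) { [datetime]::FromFileTimeUtc($exp) }
                          else      { $null }
        }
    }

# Member computers that have never written a LAPS password. Usual causes:
# missing SELF write permission, the LAPS client extension not installed,
# or the LAPS GPO not reaching the object (a container cannot link a GPO).
$report | Where-Object { -not $_.IsDC -and -not $_.LapsExpires } |
    Sort-Object Parent, Name | Format-Table Name, Parent -AutoSize

# Domain Controllers that DO carry a LAPS timestamp: the policy is reaching
# them and should be scoped away, as the tip in the answer says.
$report | Where-Object { $_.IsDC -and $_.LapsExpires } |
    Format-Table Name, LapsExpires -AutoSize
```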

