question

antocaptain asked bahnjee-6065 answered

LAPS - revoking access of a group

Hello,

I added a group with Set-AdmPwdReadPasswordPermission on an OU, and now I need to revoke this access because we have some sub-OUs where this group doesn't need to have access.

When I try to use ADSI Edit to revoke the access, all extended rights are unchecked and the ms-Mcs-AdmPwd attribute is not present.

Is there any way to revoke it with PowerShell? Maybe a Remove-AdmPwdReadPasswordPermission?

Thank you


LAPS

windows-server-powershell windows-active-directory

FanFan-MSFT answered FanFan-MSFT commented

Hi,
Based on my research, there is no such command to remove the permission.
You can do it through the Security tab on the sub-OU directly.
Best Regards,
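
Added example, not part of the original thread and not code from the AdmPwd.PS module: one way to list, and optionally remove, the access-control entries on an OU that reference the ms-Mcs-AdmPwd attribute, using the AD: drive of the ActiveDirectory module. The OU distinguished name, the group name and the `$Remove` switch are placeholders and assumptions; entries reported as inherited can only be removed on the parent container where they are defined.

```powershell
# Added example. Requires the ActiveDirectory (RSAT) module and rights to
# modify the OU's security descriptor. Values below are placeholders.
Import-Module ActiveDirectory

$OuDn   = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$Group  = 'EXAMPLE\LAPS-Readers'                # placeholder group
$Remove = $false                                # set to $true to write changes

# Look up the schemaIDGUID of ms-Mcs-AdmPwd instead of hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd not found in the schema.' }
$admPwdGuid = New-Object Guid (,[byte[]]$attr.schemaIDGUID)

# Read the OU's ACL and keep only entries for this group and this attribute.
$acl  = Get-Acl -Path "AD:\$OuDn"
$aces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and $_.ObjectType -eq $admPwdGuid
})

# Show what was found. IsInherited = True means the entry comes from a parent
# container and cannot be removed on this OU.
$aces | Format-Table IdentityReference, ActiveDirectoryRights,
    AccessControlType, IsInherited, InheritanceType -AutoSize

$explicit = @($aces | Where-Object { -not $_.IsInherited })
if ($Remove -and $explicit.Count -gt 0) {
    foreach ($ace in $explicit) {
        # Removes only the exact matching entry, nothing else for the group.
        $acl.RemoveAccessRuleSpecific($ace)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    Write-Output "Removed $($explicit.Count) explicit entry(ies) from $OuDn."
} else {
    Write-Output "Explicit entries found: $($explicit.Count). No changes written."
}
```

Running it first with `$Remove = $false` on the parent OU and on each sub-OU shows where the entry is explicit and where it is only inherited.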


bahnjee-6065 answered

I'm in a similar boat. However, in my situation, Find-AdmPwdExtendedRights shows that BUILTIN\Users has read access but there's no such item listed in the OU's properties. The closest thing is MyDomain\Users, but their All extended rights box is not checked.

Can anyone provide a way to remove BUILTIN\Users?
