Hello alphadeltaromeo,
Thank you for posting in our Q&A forum.
Based on the description, I understand that none of the servers in an OU had a LAPS password, but the servers have the AD attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Is it a parent OU? If so, please run the following commands first on the DC (you can change Domain Admins to another administrator account or another admin group depending on your needs).
Set-AdmPwdComputerSelfPermission -OrgUnit OUName
Set-AdmPwdReadPasswordPermission -OrgUnit OUName -AllowedPrincipals "Domain Admins"
Set-AdmPwdResetPasswordPermission -OrgUnit OUName -AllowedPrincipals "Domain Admins"
Q: My question is how do I check the existing configuration, i.e. the OUs that 'Set-AdmPwdReadPasswordPermission' was run on?
A: Please check as below:
1. Right-click this OU and select Properties.
2. Click the Security tab and click the Advanced button.
3. Find whether there is any entry that you configured on this OU.
4. If there is an entry, click it and then click the Edit button (you do not need to edit it).
5. Check whether the specific group or user has Read ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime or Write ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime permissions (if yes, the corresponding permissions should be checked).
Hope the information above is helpful.
Best Regards,
Daisy Zhou
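The check in steps 1-5 can also be scripted across every OU at once. This is an added example, not part of the original answer; it assumes the RSAT ActiveDirectory module and the legacy LAPS schema attributes named above, and the variable and column names are illustrative.

```powershell
# Added example: list explicit (non-inherited) ACEs on the LAPS attributes per OU.
# Assumes: ActiveDirectory module (RSAT) and read access to OU security descriptors.
Import-Module ActiveDirectory

# Resolve each LAPS attribute's schemaIDGUID from this forest's schema.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute $name not found in the schema." }
    $lapsAttrs[[guid]$attr.schemaIDGUID] = $name
}

# A confidential attribute such as ms-Mcs-AdmPwd is readable only with
# ReadProperty plus ExtendedRight (control access) on that attribute.
$readPwd = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Keep only ACEs set directly on this OU that target a LAPS attribute.
        if ($ace.IsInherited) { continue }
        if (-not $lapsAttrs.ContainsKey($ace.ObjectType)) { continue }

        $attrName = $lapsAttrs[$ace.ObjectType]
        [pscustomobject]@{
            OU            = $ou.DistinguishedName
            Principal     = $ace.IdentityReference
            Attribute     = $attrName
            Type          = $ace.AccessControlType
            Rights        = $ace.ActiveDirectoryRights
            ReadsPassword = ($attrName -eq 'ms-Mcs-AdmPwd') -and
                            ($ace.AccessControlType -eq 'Allow') -and
                            $ace.ActiveDirectoryRights.HasFlag($readPwd)
        }
    }
}

# Rows with ReadsPassword = True are the principals to review against
# the groups that are meant to retrieve local administrator passwords.
$report | Sort-Object OU, Principal | Format-Table -AutoSize -Wrap
```

Principals holding "All extended rights" on an OU can also read the password without an attribute-specific entry; the AdmPwd.PS cmdlet `Find-AdmPwdExtendedRights -Identity OUName` lists those.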