LAPS not working after Delegation

Question

LAPS not working after Delegation

john akin 1

Currently I have LAPS Group Policy applied to each OU of my AD environment and I'm able to generate credentials for the local admin account for all the various hosts that exist within them.

The is one OU that did not give the LAPS admin group permission to generate passwords. Unfortunately this was before my time and I don't understand why this OU was not configured to give permission to the LAPS group to generate passwords for its host. This OU does have the GP linked to it.

I proceeded to delegate control to the LAPS admin security group and give it permission to make changes as to the following attributes: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. Despite following the guidance, I'm unable to generate passwords for hosts within the OU.

I have moved the hosts to other OUs and I'm to generate the credentials without any issues.

I noticed when I accessed the Advanced Security Settings for the OU without issues and compared to the one with issues that the LAPS security group has "Special" access under the Permission entries, however this is not the case for the OU that doesn't have LAPS work. I'd like some insight into why this is the case.

P.S. - I've had to manually delegate control to the LAPS security group for the non-operational OU, this is not the case for the other operational OUs. These where configured before my time.

Any help will be much appreciated!

Answer 1

Thameur-BOURBITA 15,736

Hi @john akin

To delegate user or group to reset LAPS you have to run the following command :

Set-AdmPwdResetPasswordPermission –Identity “OU Name” -AllowedPrincipals “User or Group Name”

Before running the command above , check if the inherited permissions is not disabled between this OU and its child object.

Please don't forget to mark helpful answer as accepted

john akin 1 Reputation point

2023-03-14T11:19:39.8566667+00:00

I've ran the command and I've confirmed that inherited permissions is enabled between this OU and its child object by default, however I'm still unable to generate a password for hosts within that OU
Thameur-BOURBITA 15,736 Reputation points

2023-03-14T12:15:23.9966667+00:00

did you check on impacted object in security tab if you see that parent permission on extended right are already applied

What about gpo setting for laps?
john akin 1 Reputation point

2023-03-14T16:38:13.9433333+00:00

Yes, permissions are inherited by default on the domain and for the rest of the OUs that have LAPS operational.

A question, on the Advanced Security Settings dialogue box for the OU with LAPS working, the LAPS Admin security group of Special applied under the Access tab. This is not the case for the other OU despite delegating control. How am I able to configure this?
Thameur-BOURBITA 15,736 Reputation points

2023-03-17T07:34:18.29+00:00
Hi @john akin

You should check if extented right is well configured on OU and computer objects:

GO to Advanced security settings for impacted computer to

![thumbnail image 3 of blog post titled

You Might Want to Audit Your LAPS Permissions....

](/api/attachments/b4909f33-fef7-419a-8d8b-835fa297439d?platform=QnA)

Check if extented rights is checked for Admin group:

![thumbnail image 1 of blog post titled

You Might Want to Audit Your LAPS Permissions....

](/api/attachments/96d7856a-89c9-4b2f-991b-a2ee46d02bc9?platform=QnA)

For more details : https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/you-might-want-to-audit-your-laps-permissions/ba-p/2280785

Please don't forget to mark helpful as accepted*

LAPS not working after Delegation

1 answer

Activity