Currently I have LAPS Group Policy applied to each OU of my AD environment and I'm able to generate credentials for the local admin account for all the various hosts that exist within them.
There is one OU that did not give the LAPS admin group permission to generate passwords. Unfortunately this was before my time and I don't understand why this OU was not configured to give permission to the LAPS group to generate passwords for its hosts. This OU does have the GP linked to it.
I proceeded to delegate control to the LAPS admin security group and give it permission to make changes to the following attributes: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. Despite following the guidance, I'm unable to generate passwords for hosts within the OU.
I have moved the hosts to other OUs and I'm able to generate the credentials without any issues.
I noticed when I accessed the Advanced Security Settings for the OU without issues and compared it to the one with issues that the LAPS security group has "Special" access under the Permission entries; however, this is not the case for the OU where LAPS doesn't work. I'd like some insight into why this is the case.
P.S. - I've had to manually delegate control to the LAPS security group for the non-operational OU; this is not the case for the other operational OUs. These were configured before my time.
Any help will be much appreciated!
Did you check on the impacted object, in the Security tab, whether the parent permissions on extended rights are already applied?
What about the GPO setting for LAPS?
Yes, permissions are inherited by default on the domain and for the rest of the OUs that have LAPS operational.
A question: in the Advanced Security Settings dialogue box for the OU with LAPS working, the LAPS Admin security group has Special applied under the Access tab. This is not the case for the other OU despite delegating control. How am I able to configure this?
Hi @john akin
You should check if the extended right is well configured on the OU and computer objects:
Go to Advanced security settings for the impacted computer to

Check if extended rights is checked for the Admin group:

For more details : https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/you-might-want-to-audit-your-laps-permissions/ba-p/2280785
Please don't forget to mark helpful as accepted*
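
The comparison discussed in this thread can be done from PowerShell instead of the Advanced Security Settings dialog. The script below is an added example, not code from any poster in the thread: it reads (and does not change) the ACL of two OUs and lists every ACE that targets ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime or all extended rights, then shows which entries exist only on the working OU. It assumes the RSAT ActiveDirectory module is installed; the two OU distinguished names are placeholders.

```powershell
# Added example. OU distinguished names below are placeholders.
Import-Module ActiveDirectory
$WorkingOU = 'OU=Working,DC=example,DC=com'   # placeholder: OU where LAPS works
$BrokenOU  = 'OU=Broken,DC=example,DC=com'    # placeholder: OU where it does not

# Map the schemaIDGUID of each LAPS attribute named in the thread to its name.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsGuids = @{}
foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema attribute $attr not found" }
    $lapsGuids[[guid]$obj.schemaIDGUID] = $attr
}

function Get-LapsAce {
    param([Parameter(Mandatory)][string]$OU)
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in (Get-Acl -Path "AD:\$OU").Access) {
        $target = $null
        if ($lapsGuids.ContainsKey($ace.ObjectType)) {
            $target = $lapsGuids[$ace.ObjectType]            # ACE scoped to one LAPS attribute
        } elseif (($ace.ActiveDirectoryRights -band $extended) -and $ace.ObjectType -eq [guid]::Empty) {
            $target = 'All extended rights'                  # also covers Full control
        }
        if (-not $target) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Target    = $target
            Inherited = $ace.IsInherited
            Key       = '{0}|{1}|{2}|{3}' -f $ace.IdentityReference.Value, $ace.AccessControlType, $ace.ActiveDirectoryRights, $target
        }
    }
}

$working    = @(Get-LapsAce -OU $WorkingOU)
$broken     = @(Get-LapsAce -OU $BrokenOU)
$brokenKeys = @($broken | ForEach-Object { $_.Key })

'--- LAPS-related ACEs on the working OU ---'
$working | Format-Table Identity, Type, Rights, Target, Inherited -AutoSize
'--- LAPS-related ACEs on the non-working OU ---'
$broken | Format-Table Identity, Type, Rights, Target, Inherited -AutoSize
'--- Present on the working OU but missing from the non-working OU ---'
$working | Where-Object { $brokenKeys -notcontains $_.Key } |
    Format-Table Identity, Type, Rights, Target -AutoSize
```

In the legacy LAPS setup the computer account writes these two attributes itself, so an entry for NT AUTHORITY\SELF that appears only on the working OU is worth noting. Entries listed under "All extended rights" are the ones the linked Microsoft article suggests auditing.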