LAPS not working after Delegation

Question

Currently I have LAPS Group Policy applied to each OU of my AD environment and I'm able to generate credentials for the local admin account for all the various hosts that exist within them.

The is one OU that did not give the LAPS admin group permission to generate passwords. Unfortunately this was before my time and I don't understand why this OU was not configured to give permission to the LAPS group to generate passwords for its host. This OU does have the GP linked to it.

I proceeded to delegate control to the LAPS admin security group and give it permission to make changes as to the following attributes: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. Despite following the guidance, I'm unable to generate passwords for hosts within the OU.

I have moved the hosts to other OUs and I'm to generate the credentials without any issues.

I noticed when I accessed the Advanced Security Settings for the OU without issues and compared to the one with issues that the LAPS security group has "Special" access under the Permission entries, however this is not the case for the OU that doesn't have LAPS work. I'd like some insight into why this is the case.

P.S. - I've had to manually delegate control to the LAPS security group for the non-operational OU, this is not the case for the other operational OUs. These where configured before my time.

Any help will be much appreciated!

Answer 1

Hi @john akin

To delegate user or group to reset LAPS you have to run the following command :

Set-AdmPwdResetPasswordPermission –Identity “OU Name” -AllowedPrincipals “User or Group Name”

Before running the command above , check if the inherited permissions is not disabled between this OU and its child object.

Please don't forget to mark helpful answer as accepted