Hello Franz Schenk,
Thank you for posting in Microsoft Community forum.
Have tried to execute "Set-LapsADComputerSelfPermission -Identity LAPS-Pilotserver". This doesn't work (error "the search filter is invalid"). But when executing the same command with the full DN Name of the OU "LAPS-Pilotserver" the command works.
A: You can also use the DN in the command.
There must be an issue with the rights to read the passwords. When running "Find-LapsADExtendedRights", I get only the OU. According to the documentation, the domain admin group should be in the list.
A: It seems the DN of the OU is too long, so you cannot see the ExtendedRightHolders part of the command result (I can see ... in the result).
You can try to copy and paste the result on the first screenshot to check the result.
Or you can export the result on the first screenshot to one txt file to check the result.
1. Please check if you can see the LAPS password via the command Get-LapsADPassword -Identity ComputerName -AsPlainText
Note: you should change the computername using one machine name in the OU.
2. Please check if you have configured a password policy within one GPO and linked the GPO to the OU.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou