LAPS Segregation Per OU

Muhammad Hussain 201 Reputation points
2020-08-06T17:57:59.537+00:00

We have deployed LAPS and it is working well.
We've assigned permissions to the IT support team to fetch the passwords, and they are able to fetch the passwords of all OUs' computers.

Environment: We have multiple sites, and one IT support engineer is responsible for managing their own site (user creation, deletion, etc. in a particular OU).

Requirement: Every IT support engineer should have rights to fetch only the passwords of their own site's computers.
They should not be able to fetch the passwords of any other OU's computers.
How can we achieve this? I didn't find any option for this bifurcation. Please suggest.


2 answers

  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-08-07T03:15:58.587+00:00

    Hi,
    Thanks for posting here!

    LAPS is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints.
    If you mean permission to read the local administrator password, you can delegate read access to a specific user or group on a specific OU with a PowerShell command:

    Set-AdmPwdReadPasswordPermission -Identity "OU Name" -AllowedPrincipals "User or Group Name"

    For more details and steps you can refer to the following article:
    https://blog.nowmicro.com/2018/02/28/configuring-laps-part-1-configuring-active-directory/
    Please note: The mentioned product is owned and operated by a third party. Microsoft has no control regarding the product's performance and reliability.

    Best Regards,


  2. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-08-10T04:57:58.327+00:00

    Hi,
    If an IT support engineer is able to fetch the passwords of any other OU's computers, you can check and change the permission by:

    Right-click the OU, go to Properties -> Security, then click the Advanced button. Select the "Authenticated Users" (in this example) principal and click Edit.
    Make sure that "All extended rights" is unchecked. Then click OK to apply the change.
    Or, if you find that other users should not be able to view the PCs' passwords in this OU, you can change it the same way (make sure that "All extended rights" is unchecked).

    I did a test: created 2 users, LAPS1 and LAPS2.
    Assigned permission for LAPS1 to view passwords in the PC OU, but it can't view passwords in the SERVERS OU.
    Assigned permission for LAPS2 to view passwords in the SERVERS OU, but it can't view passwords in the PC OU.

    And it works perfectly.

    Best Regards,

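The per-site delegation described in the first answer and the "All extended rights" audit from the second answer, combined into one script as an added example. This is not code from either answer or from the LAPS project; it assumes the AdmPwd.PS module that ships with the LAPS management tools is installed on the admin workstation, and the OU distinguished names and group names are hypothetical placeholders for your own directory.

```powershell
# Added example (not from the original post): one LAPS reader group per site OU,
# then an audit of which principals hold extended rights on each OU.
# Assumes the AdmPwd.PS module is installed. OU DNs and group names are placeholders.
Import-Module AdmPwd.PS

# Map each site's computer OU to the single support group allowed to read its passwords.
# (Hypothetical values: replace with your own OUs and groups.)
$siteDelegations = @{
    'OU=Computers,OU=SiteA,DC=corp,DC=example' = 'CORP\LAPS-Readers-SiteA'
    'OU=Computers,OU=SiteB,DC=corp,DC=example' = 'CORP\LAPS-Readers-SiteB'
}

foreach ($ou in $siteDelegations.Keys) {
    $group = $siteDelegations[$ou]
    # Grant read of ms-Mcs-AdmPwd on this OU only to this site's group. Because the
    # right is scoped to the OU, SiteA's group gets nothing on SiteB's computers.
    Set-AdmPwdReadPasswordPermission -Identity $ou -AllowedPrincipals $group | Out-Null
    Write-Host "Delegated password read on $ou to $group"
}

# Audit: any principal holding "All extended rights" on an OU can read every LAPS
# password beneath it, regardless of the delegation above. Each OU should list only
# its own site group plus the built-in admin principals you expect; anything else
# (e.g. Authenticated Users) is what the second answer tells you to remove via
# the OU's Security -> Advanced dialog.
foreach ($ou in $siteDelegations.Keys) {
    Write-Host "`nExtended-rights holders on $ou :"
    Find-AdmPwdExtendedRights -Identity $ou |
        Select-Object -ExpandProperty ExtendedRightHolders
}
```

Run the audit loop on its own after any OU permission change; it is the quickest way to confirm that the blanket right that let every engineer read every site's passwords is actually gone.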