LAPS Setup in Child Domain

Adam Weight 41 Reputation points
2022-06-28T16:35:34.833+00:00

We have a 3 domain forest consisting of the root forest domain and two child domains. We have LAPS setup and functioning properly on the root domain of the forest. I am trying to implement LAPS for one of the child domains, and am running into issues. When I try to run any PS commands to view or setup LAPS configuration in the child domain I am receiving the error "The object does not exist." Searching online shows that this normally means the schema has not been updated. However, the schema is implemented and updated at the root of the forest, and the computer attributes do appear in the child domain as well, but I am still getting this error.

For example, in the child domain I am trying to run the following command to view the admpwdextendedrights:
Find-AdmPwdExtendedRights -Identity "OU=New Computers,DC=child,DC=root,DC=com" | ft

and receive the error: "Find-AdmPwdExtendedRights : The object does not exist."

This also happens when trying to add permissions for a group to administrate LAPS:
Set-AdmPwdReadPasswordPermission -Identity "OU=New Computers,DC=child,DC=root,DC=com" -AllowedPrincipals "LAPS_Admins"
error "Set-AdmPwdReadPasswordPermission : The object does not exist."

However, running these same commands against an OU in the root parent domain works as expected and returns results.


Accepted answer
Gary Reynolds 8,811 Reputation points
2022-06-29T08:23:53.133+00:00

    Hi @Adam Weight

    I've tried the command from the root and child domain, and you do get errors if some of the information on the command line is wrong, but you can set the child domain permissions from the root domain controller, using a delegation group in the root.

    From the Root Domain Controllers, with the LAPS_Admin in the root domain:

    OU doesn't exist:
    216052-image.png

    Delegation group i.e. LAPS_Admins doesn't exist:
    215930-image.png

    Powershell prompt not running with Administrator Rights:
    216061-image.png

    Set the permissions on the root, with admin rights
    216036-image.png

    Setting permissions on an OU in the child domain, from the root domain
    215958-image.png

    From the child domain controller:

    Set the permissions for the delegation group in the root domain
    216025-image.png

    And the permissions set on the OU should show that the root delegation group has been assigned the correct permissions:

    216013-image.png

    Gary.
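The answer above narrows "The object does not exist" down to three inputs the AdmPwd.PS cmdlets cannot resolve: the OU distinguished name, the delegation group, or a non-elevated prompt. The following script is an added example (it is not from this thread, and not Adam's or Gary's code) that checks each of those against the right domain before applying the delegation, and then reads the resulting extended rights back so that unexpected holders stand out. The domain names, the OU path and the group name are the hypothetical values from the question; the list of principals treated as expected (SYSTEM plus the delegation group) is an assumption you should adjust to your environment.

```powershell
# Added example, not from the thread. Preflight the inputs that make the
# AdmPwd.PS cmdlets report "The object does not exist", apply the
# read-password delegation on a child-domain OU from the root domain (as the
# accepted answer describes), and audit who ends up holding the right.
# Hypothetical values: root.com forest root, child.root.com child domain,
# LAPS_Admins global group in the root domain.
#Requires -RunAsAdministrator
Import-Module AdmPwd.PS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$RootDomain  = 'root.com'
$ChildDomain = 'child.root.com'
$TargetOU    = 'OU=New Computers,DC=child,DC=root,DC=com'
$Delegate    = 'LAPS_Admins'   # group lives in the root domain

# 1. Schema: the LAPS attributes sit in the forest-wide schema partition, so
#    a single check against the root covers every child domain.
$schemaNC = (Get-ADRootDSE -Server $RootDomain).schemaNamingContext
foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $found = Get-ADObject -Server $RootDomain -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$attr)" -ErrorAction SilentlyContinue
    if (-not $found) {
        throw "Schema attribute $attr is missing; run Update-AdmPwdADSchema as a Schema Admin first."
    }
}

# 2. OU: resolve it against a DC of the domain that actually holds it. A typo
#    in the DN is the first cause of "The object does not exist" in the answer.
$ou = Get-ADOrganizationalUnit -Server $ChildDomain -Identity $TargetOU -ErrorAction SilentlyContinue
if (-not $ou) { throw "OU '$TargetOU' was not found in $ChildDomain." }

# 3. Delegation group: resolve it in the root domain and insist on a scope that
#    can be referenced from another domain (domain-local groups cannot be).
$grp = Get-ADGroup -Server $RootDomain -Identity $Delegate -ErrorAction SilentlyContinue
if (-not $grp) { throw "Group '$Delegate' was not found in $RootDomain." }
if ($grp.GroupScope -eq 'DomainLocal') {
    throw "Group '$Delegate' is domain-local; use a global or universal group for cross-domain delegation."
}
$rootNetbios = (Get-ADDomain -Server $RootDomain).NetBIOSName
$principal   = "$rootNetbios\$Delegate"

# 4. Apply the delegation exactly as in the thread, then read it back.
Set-AdmPwdReadPasswordPermission -Identity $TargetOU -AllowedPrincipals $principal

# 5. Audit: every principal holding the extended right on the OU (and on the
#    computers beneath it) that is not in the expected set gets reported.
#    The expected set below is an assumption; extend it with your own
#    approved delegates.
$expected = @($principal, 'NT AUTHORITY\SYSTEM')
$report = foreach ($entry in (Find-AdmPwdExtendedRights -Identity $TargetOU -IncludeComputers)) {
    $extra = @($entry.ExtendedRightHolders | Where-Object { $_ -notin $expected })
    [pscustomobject]@{
        ObjectDN          = $entry.ObjectDN
        ExpectedHolders   = @($entry.ExtendedRightHolders | Where-Object { $_ -in $expected }) -join '; '
        UnexpectedHolders = $extra -join '; '
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.UnexpectedHolders }) {
    Write-Warning "Principals outside the expected delegation list can read LAPS passwords under $TargetOU; review them."
}
```

Find-AdmPwdExtendedRights only lists principals that hold the right on the object itself (or, with -IncludeComputers, on the computer objects), so anything that appears in the UnexpectedHolders column is an ACE you did not grant through this script and should be explained or removed.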

