Find-LapsADExtendedRights
Queries Active Directory (AD) to find principals that have been granted permission to read Windows Local Administrator Password Solution (LAPS) password attributes.
Syntax
Default (Default)
Find-LapsADExtendedRights
    [-Credential <PSCredential>]
    -Identity <String[]>
    [-Domain <String>]
    [-DomainController <String>]
    [-IncludeComputers]
    [<CommonParameters>]
Description
The Find-LapsADExtendedRights cmdlet is used by administrators to query which principals have been granted permissions to read the LAPS password attributes.
Examples
Example 1
Find-LapsADExtendedRights -Identity LapsTestOU
ObjectDN                     ExtendedRightHolders
--------                     --------------------
OU=LapsTestOU,DC=laps,DC=com {NT AUTHORITY\SYSTEM, LAPS\Domain Admins, LAPS\LapsAdmins}
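This example queries the LapsTestOU OU and returns the principals that have been granted permission to read the LAPS password attributes on it.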
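The following is an added example, not part of the original reference page: it compares the holders returned by the cmdlet against an approved list and reports any principal that can read LAPS passwords but is not on that list. The function name Get-UnexpectedLapsReader, the allow-list, and the sample objects (including LAPS\HelpDesk and OU=Workstations) are assumptions made for illustration; it also assumes the ObjectDN and ExtendedRightHolders columns shown in Example 1 are properties on the output objects and that the holders are account-name strings.

```powershell
# Added example: flag principals that can read LAPS passwords but are not approved.
function Get-UnexpectedLapsReader {
    [CmdletBinding()]
    param(
        # Objects shaped like the Example 1 output (ObjectDN, ExtendedRightHolders).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $InputObject,

        # Principals expected to hold the right (assumed allow-list).
        [Parameter(Mandatory)]
        [string[]] $Approved
    )
    process {
        # @() handles both a single holder and a collection of holders.
        foreach ($holder in @($InputObject.ExtendedRightHolders)) {
            # -notcontains compares strings case-insensitively by default.
            if ($Approved -notcontains $holder) {
                [pscustomobject]@{
                    ObjectDN  = $InputObject.ObjectDN
                    Principal = $holder
                }
            }
        }
    }
}

# Assumed allow-list for this environment.
$approved = 'NT AUTHORITY\SYSTEM', 'LAPS\Domain Admins', 'LAPS\LapsAdmins'

# Constructed sample input mirroring the output columns in Example 1.
# The second OU and LAPS\HelpDesk are made up so the check has something to report.
$sample = @(
    [pscustomobject]@{
        ObjectDN             = 'OU=LapsTestOU,DC=laps,DC=com'
        ExtendedRightHolders = @('NT AUTHORITY\SYSTEM', 'LAPS\Domain Admins', 'LAPS\LapsAdmins')
    }
    [pscustomobject]@{
        ObjectDN             = 'OU=Workstations,DC=laps,DC=com'
        ExtendedRightHolders = @('NT AUTHORITY\SYSTEM', 'LAPS\Domain Admins', 'LAPS\HelpDesk')
    }
)

$sample | Get-UnexpectedLapsReader -Approved $approved

# Against a live domain, pipe the cmdlet's output instead:
# Find-LapsADExtendedRights -Identity LapsTestOU -IncludeComputers |
#     Get-UnexpectedLapsReader -Approved $approved
```

With the constructed sample, the only row reported is LAPS\HelpDesk on OU=Workstations,DC=laps,DC=com.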
Parameters
-Credential
Specifies the credentials to use when querying AD. If not specified, the current user's credentials are used.
Parameter properties
Type: | PSCredential |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-Domain
Specifies the name of the domain to connect to.
Parameter properties
Type: | String |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-DomainController
Specifies the name of the domain controller to connect to.
Parameter properties
Type: | String |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-Identity
Specifies the name of the OU to query.
This parameter accepts several different name formats that influence the criteria used in the resultant AD search. The supported name formats are as follows:
- distinguishedName (begins with a CN=)
- name (for all other inputs)
Querying permissions on the domain root is only supported using the distinguishedName input format, for example 'DC=laps,DC=com'.
Parameter properties
Type: | String[] |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | True |
Value from pipeline: | True |
Value from pipeline by property name: | True |
Value from remaining arguments: | False |
-IncludeComputers
Specify this parameter to also check computer objects for the permissions.
Parameter properties
Type: | SwitchParameter |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.