LAPS Deployment to the whole domain

  • Question

  • If we use the commands below to set up LAPS for the whole domain instead of by OU, is that OK to do? I am reading about setting it up by OU, but we just want to set it and forget it, so that in the future we will not have to remember to run the commands when new OUs come online.

    # Machine self-permission (SELF write on the LAPS password attributes), applied at the domain root
    Set-AdmPwdComputerSelfPermission -Identity "DC=DOMAINx,DC=org"

    # Read and reset rights for the LAPSAdmins group, also applied at the domain root
    Set-AdmPwdReadPasswordPermission -Identity "DC=DOMAINx,DC=org" -AllowedPrincipals "LAPSAdmins"
    Set-AdmPwdResetPasswordPermission -Identity "DC=DOMAINx,DC=org" -AllowedPrincipals "LAPSAdmins"

    I have it on good authority that if you type Google into Google you will bring down the internet...

    Monday, August 14, 2017 3:51 PM

All replies

  • Hi,

    Set-AdmPwdComputerSelfPermission - delegation rights to the machines

    Set-AdmPwdReadPasswordPermission & Set-AdmPwdResetPasswordPermission - user permissions for reading and resetting password.

    You can deploy LAPS domain-wide, but I would only do that for the machine delegation rights, not for the admin permissions. If you already have a "LAPSAdmins" group, I assume the group itself isn't going to move OU. I'm really not sure what impact domain-wide permissions would have on LAPS. I would target the OU and group only for permissions.

    Wednesday, August 23, 2017 2:20 PM
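    Putting the question's three commands and the reply's recommendation together in one script, as an added example that is not part of the thread: the machine self-permission goes on the domain root so that new OUs inherit it, while read and reset rights for the admin group are scoped to specific OUs, and the result is audited with Find-AdmPwdExtendedRights. The OU names, the LAPSAdmins group and the domain are placeholders; the script assumes the AdmPwd.PS module shipped with the LAPS installer is present and the schema extension has already been done.

```powershell
# Added example, not code from the original post.
# Assumes: AdmPwd.PS (from the LAPS installer) and the ActiveDirectory module are
# installed, the schema has been extended, and the account running this can edit
# ACLs on the domain root and the listed OUs. OU and group names are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$DomainDN   = (Get-ADDomain).DistinguishedName        # e.g. DC=DOMAINx,DC=org
$AdminGroup = 'LAPSAdmins'                            # assumed group name
$ManagedOUs = @(                                      # assumed OU names
    "OU=Workstations,$DomainDN",
    "OU=Servers,$DomainDN"
)

# 1. Machine self-permission at the domain root. The ACE is inheritable, so every
#    computer object under the root, including ones in OUs created later, gets SELF
#    write on ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. This is the "set it and
#    forget it" part; nothing else is granted here.
Set-AdmPwdComputerSelfPermission -Identity $DomainDN

# 2. Read and reset rights for the admin group, scoped per OU as the reply suggests.
#    Granting these at the root would let the group read the local admin password of
#    every computer object in the domain, present or future.
foreach ($ou in $ManagedOUs) {
    Set-AdmPwdReadPasswordPermission  -Identity $ou -AllowedPrincipals $AdminGroup
    Set-AdmPwdResetPasswordPermission -Identity $ou -AllowedPrincipals $AdminGroup
}

# 3. Audit. Any principal holding extended rights on a computer object can read the
#    stored password, whether or not LAPS granted it, so check each OU for holders
#    you did not expect (e.g. an old helpdesk delegation of "All extended rights").
foreach ($ou in $ManagedOUs) {
    Write-Host "Extended-rights holders under $ou"
    Find-AdmPwdExtendedRights -Identity $ou |
        Select-Object ObjectDN, ExtendedRightHolders |
        Format-Table -AutoSize
}
```

    Re-running step 2 for a new OU is the only recurring task in this layout; step 1 never needs repeating unless inheritance has been blocked on an OU, in which case the self-permission must be set on that OU explicitly.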