Would like to allow one user on one computer to view their local admin password via LAPS - is it possible?

  • Question

  • A previous domain admin set up LAPS for our entire domain several years ago, and it's worked out pretty well. We have a group of users, developers, whom our directors have decided can be allowed to view the LAPS-generated admin password for their specific machine.

    Right now, those developer users are in the same OU as the rest of our users, and their computers are in the same OU as the rest of the Windows 10 computers. No separation.

    I was wondering if it's possible to use Set-AdmPwdReadPasswordPermission in PowerShell to allow just the user in question to read his own password in LAPS-UI. Then our devs can just copy the password out of LAPS-UI, right-click on the program they want to install, run as administrator, and use the local admin account.


    Set-AdmPwdReadPasswordPermission -Identity devcomputer1 -AllowedPrincipals Domain\devusername1

    This isn't working at the moment, as it says "Object not found" - I'm not a powershell expert and I'm kind of taking on this task since the prior domain admin left. Am I barking up the wrong tree? Do I need to segregate the devcomputers into their own OU, and the devusernames into their own OU as well in order to do this? Do I need to write out the full path to devcomputer1 as fqdn/OU/OU/computername? And the AllowedPrincipals as Domain\Group or can I use Domain\User?

    According to this article, the author says "Granting Rights to User or Groups to Read and Reset the Password" (emphasis mine) which implies to me that it should be possible to allow an individual user the right to do something, but I'm not sure about the individual computer? We'd like to do as little messing with how computers are laid out in the OUs as possible for GPO purposes.

    Can anyone tell me if what I'm suggesting is possible, and if so, what I'm missing in terms of the proper way to write it out in PowerShell? Also, pardon my ignorance, but do I need to run these commands while in a PowerShell window on the devcomputer? Or can I run it on any machine that has access to write to AD?

    Thursday, July 26, 2018 7:46 PM
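An added example, not part of the original post or of the LAPS module. Set-AdmPwdReadPasswordPermission is documented as taking an OU name or distinguished name in -Identity and it writes the ACE to that OU so that it is inherited by the computer objects underneath, which is consistent with "Object not found" when it is handed a computer name. The same ACE can be placed directly on one computer object with Set-Acl, which is what the script below does, so no computers or users need to be moved between OUs. What the ACE must contain: ms-Mcs-AdmPwd is a confidential attribute, so plain ReadProperty is not enough; the reader also needs the Control Access (ExtendedRight) bit scoped to that attribute, and the attribute's schemaIDGUID is generated when the LAPS schema extension is installed, so it must be looked up rather than hard-coded. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), an account allowed to modify the ACL of the computer object, and treats DOMAIN, devcomputer1 and devusername1 as placeholders. It can be run from any domain-joined machine that has the module; nothing has to run on the developer's PC.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory,
# the LAPS schema extension already present, and placeholder names below.
Import-Module ActiveDirectory

# The schemaIDGUID of ms-Mcs-AdmPwd differs between forests; query it.
function Get-LapsPasswordAttributeGuid {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) {
        throw 'ms-Mcs-AdmPwd is not in the schema; is the LAPS schema extension installed?'
    }
    return [guid]$attr.schemaIDGUID
}

# Grant one principal read access to the LAPS password of one computer object.
# ReadProperty + ExtendedRight (Control Access) on the attribute is the same
# pair that Set-AdmPwdReadPasswordPermission writes at OU level, minus inheritance.
function Grant-LapsReadOnComputer {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # sAMAccountName without trailing $
        [Parameter(Mandatory)][string]$Principal       # DOMAIN\user or DOMAIN\group
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $path     = "AD:\$($computer.DistinguishedName)"
    $sid      = [System.Security.Principal.NTAccount]::new($Principal).Translate(
                    [System.Security.Principal.SecurityIdentifier])
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'
    $rule     = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                    $sid,
                    $rights,
                    [System.Security.AccessControl.AccessControlType]::Allow,
                    (Get-LapsPasswordAttributeGuid),
                    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)  # this object only

    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Show who can read the password on a computer. Entries with IsInherited = True
# come from OU-level grants (Set-AdmPwdReadPasswordPermission); False means they
# were set on the object itself, as above.
function Get-LapsReadersOnComputer {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    $guid     = Get-LapsPasswordAttributeGuid
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access |
        Where-Object { $_.ObjectType -eq $guid -and $_.ActiveDirectoryRights.HasFlag($extRight) } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

Grant-LapsReadOnComputer -ComputerName 'devcomputer1' -Principal 'DOMAIN\devusername1'
Get-LapsReadersOnComputer -ComputerName 'devcomputer1'
```

Run it as an account that can write the computer object's security descriptor (a domain admin, or a delegated account with WriteDacl on that object). Once the ACE is in place, LAPS-UI will show the password to devusername1 for devcomputer1 and for nothing else; the ACE grants read only, so the user cannot force a reset, which would need WriteProperty on ms-Mcs-AdmPwdExpirationTime. Because the ACE is explicit rather than inherited, it survives if the computer is later moved to another OU, so keep an inventory of such per-object grants; the Get-LapsReadersOnComputer function above is one way to audit them.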

All replies