LAPS - revoking access of a group

Antoine TORGANI 11 Reputation points
2020-09-28T14:11:51.023+00:00

Hello,

I added a group with Set-AdmPwdReadPasswordPermission on an OU and now I need to revoke this access because we have some sub-OUs where this group doesn't need to have access.

When I try to use ADSI Edit to revoke the access, all extended rights are unchecked and the ms-Mcs-AdmPwd attribute is not present.

Is there any way to revoke it with PowerShell? Maybe a remove-AdmPwdReadPasswordPermission?

Thank you


2 answers

  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-09-29T01:14:15.883+00:00

    Hi,
    Based on my research, there is no such command to remove the permission.
    You can do it through the Security tab on the sub-OU directly.
    Best Regards,


  2. bahnjee 21 Reputation points
    2021-04-15T15:08:11.91+00:00

    I'm in a similar boat. However, in my situation, Find-AdmPwdExtendedRights shows that BUILTIN\Users has read access but there's no such item listed in the OU's properties. The closest thing is MyDomain\Users, but their All extended rights box is not checked.

    Can anyone provide a way to remove BUILTIN\Users?

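As an added example (not from any of the posts above, and not part of the AdmPwd.PS module): one way to script the revocation asked about in the question is to edit the OU's ACL through the ActiveDirectory module's AD: drive, listing every entry that can read the password first. The OU DN and group name are placeholders, and the script assumes the entry to remove is an explicit ACE scoped to the ms-Mcs-AdmPwd attribute on the OU where Set-AdmPwdReadPasswordPermission was run.

```powershell
# Added example: audit and revoke a LAPS password-read ACE on one OU.
Import-Module ActiveDirectory

$OuDn  = 'OU=Workstations,DC=example,DC=com'  # placeholder OU (assumption)
$Group = 'EXAMPLE\LAPS-Readers'               # placeholder group (assumption)

# Read the attribute's GUID from the schema rather than hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd not found: LAPS schema extension missing.' }
$attrGuid = [guid]$attr.schemaIDGUID

$path = "AD:\$OuDn"
$acl  = Get-Acl -Path $path

# Allow ACEs that can expose the password: control access (ExtendedRight)
# scoped to the attribute, or to all extended rights (empty ObjectType GUID).
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extRight) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
}
$readers | Format-Table IdentityReference, ActiveDirectoryRights,
    ObjectType, IsInherited -AutoSize

# Only explicit ACEs can be removed on this OU. Inherited ones (IsInherited
# = True) have to be removed on the parent object that defines them.
$toRemove = @($readers | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Value -eq $Group -and
    $_.ObjectType -eq $attrGuid
})
foreach ($ace in $toRemove) { $acl.RemoveAccessRuleSpecific($ace) }

if ($toRemove.Count -gt 0) {
    # Drop -WhatIf once the table above has been reviewed.
    Set-Acl -Path $path -AclObject $acl -WhatIf
} else {
    Write-Warning "No explicit ms-Mcs-AdmPwd ACE for $Group on $OuDn."
}
```

Because the grant on a parent OU reaches sub-OUs by inheritance, the IsInherited column shows whether an entry has to be removed here or on the parent; Find-AdmPwdExtendedRights can be re-run afterwards to confirm the result.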