MHussainArif-5163 asked FanFan-MSFT answered

LAPS Segregation Per OU

We have deployed LAPS and it's working well.
We've assigned the permissions to the IT support team to fetch the passwords, and they are able to fetch the passwords of all OUs' computers.

Environment: We have multiple sites, and one IT support engineer is responsible for managing their own site (creating users, deletions etc. in a particular OU).

Requirement: Every IT support engineer should have rights to fetch only their own site's computer passwords.
He should not be able to fetch the passwords of any other OU's computers.
How can we achieve this? I didn't find any option for this bifurcation. Please suggest.

Tags: windows-active-directory, windows-server-2016, windows-group-policy

FanFan-MSFT answered MHussainArif-5163 commented

Hi,
Thanks for posting here!

LAPS is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints.
If you mean permission to read the local administrator password, you can delegate read access to a specific user or group on a specific OU with a PowerShell command:

Set-AdmPwdReadPasswordPermission -Identity "OU Name" -AllowedPrincipals "User or Group Name"

For more details and steps you can refer to the following article:
https://blog.nowmicro.com/2018/02/28/configuring-laps-part-1-configuring-active-directory/
Please note: The mentioned product is owned and operated by a third party. Microsoft has no control regarding the product's performance and reliability.


Best Regards,


I'm not asking about the delegation only; I know how to delegate and it's working already.
I want to confirm how I can delegate users at the OU level so that a technician can see only its own OU's computer passwords.

FanFan-MSFT answered

Hi,
If the IT support engineer is able to fetch the passwords of any other OU's computers, you can check and change the permission by:

Right-click the OU, go to Properties -> Security, then click the Advanced button. Select the "Authenticated Users" (in this example) principal and click Edit.
Make sure that "All extended rights" is unchecked. Then click OK to apply the change.
Or, if you find other users who should not be able to view the PCs' passwords in this OU, you can change it the same way (make sure that "All extended rights" is unchecked).

I did a test: created 2 users, LAPS1 and LAPS2.
Assigned permission for LAPS1 to view passwords in the PC OU, but not in the SERVERS OU.
Assigned permission for LAPS2 to view passwords in the SERVERS OU, but not in the PC OU.

And it works perfectly.

Best Regards,

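As an added example (not code from the thread, Microsoft, or the linked article), here is the per-OU delegation the answers describe, scripted for several sites together with an audit that surfaces any other principal still holding extended rights on each OU. The cmdlets are from the legacy LAPS AdmPwd.PS module; the OU distinguished names, group names and the "expected" principal list are constructed placeholders.

```powershell
# Added example: delegate LAPS password reads per site OU, then audit each OU
# for any other principal that can still read ms-Mcs-AdmPwd.
# Assumptions (constructed for this example): the legacy LAPS AdmPwd.PS module
# is installed, and the OU DNs and group names below are placeholders.
Import-Module AdmPwd.PS

# Map each site OU to the single helpdesk group allowed to read its passwords.
$siteDelegations = @{
    'OU=Site-A,OU=Workstations,DC=corp,DC=example' = 'CORP\SiteA-Helpdesk'
    'OU=Site-B,OU=Workstations,DC=corp,DC=example' = 'CORP\SiteB-Helpdesk'
}

# Principals that are acceptable readers on every OU (assumed for this example).
$alwaysExpected = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins')

foreach ($ou in $siteDelegations.Keys) {
    $group = $siteDelegations[$ou]

    # Grant read (and reset) rights on this OU only. The ACE is placed on the
    # OU itself, so it does not apply to sibling site OUs.
    Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $group
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $group

    # Audit: list every holder of extended rights on the OU and its computers.
    # Anything beyond the intended group is a finding, typically an inherited
    # "All extended rights" ACE such as the Authenticated Users case above.
    $expected = $alwaysExpected + $group
    Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers |
        ForEach-Object {
            $unexpected = @($_.ExtendedRightHolders) |
                Where-Object { $expected -notcontains $_ }
            if ($unexpected) {
                Write-Warning ("{0}: unexpected password readers: {1}" -f `
                    $_.ObjectDN, ($unexpected -join ', '))
            }
        }
}
```

Run the audit part on its own after any ACL change on a site OU; a warning line means a principal outside the site's helpdesk group can still read that OU's passwords.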