MicrosoftI have gone through the steps outlined in the LAPS Operations Guide, and everything works. The problem I am having is that two test "domain users" that are not in any privileged groups can see the password (meaning all non-privileged users can see the password). I checked permission on the computer OU, and the two specific users do not have "all extended rights". I ran the powershell command Find-AdmPwdExtendedRights on the OU, and it only lists {NT AUTHORITY\SYSTEM, CITY\Domain Admins}. Check effective permission, and it does list Authenticated users having rights to "read all properties", and the two attributes are also checked. Looking that the document (and the screen shot above), it appears that the "read all properties" is ok, as long as the "all extended rights" is not set. I don't know where else to look.
