Marek_G
>>Can the transition from legacy LAPS be solved by uninstalling the legacy LAPS client and setting new policies at the same time?
Yes, that is a good approach. We will be fixing the bug that was called out at the bottom of the article in an upcoming update.
>>Where are passwords stored using the new LAPS please?
In legacy LAPS emulation mode, the passwords are stored in the existing legacy LAPS attributes (ms-Mcs-AdmPwd, etc).
>>Is it possible, as in the current one, to delegate the read-password authorization according to the OU?
Yes. You would use the Set-LapsADReadPermission cmdlet - see PowerShell docs.
>>In the case of encryption, can different groups be set for different OUs?
Yes - the target encryption group is configurable via the ADPasswordEncryptionPrincipal policy - see policy docs.
>>Is there any way to remove the existing schema extension for AdmPwd?
No way to remove those extensions AFAIK - but this is a long-standing AD limitation, not something specific to LAPS. AD does offer a "schema defunction" feature (see here), but honestly I would not be in any hurry to defunct the AdmPwd\legacy LAPS attributes.
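
The per-OU read delegation mentioned in the reply, followed by an audit of who else holds extended rights on each OU. This is an added example, not part of the original reply or Microsoft's own code. The OU distinguished names, group names and baseline list are constructed placeholders, and it assumes the LAPS PowerShell module that ships with Windows LAPS is available.

```powershell
# Run from a domain-joined machine with the Windows LAPS PowerShell module,
# as an account allowed to modify ACLs on the target OUs.
Import-Module LAPS

# Constructed sample mapping: OU distinguished name -> groups allowed to read
# LAPS passwords for computers in that OU. Replace with your own values.
$delegation = @{
    'OU=Workstations,DC=corp,DC=example' = @('CORP\Helpdesk-LAPS-Readers')
    'OU=Servers,DC=corp,DC=example'      = @('CORP\ServerOps-LAPS-Readers')
}

# Principals you expect to hold extended rights on every OU (assumption).
$baseline = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins')

foreach ($ou in $delegation.Keys) {
    $readers = $delegation[$ou]

    # Grant password read permission on this OU to its designated groups only.
    Set-LapsADReadPermission -Identity $ou -AllowedPrincipals $readers

    # Audit: list principals holding extended rights on the OU. Anything
    # outside the baseline and the intended readers deserves a closer look,
    # because extended rights allow reading confidential attributes.
    foreach ($entry in Find-LapsADExtendedRights -Identity $ou) {
        $unexpected = $entry.ExtendedRightHolders |
            Where-Object { $_ -notin ($baseline + $readers) }

        if ($unexpected) {
            Write-Warning ("{0}: unexpected extended-right holders: {1}" -f
                $entry.ObjectDN, ($unexpected -join ', '))
        }
        else {
            Write-Output ("{0}: no unexpected extended-right holders" -f $entry.ObjectDN)
        }
    }
}
```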