Welcome to the new and improved Windows LAPS! That's Local Administrator Password Solution. We've been listening to your feedback and requests, and the day is finally here for both cloud and on-premi...
I have a question regarding Windows LAPS, more precisely about password reading permissions and changing the password expiration date.
I always use the AGDLP concept to create groups and permissions: Account > Global Group > Domain Local > Permission.
I ran the Set-LapsADReadPasswordPermission and Set-LapsADReadPasswordPermission commands, specifying the Domain Local groups. Password encryption is enabled.
User Carlos was added to the groups G-G-LAPS-READ-PASSWORD and G-G-LAPS-RESET-PASSWORD.
The G-G-LAPS-READ-PASSWORD and G-G-LAPS-RESET-PASSWORD groups are members of the respective G-DL-LAPS-READ-PASSWORD and G-DL-LAPS-RESET-PASSWORD groups.
User Carlos is also part of the G-DL-LAPS-DECRYPTORS-PASSWORD group, configured in the "Configure authorized password decryptors" GPO.
The test user Carlos has permission to read the password and to perform a Windows LAPS password reset, but an error occurs when trying to change the password expiration date.
If you add the user Carlos to the Domain Admins group, the error does not occur.
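
An added example, not part of the original post: one way to check the delegation described in the question, run from a session that has the ActiveDirectory and LAPS modules. It resolves Carlos's nested (AGDLP) group membership, lists who holds extended rights on the OU, and shows which principals have an ACE on the `msLAPS-PasswordExpirationTime` attribute, which is the right that `Set-LapsADResetPasswordPermission` delegates. The OU path, the computer name and the account name `Carlos` as a sAMAccountName are assumptions and placeholders.

```powershell
# Added example. Placeholders/assumptions: $ou, $computer, and 'Carlos' as sAMAccountName.
Import-Module ActiveDirectory, LAPS

$ou       = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU with the LAPS-managed computers
$computer = 'PC-EXAMPLE-01'                        # placeholder: one managed computer
$user     = Get-ADUser -Identity 'Carlos'          # assumed account name

# 1. Nested membership: the transitive matching rule (1.2.840.113556.1.4.1941)
#    follows Account > Global > Domain Local nesting in a single query.
$filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$groups = Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name

'G-DL-LAPS-READ-PASSWORD',
'G-DL-LAPS-RESET-PASSWORD',
'G-DL-LAPS-DECRYPTORS-PASSWORD' | ForEach-Object {
    [pscustomobject]@{ Group = $_; UserIsMember = ($groups -contains $_) }
}

# 2. Principals that hold extended rights on the OU (password read side).
Find-LapsADExtendedRights -Identity $ou

# 3. Principals with an ACE scoped to msLAPS-PasswordExpirationTime on the OU.
#    The attribute GUID is read from the schema rather than hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msLAPS-PasswordExpirationTime)' `
    -Properties schemaIDGUID
$expirationGuid = [System.Guid]$attr.schemaIDGUID

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.ObjectType -eq $expirationGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# 4. Reproduce the operation as the delegated user (after a fresh logon so the
#    access token contains the current group membership) and capture the error text.
try {
    Set-LapsADPasswordExpirationTime -Identity $computer `
        -WhenEffective (Get-Date).AddDays(1) -Verbose -ErrorAction Stop
}
catch {
    $_.Exception.Message
}
```

If step 3 returns no ACE for G-DL-LAPS-RESET-PASSWORD, the reset-expiration right has not been delegated to that group on the OU.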