Forum Discussion
Enabling LAPS on Exchange Servers
Further to this, I've tried giving the necessary permissions to the AdminSDHolder object. Frustratingly, this doesn't work either, for the reasons given below.
The LAPS guide states to use PowerShell commands, e.g.:
Set-AdmPwdResetPasswordPermission -OrgUnit "CN=AdminSDHolder,CN=System,DC=contoso,DC=com" -AllowedPrincipals "contoso\LAPS Password Readers"
This command gives Write permissions on the ms-Mcs-AdmPwd attribute to Descendant Computer objects only. So, when the AdminSDHolder permissions are copied to MX1, it doesn't give the permission to MX1 itself but to its children, which of course it doesn't have.
Okay, so I've tried changing Applies To 'Descendant Computer Objects' to 'This Object only' and 'This Object and All Descendants'. When I do that and Apply the Permission changes, the Permission disappears. Why? Because the Active Directory Schema doesn't give Container objects the ms-Mcs-AdmPwd (and related) attributes. I can't manually add the permission at all, because the schema doesn't allow it...
Manual modification of the Active Directory schema doesn't seem preferable, but I can't see any other options... Suggestions welcome!
Kind regards,
Alex
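The following is an added example, not part of the original post, for checking the situation Alex describes from the auditing side: it lists every ACE on a single computer object that names the ms-Mcs-AdmPwd attribute, together with its inheritance flags, and flags whether the object carries adminCount=1 (i.e. whether SDProp will keep restamping its ACL from AdminSDHolder). It assumes the RSAT ActiveDirectory module is installed and uses the server name MX1 from the post as a placeholder.

```powershell
# Added example (not code from the original post or from the LAPS guide).
# Audit LAPS-related ACEs on one computer object and show whether
# AdminSDHolder protection (adminCount=1) applies to it.
# Assumptions: RSAT ActiveDirectory module is available; $ComputerName is a placeholder.
Import-Module ActiveDirectory

$ComputerName = 'MX1'   # placeholder taken from the post; replace with the server being checked

# Resolve the schemaIDGUID of ms-Mcs-AdmPwd so ACEs can be matched by object type
# rather than by a hard-coded GUID literal.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$attrGuid = [guid]$attrObj.schemaIDGUID

$computer = Get-ADComputer -Identity $ComputerName -Properties adminCount
$acl      = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

# ACEs that reference the ms-Mcs-AdmPwd attribute directly. Watch the inheritance columns:
# an ACE copied from AdminSDHolder with InheritanceType 'Descendents' and an inherited
# object type of 'computer' is inherit-only, so it never applies to this object itself,
# which is the behaviour described in the post. (An ACE with an all-zero ObjectType grants
# rights to the whole object and would also cover the attribute; it is not listed here.)
$acl.Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize

if ($computer.adminCount -eq 1) {
    Write-Warning "$ComputerName has adminCount=1: SDProp will overwrite its DACL from AdminSDHolder on each run, so ACEs set directly on the object will not persist."
}
```

Run it as a user that can read the object's security descriptor; an empty table combined with the adminCount warning is the signature of exactly the problem described above, since the object-level ACE is either never present or is removed at the next SDProp cycle.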