Event details
JaySimmons
Microsoft
Microsoftrerhart sorry for that confusion. Not sure how that meme got started, but it is a complicated topic to explain.
Just to add on to Cliff's reply, you might also take a look at this topic:
Domain functional level and domain controller OS version requirements
...where I've tried to make the various tradeoffs clear.
thx,
Jay
Great, thanks Jay. So, I can successfully enable and configure the new Windows LAPS in my 2016 functional domain with 2016 Domain Controllers (and Windows 10 & 11 workstations), but I CANNOT: 1. Use DSRM with it. 2. Use new WIndows LAPS on any 2016 and older non-DC servers...(but can use the old Microsoft LAPS on those old servers.)
- JaySimmonsThat is correct - you got it.
- I think it is this section that trips me up in this link: https://learn.microsoft.com/windows-server/identity/laps/laps-scenarios-windows-server-active-directory#domain-functional-level-and-domain-controller-os-version-requirements Once your domain reaches 2016 DFL, you can enable Windows LAPS password encryption. However if you're still running any WS2016 DCs, those WS2016 DCs don't support Windows LAPS and therefore can't use the DSRM account management feature. ---"Those WS2016 DC's don't support Windows LAPS..." ?