Currently, you have to set LAPS at the OU level. In a large organization with upwards of 500 OUs across multiple domains, that is a daunting task. Allow it to be set at the Do main level will ease the burden on the staff for managing and maintaining this as we work through AD Consolidation.
- JaySimmonsMicrosoftStatus changed:NewtoCompleted
- JaySimmonsMicrosoft
Cvanheusen - I tested this and found that the various permission-setting cmdlets will work just fine at the domain level as long as you specify the domain NC by DN.
Example:
PS C:\Windows\System32> Set-LapsADComputerSelfPermission -Identity "DC=laps,DC=com"
Name DistinguishedName
---- -----------------
laps DC=laps,DC=comWhile it might be nice to be able to specify the domain by a short name, I think this is good enough for a cmdlet you are likely to only ever run once or twice? Lmk your feedback. If you agree with me that this is good enough, I'll add mention of this to the docs plus the PowerShell documentation examples.
thx,
Jay