Vico_Manolo
Nov 27, 2024
Copper Contributor
Status: Not at this time
Allow multiple groups for Decrypt permissions
Request to enable the assignment of decrypt permissions to multiple groups independently. Currently, we can assign the decrypt permission to only one group. In our case, this requires a unive...
JaySimmons
Microsoft
Mar 06, 2025
Status changed: New to Not at this time
Hello Vico_Manolo -
Actually I considered this design option during initial development of Windows LAPS. Unfortunately, encrypting the password data against multiple SIDs causes the size of the encrypted data to bloat by a large factor. Allowing that to happen across large numbers of devices would obviously result in bloat of the AD database, and depending on other factors (pwd update frequency, e.g.) could also negatively impact AD replication performance. For these reasons this idea was rejected.
Jay