JaySimmons, care to shed some light on how the authorized password decryptor works?
I have posted this as a question on Serverfault as well: https://serverfault.com/questions/1144499/new-laps-authorized-password-decryptor-not-updating-permissions-as-expected
My observations are the following:
- Retroactively adding a user to the authorized password decryptor group immediately lets the user decrypt all current passwords + history
- Removing the same user from the authorized password decryptor group does not revoke that decryption permission, all current passwords + history can still be decrypted by that user
- After removing the user from the group, newly generated passwords can still be decrypted by that user (even after relogging and rebooting all domain controllers in the forest). After a few days I generated a password again, and only then could it no longer be decrypted
This all seems very opaque to me, and your Microsoft article also does not go into much detail. Some clarification would be appreciated.