Allow LAPS to be run at the Domain Level




 May 23 2023

Currently, you have to set LAPS at the OU level. In a large organization with upwards of 500 OUs across multiple domains, that is a daunting task. Allowing it to be set at the Domain level will ease the burden on the staff for managing and maintaining this as we work through AD Consolidation.


Thanks @Cvanheusen - I have logged a bug on this and will see what I can do :).


@Cvanheusen - I tested this and found that the various permission-setting cmdlets will work just fine at the domain level as long as you specify the domain NC by DN.




PS C:\Windows\System32> Set-LapsADComputerSelfPermission -Identity "DC=laps,DC=com"

Name DistinguishedName
---- -----------------
laps DC=laps,DC=com


While it might be nice to be able to specify the domain by a short name, I think this is good enough for a cmdlet you are likely to only ever run once or twice?   Lmk your feedback.  If you agree with me that this is good enough, I'll add mention of this to the docs plus the PowerShell documentation examples.





@Cvanheusen ,


I've updated the documentation here...


The "Grant the managed device permission to update its password" section now includes this tip:



If you prefer to set the inheritable permissions on the root of the domain, this is possible by specifying the entire domain root using DN syntax. For example, specify 'DC=laps,DC=com' for the -Identity parameter.


The online PowerShell cmdlet documentation update is also in-flight.   Marking this feedback item as completed. Please PM offline if you have further feedback or questions.
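As an added example that is not part of this thread, the following script puts the tip from the reply above (and the documentation excerpt it quotes) into a repeatable form: it resolves the domain naming context by DN instead of hand-typing it, grants the computer self-permission once at the domain root, and then checks with Get-Acl that the resulting ACE is inheritable, so a computer object several OUs deep picks it up without a per-OU grant. It assumes the Windows LAPS and ActiveDirectory PowerShell modules are installed and that the caller can write the domain root's security descriptor; the group name 'LAPS-Readers' and the computer name 'WS01' are hypothetical.

```powershell
# Added example, not code from the thread or from Microsoft's LAPS documentation.
# Requires the Windows LAPS module (Windows Server 2022/2025, Windows 11 22H2+ with
# the April 2023 update or later) and the ActiveDirectory module for Get-ADDomain,
# Get-ADComputer and the AD: drive used by Get-Acl.
Import-Module LAPS
Import-Module ActiveDirectory

# Resolve the domain NC by DN (e.g. DC=laps,DC=com) rather than typing it by hand;
# this is the value the thread says the -Identity parameter accepts at domain scope.
$domainDN = (Get-ADDomain).DistinguishedName

# One inheritable grant at the domain root: every computer object under it may
# update its own LAPS password attributes. This replaces the per-OU grant.
Set-LapsADComputerSelfPermission -Identity $domainDN

# Optional: grant a helpdesk group read and reset rights at the same scope.
# 'LAPS-Readers' is a hypothetical group; use your own delegated group here.
Set-LapsADReadPasswordPermission  -Identity $domainDN -AllowedPrincipals 'LAPS-Readers'
Set-LapsADResetPasswordPermission -Identity $domainDN -AllowedPrincipals 'LAPS-Readers'

# Verify the grant on the domain root itself. The new SELF entries should be
# explicit (not inherited) and carry an InheritanceType that flows to descendants;
# other pre-existing SELF ACEs on the root will also appear in this listing.
$rootAcl = Get-Acl -Path "AD:\$domainDN"
$rootAcl.Access |
    Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, InheritedObjectType, ObjectType |
    Format-Table -AutoSize

# Spot-check a computer object deep in the tree ('WS01' is hypothetical): the SELF
# entries that reach it should now be marked IsInherited = True, which is the
# whole point of setting the permission at the domain level instead of per OU.
$computer = Get-ADComputer -Identity 'WS01'
$computerAcl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
$computerAcl.Access |
    Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

Two practical caveats: an OU with inheritance blocked on its security descriptor will not receive the domain-level ACE, so containers that were deliberately protected still need their own grant (or the block removed), and because the grant covers every computer in the domain, the read and reset delegation at the same scope should go to a tightly controlled group only.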



Status changed to: Completed