Tech Community Live: Windows edition
Jun 05 2024, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community

Allow LAPS to be ran at the Domain Level

Allow LAPS to be ran at the Domain Level
0

Upvotes

Upvote

 May 23 2023
4 Comments (4 New)
Completed

Currently, you have to set LAPS at the OU level.  In a large organization with upwards of 500 OUs across multiple domains, that is a daunting task.  Allow it to be set at the Do main level will ease the burden on the staff for managing and maintaining this as we work through AD Consolidation.

Comments
Microsoft

Thanks @Cvanheusen - I have logged a bug on this and will see what I can do :).

Microsoft

@Cvanheusen - I tested this and found that the various permission-setting cmdlets will work just fine at the domain level as long as you specify the domain NC by DN.

 

Example:

 

PS C:\Windows\System32> Set-LapsADComputerSelfPermission -Identity "DC=laps,DC=com"

Name DistinguishedName
---- -----------------
laps DC=laps,DC=com

 

While it might be nice to be able to specify the domain by a short name, I think this is good enough for a cmdlet you are likely to only ever run once or twice?   Lmk your feedback.  If you agree with me that this is good enough, I'll add mention of this to the docs plus the PowerShell documentation examples.

 

thx,

Jay

Microsoft

@Cvanheusen ,

 

I've updated the documentation here...

 

Grant the managed device permission to update its password

 

...to include this tip:

 

 Tip

If you prefer to set the inheritable permissions on the root of the domain, this is possible by specifying the entire domain root using DN syntax. For example, specify 'DC=laps,DC=com' for the -Identity parameter.

 

The online PowerShell cmdlet documentation update is also in-flight.   Marking this feedback item as completed. Please PM offline if you have further feedback or questions.

 

Jay

Microsoft
Status changed to: Completed