Currently, you have to set LAPS at the OU level. In a large organization with upwards of 500 OUs across multiple domains, that is a daunting task. Allowing it to be set at the Domain level will ease the burden on the staff for managing and maintaining this as we work through AD Consolidation.
4 Comments
- JaySimmons
Microsoft
Status changed: New to Completed
- JaySimmons
Microsoft
I've updated the documentation here...
Grant the managed device permission to update its password
...to include this tip:
Tip
If you prefer to set the inheritable permissions on the root of the domain, this is possible by specifying the entire domain root using DN syntax. For example, specify 'DC=laps,DC=com' for the -Identity parameter.
The online PowerShell cmdlet documentation update is also in-flight. Marking this feedback item as completed. Please PM offline if you have further feedback or questions.
Jay
- JaySimmons
Microsoft
Cvanheusen - I tested this and found that the various permission-setting cmdlets will work just fine at the domain level as long as you specify the domain NC by DN.
Example:
PS C:\Windows\System32> Set-LapsADComputerSelfPermission -Identity "DC=laps,DC=com"
Name DistinguishedName
---- -----------------
laps DC=laps,DC=com
While it might be nice to be able to specify the domain by a short name, I think this is good enough for a cmdlet you are likely to only ever run once or twice? Lmk your feedback. If you agree with me that this is good enough, I'll add mention of this to the docs plus the PowerShell documentation examples.
thx,
Jay
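A practical way to apply the domain-root approach from the tip and Jay's test above, and then check the one place an inherited ACE does not reach, as an added example that is not Jay's code or part of the LAPS documentation. It assumes the ActiveDirectory and LAPS PowerShell modules are installed, and it derives the domain DN with Get-ADDomain instead of hard-coding 'DC=laps,DC=com'.

```powershell
# Added example (not from the thread or the LAPS docs). Assumes the
# ActiveDirectory and LAPS modules are present and that the caller is
# allowed to modify the ACL on the domain root.
Import-Module ActiveDirectory
Import-Module LAPS

# 1. Build the domain root DN from the current domain rather than typing it,
#    so the value that goes into -Identity cannot be mistyped.
$domainDn = (Get-ADDomain).DistinguishedName

# 2. Grant computer objects the right to update their own LAPS password at
#    the domain root, exactly as in the thread's example but with the DN
#    resolved at runtime. The ACE is inheritable, so every OU that still
#    inherits from its parent receives it.
Set-LapsADComputerSelfPermission -Identity $domainDn

# 3. Inheritance is the catch: an OU whose ACL has inheritance disabled
#    (AreAccessRulesProtected) will not receive the new ACE, and computers
#    under it would silently keep failing to rotate their password.
#    List those OUs and apply the permission on each of them directly.
$blocked = Get-ADOrganizationalUnit -Filter * |
    Where-Object {
        (Get-Acl -Path ("AD:\" + $_.DistinguishedName)).AreAccessRulesProtected
    }

if ($blocked) {
    Write-Warning "OUs that block ACL inheritance; applying the permission per OU:"
    foreach ($ou in $blocked) {
        Write-Warning ("  " + $ou.DistinguishedName)
        Set-LapsADComputerSelfPermission -Identity $ou.DistinguishedName
    }
}
```

Run the OU check again after any delegation change, since disabling inheritance on an OU later will detach it from the domain-root grant.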
- JaySimmons
Microsoft
Thanks Cvanheusen - I have logged a bug on this and will see what I can do :).