Jul 09 2024 07:15 AM
Hello,
I've implemented the new LAPS into my AD environment, and I am currently trying to give a few support users access to read computer LAPS passwords.
According to the documentation, the CLI command Set-LapsADReadPasswordPermission should grant the necessary permissions, but it only provides rights to a few LAPS-related properties, which is not enough. Users are trying to retrieve passwords via Get-LapsADPassword -Identity $computerName on their machines, and it only works when I give them full control of the OU, which is not an option.
Which properties should they be able to read to get this working? I cannot find this information in the documentation. Is there a way to determine which permissions are required for that CLI command?