New LAPS rights to execute Get-LapsADPassword


Hello,

I've implemented the new LAPS into my AD environment, and I am currently trying to give a few support users access to read computer LAPS passwords.

According to the documentation, the CLI command Set-LapsADReadPasswordPermission should grant the necessary permissions, but it only provides rights to a few LAPS-related properties, which is not enough. Users are trying to retrieve passwords via Get-LapsADPassword -Identity $computerName on their machines, and it only works when I give them full control of the OU, which is not an option.

Which properties should they be able to read to get this working? I cannot find this information in the documentation. Is there a way to determine which permissions are required for that CLI command?
