Enabling LAPS on Exchange Servers


I have three Exchange 2016 Servers in our on-prem AD environment, and have been in the process of deploying LAPS across our organisation's members servers.

Unfortunately, I've been unable to get LAPS to work properly on our Exchange Servers. Or, more accurately, I've been unable to get the AD Computer objects which represent our Exchange Servers to inherit permissions from their parent OUs. The outcome of this is that members of our "LAPS Password Readers" security group cannot read the LAPS password stored in AD.


Attempts to Mitigate

  1. I've gone into the Computer Object representing, say, MX1. In Security > Advanced, I clicked Enable Inheritance. It then works fine for a short amount of time, before inheritance is disabled again.
  2. I've manually added the Read permission for the ms-Mcs-AdmPwd attribute on the specific MX1 Computer Object. Doesn't work at all, the permission gets wiped straight away.


Of course, I've done a bit of research, but have found little evidence of other people suffering from this same issue. In fact, Reddit users running on-prem Exchange and LAPS don't appear to have any issues at all.


My research into the issue of non-inheritable AD permissions points me towards stuff regarding highly privileged / protected accounts, an adminCount attribute in AD, and SDPROP.


All of my Exchange Servers have an adminCount attribute of 1, which I think is because they are indirectly members of BUILTIN\Administrators, through membership of the 'Exchange Trusted Subsystem' group. That is, each server is a member of 'Exchange Trusted Subsystem', and 'Exchange Trusted Subsystem' is a member of BUILTIN\Administrators.


A Microsoft Appendix about Protected Accounts & Groups in Active Directory mentions the AdminSDHolder object, which provides the template permissions applied to protected AD objects.


Should I add my "LAPS Password Readers" security group to the AdminSDHolder object, giving it the necessary permissions to get LAPS working? I'm surprised I've not found any official guidance in the LAPS documents or elsewhere about this, to be honest... Any advice would be appreciated!


Thanks,

Alex


Further to this, I've tried giving the necessary permissions to the AdminSDHolder object. Frustratingly, this doesn't work either, for the reasons given below.


The LAPS guide states to use PowerShell commands, e.g.:


Set-AdmPwdResetPasswordPermission -OrgUnit "CN=AdminSDHolder,CN=System,DC=contoso,DC=com" -AllowedPrincipals "contoso\LAPS Password Readers"


This command gives Write Permissions to the ms-Mcs-AdmPwd attribute, on only Descendant Computer objects. So, when the AdminSDHolder permissions are copied to MX1, it doesn't give the Permission to MX1 itself, but its children, which it doesn't have of course.


Okay, so I've tried changing Applies To 'Descendant Computer Objects' to 'This Object only' and 'This Object and All Descendants'. When I do that and Apply the Permission changes, the Permission disappears. Why? Because the Active Directory Schema doesn't give Container objects the ms-Mcs-AdmPwd (and related) attributes. I can't manually add the permission at all, because the schema doesn't allow it...


Manual modification of the Active Directory schema doesn't seem preferable, but I can't see any other options... Suggestions welcome!


Kind regards,

Alex
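The two posts above describe a diagnosis by hand in ADUC: adminCount=1 on the Exchange computer objects, inheritance being switched off again after a while, and an AdminSDHolder ACE whose Applies-To scope is "Descendant Computer objects". The following PowerShell script is an added example that automates that same diagnosis; it is not code from the original thread, from the LAPS documentation or from Microsoft. It assumes the ActiveDirectory module is available (it provides the AD: drive that Get-Acl uses), that the Exchange servers are named MX1, MX2 and MX3 as in the thread, and that the reader group's sAMAccountName is "LAPS Password Readers". For each computer it reports adminCount, whether the DACL is marked as protected (inheritance blocked), which adminCount=1 groups it transitively belongs to (the route through 'Exchange Trusted Subsystem' into BUILTIN\Administrators described above), and whether the reader group holds an explicit ACE on ms-Mcs-AdmPwd. It then lists every ACE on AdminSDHolder that targets ms-Mcs-AdmPwd together with its inheritance scope, which is where the "Descendant Computer objects" mismatch shows up. It only reads; it changes nothing.

```powershell
# Added diagnostic example (not from the original post). Read-only: it reports
# SDProp markers on the Exchange computer objects and the ms-Mcs-AdmPwd ACEs
# on AdminSDHolder. Server names and the group name below are assumptions.
Import-Module ActiveDirectory

$servers     = 'MX1', 'MX2', 'MX3'        # assumed computer names from the thread
$readerGroup = 'LAPS Password Readers'   # assumed sAMAccountName of the reader group
$rootDse     = Get-ADRootDSE

# Resolve schemaIDGUIDs so ACEs can be matched by ObjectType / InheritedObjectType
# instead of hard-coding GUIDs.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$admPwdGuid        = Get-SchemaGuid 'ms-Mcs-AdmPwd'
$computerClassGuid = Get-SchemaGuid 'computer'
$readerSid         = (Get-ADGroup $readerGroup).SID

# Return the DACL protection flag and only those ACEs that explicitly target
# ms-Mcs-AdmPwd (ACEs granting "read all properties" are not listed here).
function Get-AdmPwdAces {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    [pscustomobject]@{
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Aces               = @($acl.Access | Where-Object { $_.ObjectType -eq $admPwdGuid })
    }
}

Write-Host "== Exchange computer objects ==" -ForegroundColor Cyan
foreach ($name in $servers) {
    $computer = Get-ADComputer $name -Properties adminCount
    $dn       = $computer.DistinguishedName

    # Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941);
    # protected groups carry adminCount=1 themselves, so filter on that.
    $protectedGroups = Get-ADGroup -LDAPFilter "(&(member:1.2.840.113556.1.4.1941:=$dn)(adminCount=1))" |
        Select-Object -ExpandProperty Name

    $info      = Get-AdmPwdAces -DistinguishedName $dn
    $readerAce = $info.Aces | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $readerSid
    }

    [pscustomobject]@{
        Computer           = $name
        adminCount         = $computer.adminCount
        InheritanceBlocked = $info.InheritanceBlocked
        ProtectedGroups    = ($protectedGroups -join ', ')
        ReaderHasAdmPwdAce = [bool]$readerAce
    }
}

# AdminSDHolder is the template SDProp stamps onto protected objects. An ACE whose
# InheritedObjectType is the computer class applies to *descendant* computer
# objects, so when it is copied onto MX1 it never grants anything on MX1 itself.
Write-Host "== ms-Mcs-AdmPwd ACEs on AdminSDHolder ==" -ForegroundColor Cyan
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
(Get-AdmPwdAces -DistinguishedName $adminSdHolder).Aces | ForEach-Object {
    if ($_.InheritedObjectType -eq $computerClassGuid) {
        $appliesTo = 'Descendant computer objects'
    } elseif ($_.InheritedObjectType -eq [guid]::Empty) {
        $appliesTo = 'This object and/or all descendants'
    } else {
        $appliesTo = "Descendants of class $($_.InheritedObjectType)"
    }
    [pscustomobject]@{
        Identity        = $_.IdentityReference
        Rights          = $_.ActiveDirectoryRights
        InheritanceType = $_.InheritanceType
        AppliesTo       = $appliesTo
    }
}
```

Run it from an account that can read nTSecurityDescriptor on the computer objects and on CN=AdminSDHolder (domain admin, or a delegated reader). A computer row showing adminCount=1, InheritanceBlocked=True and a non-empty ProtectedGroups column confirms the SDProp explanation given in the first post; an AdminSDHolder row whose AppliesTo reads "Descendant computer objects" is the scope problem described in the reply.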