New LAPS rights to execute Get-LapsADPassword
Hello, I've implemented the new LAPS into my AD environment, and I am currently trying to give a few support users access to read computer LAPS passwords. According to the documentation, the CLI command Set-LapsADReadPasswordPermission should grant the necessary permissions, but it only provides rights to a few LAPS-related properties, which is not enough. Users are trying to retrieve passwords via Get-LapsADPassword -Identity $computerName on their machines, and it only works when I give them full control of the OU, which is not an option. Which properties should they be able to read to get this working? I cannot find this information in the documentation. Is there a way to determine which permissions are required for that CLI command?[On demand] The latest and greatest in the world of Windows LAPS
Windows LAPS continues to evolve. Find out what's new - from automatic account management and passphrases to disaster recovery and bug fixes. Watch The latest and greatest in the world of Windows LAPS – now on demand – and join the conversation at https://aka.ms/LatestInLAPS. To help you learn more, here are the links referenced in the session: Automatic account management demo Passphrase support demo Rollback detection demo Password recovery demo What is Windows LAPS? Windows LAPS feedback For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.
