New LAPS permissions


Mayo, Bill

Aug 20, 2025, 4:12:37 PM
to ntsys...@googlegroups.com

We are cutting over to new LAPS and I have run into a problem with permissions to read the password. I gave Domain Admins this permission to the root of the domain, and then gave a server admin group the same permission to the OU where the servers are. The issue I have is that a domain admin account can read the password, but the server admin account cannot. When I look at the permissions, I see that “Read msLAPS-PasswordExpirationTime”, “Read msLAPS-EncryptedPasswordHistory”, “Read msLAPS-Password”, and “Read msLAPS-EncryptedPassword” permissions have been granted as I would expect, meaning that these permissions are shown for Domain Admins at the root, and these permissions are also shown for the server admin group at the servers OU. There are 4 different permissions listed, each with one of the attributes.

 

Reviewing Microsoft’s documentation on the command, I cannot see where there should be an issue for this. I was going to try removing the permissions at the domain root, but there is no PowerShell command and I am not super excited to remove them. I even went back and did the server permission again, using an array with both of the groups. This didn’t change anything.

 

When running the Get-LapsADPassword command, it shows the AuthorizedDecryptor as the Domain Admins group, and I am thinking that maybe my problem here is related to enabling encryption and there only being one group to read it. Assuming that is true, the solution would seem to be to create a group with everyone that needs to decrypt and then re-apply permissions for that (or don’t encrypt). Or *maybe* just tell it to update the password and maybe the next one will have the right encryption. But, I would like to remove the extraneous entries and wonder if there is a better way to do that through the GUI.

 

Bill Mayo

Mayo, Bill

Aug 20, 2025, 4:44:33 PM
to ntsys...@googlegroups.com

Ok, so going through AD to look at it seems to clarify that it is because my account cannot decrypt it. I did a reset and the server admin account still cannot decrypt, so it seems like I need to re-do things. Based on the below, anybody have a suggestion on the best way to clean this up?

 

Bill Mayo


Michael B. Smith

Aug 20, 2025, 5:13:43 PM
to ntsys...@googlegroups.com
Just delete them from wherever you added them.



Michael Kurzdorfer

Aug 20, 2025, 6:26:35 PM
to ntsys...@googlegroups.com
This link has a good set of the GPO settings: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings#apply-policy-settings

Assuming you had ADPasswordEncryptionEnabled, however, ADPasswordEncryptionPrincipal likely was not set. In this case, only Domain Admins would be able to decrypt.

To correct, you will need to specify the AD object (recommend a security group) and then expire the passwords. The next GP refresh will reset the password and re-encrypt, allowing your server admins to access.

Recommended settings:
\MemberServers

AdministratorAccountName (only if you aren't targeting the -500), otherwise leave blank
PasswordAgeDays
PasswordLength
PassphraseLength
PasswordComplexity
PostAuthenticationResetDelay
PostAuthenticationActions
ADPasswordEncryptionEnabled - Yes
ADPasswordEncryptionPrincipal - create AD group (include Domain Admins and Server Admins)
ADEncryptedPasswordHistorySize

\Workstations

AdministratorAccountName (only if you aren't targeting the -500), otherwise leave blank
PasswordAgeDays
PasswordLength
PassphraseLength
PasswordComplexity
PostAuthenticationResetDelay
PostAuthenticationActions
ADPasswordEncryptionEnabled - Yes
ADPasswordEncryptionPrincipal - create AD group (include Domain Admins and Workstation Admins)
ADEncryptedPasswordHistorySize

There are additional msLAPS settings related to local account management that are great if you are running W11 24H2 or Server 2025.

Markus Klocker

Aug 21, 2025, 4:03:52 AM
to ntsys...@googlegroups.com
Use the new LAPS PS cmdlets to set permissions.
A group is needed for stuff which should be able to read (one per OU if needed).

Markus
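The diagnosis and fix from the two replies above, written out as an added PowerShell example (not code from the thread or from Microsoft's documentation). It assumes the Windows LAPS and ActiveDirectory modules are available, that it runs as a member of the current AuthorizedDecryptor (Domain Admins here), and that the OU path, group name and computer name are placeholders to replace with your own.

```powershell
# Added example: audit why a server admin group cannot decrypt Windows LAPS passwords,
# re-grant read rights on the OU only, and rotate so the new principal can decrypt.
Import-Module LAPS
Import-Module ActiveDirectory

$ServerOU    = 'OU=Servers,DC=example,DC=com'   # placeholder: the servers OU
$ReaderGroup = 'EXAMPLE\LAPS-Server-Admins'     # placeholder: group that will be both
                                                 # the read principal and the
                                                 # ADPasswordEncryptionPrincipal in policy
$Server      = 'SRV01'                           # placeholder: one computer in the OU

# 1. Who may decrypt each stored password? If AuthorizedDecryptor is "Domain Admins"
#    on every computer, ADPasswordEncryptionPrincipal was never set in the GPO, which
#    is the situation described in the thread: the read ACE exists but decryption fails.
Get-ADComputer -SearchBase $ServerOU -Filter * |
    ForEach-Object { Get-LapsADPassword -Identity $_.Name -ErrorAction SilentlyContinue } |
    Select-Object ComputerName, Source, AuthorizedDecryptor, DecryptionStatus, ExpirationTimestamp |
    Format-Table -AutoSize

# 2. Show which principals hold the extended read right on the OU. This ACE is what
#    Set-LapsADReadPasswordPermission grants; it is separate from the decryption right.
Find-LapsADExtendedRights -Identity $ServerOU | Format-Table -AutoSize

# 3. Grant the read right at the OU, scoped to the one group, rather than at the domain root.
Set-LapsADReadPasswordPermission -Identity $ServerOU -AllowedPrincipals $ReaderGroup

# 4. After the GPO's ADPasswordEncryptionPrincipal is set to $ReaderGroup, pull the
#    updated policy on the host and rotate so the password is re-encrypted to it.
Invoke-Command -ComputerName $Server -ScriptBlock {
    Invoke-LapsPolicyProcessing   # apply the changed LAPS policy now
    Reset-LapsPassword            # rotate immediately instead of waiting for expiry
}

# 5. Verify: AuthorizedDecryptor should now be the group, and DecryptionStatus should
#    read Success when this is run as a member of that group.
Get-LapsADPassword -Identity $Server |
    Select-Object ComputerName, AuthorizedDecryptor, DecryptionStatus
```

Step 4 is optional; with the expiration timestamp left alone, the next scheduled rotation performs the same re-encryption.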

Michael Kurzdorfer

Aug 21, 2025, 8:26:02 AM
to ntsys...@googlegroups.com
This appears to be a configuration issue rather than a permission issue. If you enable msLAPS encryption, you need to specify which group or users can decrypt the password; otherwise, only the Domain Admin group will be able to do so.



Mayo, Bill

Aug 21, 2025, 9:51:55 AM
to ntsys...@googlegroups.com

Thank you. I obviously completely missed this. The guide I was following didn’t mention anything about encryption and I just enabled that feature without thinking about it. I believe this will solve my decryption problem.

 

