We are cutting over to new LAPS and I have run into a problem with permissions to read the password. I gave Domain Admins this permission to the root of the domain, and then gave a server admin group the same permission to the OU where the servers are. The issue I have is that a domain admin account can read the password, but the server admin account cannot. When I look at the permissions, I see that “Read msLAPS-PasswordExpirationTime”, “Read msLAPS-EncryptedPasswordHistory”, “Read msLAPS-Password”, and “Read msLAPS-EncryptedPassword” permissions have been granted as I would expect, meaning that these permissions are shown for Domain Admins at the root, and these permissions are also shown for the server admin group at the servers OU. There are 4 different permissions listed, each with one of the attributes.
Reviewing Microsoft’s documentation on the command, I cannot see where there should be an issue for this. I was going to try removing the permissions at the domain root, but there is no PowerShell command and I am not super excited to remove them. I even went back and did the server permission again, using an array with both of the groups. This didn’t change anything.
When running the Get-LapsADPassword command, it shows the AuthorizedDecryptor as the Domain Admins group, and I am thinking that maybe my problem here is related to enabling encryption and there only being one group to read it. Assuming that is true, the solution would seem to be to create a group with everyone that needs to decrypt and then re-apply permissions for that (or don’t encrypt). Or *maybe* just tell it to update the password and maybe the next one will have the right encryption. But, I would like to remove the extraneous entries and wonder if there is a better way to do that through the GUI.
Bill Mayo
Ok, so going through AD to look at it seems to clarify that it is because my account cannot decrypt it. I did a reset and the server admin account still cannot decrypt, so it seems like I need to re-do things. Based on the below, anybody have a suggestion on the best way to clean this up?
Bill Mayo
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntsysadmin+...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/ntsysadmin/cd5acd5f9a7f430dad79a85f193e890c%40pittcountync.gov.
Thank you. I obviously completely missed this. The guide I was following didn’t mention anything about encryption and I just enabled that feature without thinking about it. I believe this will solve my decryption problem.
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Michael Kurzdorfer
Sent: Wednesday, August 20, 2025 6:26 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Re: New LAPS permissions
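The thread's conclusion is that the read ACEs on the OU were never the problem: with Windows LAPS password encryption enabled, the managed computer encrypts the password to whatever principal the "Configure authorized password decryptors" policy (ADPasswordEncryptionPrincipal) names, and when that policy is unset the default is Domain Admins, which is exactly the AuthorizedDecryptor shown by Get-LapsADPassword. The following is an added example, not code from the thread or from Microsoft, showing how to check both halves of that (the AD ACL and the encryption principal) and how to force a rotation once the policy points at a group that contains the server admins. The OU path, group names and computer name are placeholders.

```powershell
# Added example (not from the thread). Requires the Windows LAPS module
# (Windows Server 2022 / Windows 11 with the April 2023 update or later).
Import-Module LAPS

# Placeholders for your environment
$serversOU    = 'OU=Servers,DC=example,DC=com'
$serverAdmins = 'EXAMPLE\Server Admins'
$decryptors   = 'EXAMPLE\LAPS Decryptors'   # group containing Domain Admins and Server Admins
$computer     = 'SRV01'

# 1. Which principals currently hold the LAPS read-password extended rights on the OU?
#    This is the ACL half; it decides who may *read* msLAPS-EncryptedPassword.
Find-LapsADExtendedRights -Identity $serversOU

# 2. (Re)grant the server admin group read permission on the OU. The cmdlet adds ACEs;
#    it never removes existing ones, so extra grants at the domain root stay until
#    you remove them by hand in the ACL editor or with dsacls.
Set-LapsADReadPasswordPermission -Identity $serversOU -AllowedPrincipals $serverAdmins

# 3. What is the stored blob actually encrypted to? AuthorizedDecryptor comes from the
#    encrypting client, not from the ACL. DecryptionStatus tells you whether the
#    calling account could open it.
function Test-LapsDecryptor {
    param([string]$ComputerName, [string]$ExpectedDecryptor)
    $entries = Get-LapsADPassword -Identity $ComputerName -IncludeHistory
    foreach ($e in $entries) {
        [pscustomobject]@{
            Computer            = $e.ComputerName
            AuthorizedDecryptor = $e.AuthorizedDecryptor
            DecryptionStatus    = $e.DecryptionStatus
            Expires             = $e.ExpirationTimestamp
            MatchesExpected     = ($e.AuthorizedDecryptor -eq $ExpectedDecryptor)
        }
    }
}
Test-LapsDecryptor -ComputerName $computer -ExpectedDecryptor $decryptors | Format-Table

# 4. On a managed server, read the policy value the client is using. If the value is
#    absent, the client falls back to Domain Admins, which matches the symptom in the thread.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' `
    -Name ADPasswordEncryptionPrincipal -ErrorAction SilentlyContinue |
    Select-Object ADPasswordEncryptionPrincipal

# 5. Set "Configure authorized password decryptors" in the GPO to $decryptors, let the
#    server refresh policy, then expire the current password so the next stored blob is
#    encrypted to the new group. Old history entries stay encrypted to Domain Admins.
Set-LapsADPasswordExpirationTime -Identity $computer   # expire now (defaults to current time)
# On the server itself:
#   Invoke-LapsPolicyProcessing
# Then re-run Test-LapsDecryptor as a server admin and confirm DecryptionStatus is Success.
```

Two points worth keeping in mind: the read ACE and the decryptor are independent controls, so a group needs both (the ACE to fetch the attribute, membership in the decryptor to open it); and because the decryptor is baked into each stored blob at encryption time, changing the policy only affects passwords rotated after the change, which is why step 5 forces an expiry rather than waiting for the normal 30-day cycle.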