Comments on: How to configure Active directory for LAPS

By: anthony

anthony

it anyone have problem import admpwd.ps1 in dc windows 2016?
Import-Module : The specified module ‘AdmPwd.PS1’ was not loaded because no valid module file was found in any module directory.
At line:1 char:1
+ Import-Module AdmPwd.PS1
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (AdmPwd.PS1:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

By: Michael Sujka

Michael Sujka

In reply to BaconBandit.

Hey,

It cobbled together a powershell script to do this through all OUs from a top OU container. The thought is I will now schedule this to run or just remember it and run it manually and it will set the Read permission. Hope it is helpful for someone.

# ERROR REPORTING ALL
Set-StrictMode -Version latest

#———————————————————-
# LOAD ASSEMBLIES AND MODULES
#———————————————————-
Try
{
Import-Module ActiveDirectory -ErrorAction Stop
}
Catch
{
Write-Host “[ERROR]`t AdmPwd.PS Module couldn’t be loaded. Script will stop!”
Exit 1
}

#———————————————————-
#START FUNCTIONS
#———————————————————-
Function Start-Commands
{
Add-Read-Permissions
}

Function Add-Read-Permissions
{
#Change the search criteria in Searchbase as needed
Get-ADOrganizationalUnit -filter * -Searchbase “OU=Computers,OU=subOUname,DC=Domain_name,DC=org” |
foreach {

try
{
Write-Host “OU Name:” $($_.DistinguishedName)
Set-AdmPwdReadPasswordPermission -Identity “$($_.DistinguishedName)” -AllowedPrincipals “IT-LAPS”
}
Catch { Write-Host “[ERROR]`t Error : $($_.Exception.Message)” }

}#End foreach

}#Closes Add-Read-Permissions

Write-Host “STARTED SCRIPT`r`n”
Start-Commands
Write-Host “STOPPED SCRIPT”

By: Carl

Carl

I have several computers that are not registering LAPS passwords. They are in the same OUs as others that are and looking under Control Panel/Apps I can see LAPS installed.

Eliminating computers that have no LastLogon date, I have about 30 out of 220 that are not registering.

Any thoughts on what to try? Thanks

I audit enrollment with the PowerShell
Get-ADComputer -Filter {Enabled -EQ $True} -Properties * | sort-object -property Name | Select-Object Name,OperatingSystem,ms-Mcs-AdmPwd, @{Name=”ms-mcs-admpwdexpirationtime”;Expression={$([datetime]::FromFileTime([convert]::ToInt64($_.”ms-MCS-AdmPwdExpirationTime”,10)))}} , @{Name=”Last Logon”;Expression={$([datetime]::FromFileTime([convert]::ToInt64($_.”LastLogon”,10)))}} | ConvertTo-Csv -Delimiter “,” -NoTypeInformation | Out-File $CSVFile -Encoding ASCII

By: BaconBandit

BaconBandit

In reply to David Taylor. An important note, Set-AdmPwdCOmputerSelfPermission does automagically apply to sub-OUs. Set-AdmPwdReadPasswordPermission cmdlet does not apply permissions to sub-OUs. Each sub-OU requires you explicitly set read/reset permissions separately. I think I get why, but it's a pain to remember later.

By: Caleb

Caleb

Do you know what could be the reason update-admpwdadschema fails to perform the 3rd step

error is
Operation AddschemaAttributes Success
Operation AddschemaAttributes Success
Operation Update-AwdPWdAdSchema Failed

Update-AdmPwdADSchema : The requested attribute does not exist.
At line:1 char:1
+ Update-AdmPwdADSchema

By: Matthew

Matthew

In reply to Matthew. I found out what the issue was. Apparently, the cmdlet only accepts the sAMAccountName of the group which to delegate permissions, and not the common name or display name, nor the PowerShell object when storing the results of the get-adgroup cmdlets to a variable.

By: Matthew

Matthew

Has anyone ever encountered an error with the Set-AdmPwdReadPasswordPermission cmdlet where “the trust relationship between the primary domain and the trusted domain failed”? I can confirm that the trust relationship between the LAPS management server, AD/DS, and clients are valid, as the execution of the Test-ComputerSecureChannel returns as True.

By: Geh Kah

Geh Kah

Thank you for providing an easy manual how to implement LAPS into our forest. Like a Sir! Best Regards from Switzerland

By: Colin Cogle

Colin Cogle

In a default installation of Active Directory Domain Services, would there be any side effect to removing users’ “All extended rights” to an OU or a computer object?

By: David Taylor

David Taylor

Hameedullah,
Due to the default inheritance model, all subordinate containers (including OUs) will inherit the permission set using Set-AdmPwdComputerSelfPermission. This can be seen in the LAPS_TechnicalSpecification, as item 6.2.2. The specification document can be downloaded from Microsoft at the same location as the LAPS installer.