Comments on: How to configure Active directory for LAPS https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/ SCCM | ConfigMgr | Intune | Windows 11 | Azure Thu, 14 Jul 2022 15:10:40 +0000

By: anthony https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-38869
Does anyone else have a problem importing admpwd.ps1 on a Windows 2016 DC?
Import-Module : The specified module 'AdmPwd.PS1' was not loaded because no valid module file was found in any module directory.
At line:1 char:1
+ Import-Module AdmPwd.PS1
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (AdmPwd.PS1:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

By: Michael Sujka https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-33812
In reply to BaconBandit.

Hey,

I cobbled together a PowerShell script to do this through all OUs from a top OU container. The thought is I will now schedule this to run, or just remember it and run it manually, and it will set the Read permission. Hope it is helpful for someone.

# ERROR REPORTING ALL
Set-StrictMode -Version Latest

#----------------------------------------------------------
# LOAD ASSEMBLIES AND MODULES
#----------------------------------------------------------
# Both modules are needed: ActiveDirectory for Get-ADOrganizationalUnit and
# AdmPwd.PS for Set-AdmPwdReadPasswordPermission (the original only loaded the first).
Try
{
    Import-Module ActiveDirectory -ErrorAction Stop
    Import-Module AdmPwd.PS -ErrorAction Stop
}
Catch
{
    Write-Host "[ERROR]`t Module could not be loaded ($($_.Exception.Message)). Script will stop!"
    Exit 1
}

#----------------------------------------------------------
# START FUNCTIONS
#----------------------------------------------------------
Function Start-Commands
{
    Add-Read-Permissions
}

Function Add-Read-Permissions
{
    # Change the search criteria in SearchBase as needed.
    # The default SearchScope (Subtree) returns the base OU itself and every OU
    # beneath it, so the read permission is set on each one explicitly.
    Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Computers,OU=subOUname,DC=Domain_name,DC=org" |
    ForEach-Object {
        Try
        {
            Write-Host "OU Name:" $($_.DistinguishedName)
            # -AllowedPrincipals takes the group's sAMAccountName
            Set-AdmPwdReadPasswordPermission -Identity "$($_.DistinguishedName)" -AllowedPrincipals "IT-LAPS"
        }
        # Inside Catch, $_ is the error record for this OU; log it and carry on with the next OU.
        Catch { Write-Host "[ERROR]`t Error : $($_.Exception.Message)" }
    } # End ForEach-Object
} # Closes Add-Read-Permissions

Write-Host "STARTED SCRIPT`r`n"
Start-Commands
Write-Host "STOPPED SCRIPT"

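
A follow-up check for the delegation script in the comment above, added here as an example and not code from the comment author or from the LAPS package: it walks the same OU subtree and uses the AdmPwd.PS cmdlet Find-AdmPwdExtendedRights to list every principal that holds extended rights on each OU (and can therefore read ms-Mcs-AdmPwd), flagging any that are not on an expected list. The SearchBase, the DOMAIN\ prefix and the expected-principal list are placeholders to adjust; that the cmdlet reports holders as DOMAIN\name strings in a property named ExtendedRightHolders, and the baseline of SYSTEM plus Domain Admins, are assumptions to confirm against your own output.

```powershell
# Added example, not from the original comment or the LAPS package.
# Assumes the ActiveDirectory and AdmPwd.PS modules are installed where this runs.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

# Placeholder values: adjust the OU and the domain prefix to your environment.
$SearchBase = "OU=Computers,OU=subOUname,DC=Domain_name,DC=org"
$Expected   = @(
    'NT AUTHORITY\SYSTEM',    # assumed baseline holder
    'DOMAIN\Domain Admins',   # assumed baseline holder
    'DOMAIN\IT-LAPS'          # the group delegated by the script above
)

function Get-LapsReaders {
    param([string]$OuDn)
    # Find-AdmPwdExtendedRights returns one record per object with ObjectDN and
    # ExtendedRightHolders; keep only the OU itself in case the cmdlet also walks children,
    # since the outer loop already visits every sub-OU.
    Find-AdmPwdExtendedRights -Identity $OuDn |
        Where-Object { $_.ObjectDN -eq $OuDn } |
        ForEach-Object {
            $holders    = @($_.ExtendedRightHolders)
            $unexpected = @($holders | Where-Object { $Expected -notcontains $_ })
            [pscustomobject]@{
                OU         = $_.ObjectDN
                Holders    = ($holders -join '; ')
                Unexpected = ($unexpected -join '; ')   # empty when delegation matches expectations
            }
        }
}

$report = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
    ForEach-Object { Get-LapsReaders -OuDn $_.DistinguishedName }

$report | Format-Table -AutoSize

# Non-zero exit so a scheduled run stands out when someone outside the list can read passwords.
if ($report | Where-Object { $_.Unexpected }) { exit 1 }
```

Principals that hold the generic "All extended rights" on an OU show up in this output as well, since that right covers the control-access check on the confidential ms-Mcs-AdmPwd attribute; that is why the LAPS operations guide has you remove it from groups that should not be able to read the password.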
By: Carl https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-19056
I have several computers that are not registering LAPS passwords. They are in the same OUs as others that are, and looking under Control Panel/Apps I can see LAPS installed.

Eliminating computers that have no LastLogon date, I have about 30 out of 220 that are not registering.

Any thoughts on what to try? Thanks

I audit enrollment with this PowerShell:

# Output path for the report; the snippet as posted referenced $CSVFile without defining it.
$CSVFile = "$env:USERPROFILE\laps-enrollment.csv"

# Ask only for the attributes used below instead of -Properties *.
# ms-Mcs-AdmPwd holds the cleartext local admin password, so the report records whether it is
# populated rather than copying the password itself into the CSV (the original exported the value).
# Both timestamps are Windows FILETIME values; a missing value is left empty instead of 1601-01-01.
Get-ADComputer -Filter { Enabled -eq $true } -Properties OperatingSystem, 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', LastLogon |
    Sort-Object -Property Name |
    Select-Object Name, OperatingSystem,
        @{ Name = 'HasLapsPassword';             Expression = { [bool]$_.'ms-Mcs-AdmPwd' } },
        @{ Name = 'ms-Mcs-AdmPwdExpirationTime'; Expression = { if ($_.'ms-Mcs-AdmPwdExpirationTime') { [datetime]::FromFileTime([int64]$_.'ms-Mcs-AdmPwdExpirationTime') } } },
        @{ Name = 'Last Logon';                  Expression = { if ($_.LastLogon) { [datetime]::FromFileTime([int64]$_.LastLogon) } } } |
    Export-Csv -Path $CSVFile -NoTypeInformation -Encoding ASCII

By: BaconBandit https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-16313
In reply to David Taylor.

An important note: Set-AdmPwdComputerSelfPermission does automagically apply to sub-OUs. The Set-AdmPwdReadPasswordPermission cmdlet does not apply permissions to sub-OUs. Each sub-OU requires you to explicitly set read/reset permissions separately.

I think I get why, but it’s a pain to remember later.

By: Caleb https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-16114
Do you know what could be the reason Update-AdmPwdADSchema fails to perform the 3rd step?

The error is:
Operation AddschemaAttributes Success
Operation AddschemaAttributes Success
Operation Update-AwdPWdAdSchema Failed

Update-AdmPwdADSchema : The requested attribute does not exist.
At line:1 char:1
+ Update-AdmPwdADSchema

By: Matthew https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-15765
In reply to Matthew.

I found out what the issue was. Apparently, the cmdlet only accepts the sAMAccountName of the group to which to delegate permissions, and not the common name or display name, nor the PowerShell object when storing the results of the Get-ADGroup cmdlet in a variable.

By: Matthew https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-15757
Has anyone ever encountered an error with the Set-AdmPwdReadPasswordPermission cmdlet where "the trust relationship between the primary domain and the trusted domain failed"? I can confirm that the trust relationship between the LAPS management server, AD DS, and clients is valid, as the execution of Test-ComputerSecureChannel returns True.

By: Geh Kah https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-13018
Thank you for providing an easy manual on how to implement LAPS in our forest. Like a Sir! Best Regards from Switzerland

By: Colin Cogle https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-10973
In a default installation of Active Directory Domain Services, would there be any side effect to removing users' "All extended rights" to an OU or a computer object?

By: David Taylor https://www.prajwaldesai.com/how-to-configure-active-directory-for-laps/#comment-10634
Hameedullah,
Due to the default inheritance model, all subordinate containers (including OUs) will inherit the permission set using Set-AdmPwdComputerSelfPermission. This can be seen in the LAPS_TechnicalSpecification, as item 6.2.2. The specification document can be downloaded from Microsoft at the same location as the LAPS installer.

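
The inheritance behaviour discussed in this comment and in BaconBandit's reply above (which ACEs from Set-AdmPwdComputerSelfPermission and Set-AdmPwdReadPasswordPermission reach a given sub-OU) can be checked directly on the ACLs. The following is an added example, not code from the comments or from the LAPS documentation: it reads each OU's ACL over the AD: drive with Get-Acl and prints the entries that target the two LAPS attributes, with their inheritance flags and whether the OU blocks inheritance from its parent. It assumes the ActiveDirectory module, a placeholder OU DN, and that Update-AdmPwdADSchema has already added ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime to the schema; the computer class schemaIDGUID used is the well-known value.

```powershell
# Added example, not from the original comments.
Import-Module ActiveDirectory

# Placeholder: the top of the OU tree you delegated.
$SearchBase = "OU=Computers,OU=subOUname,DC=Domain_name,DC=org"

# ACEs refer to attributes by schemaIDGUID, so resolve the GUIDs of the two LAPS attributes.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lapsAttr = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $obj) { throw "$name is not in the schema; run Update-AdmPwdADSchema first" }
    $lapsAttr[[guid]$obj.schemaIDGUID] = $name
}
# Well-known schemaIDGUID of the computer class; LAPS ACEs are scoped to descendant computer objects.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-LapsAce {
    param([string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    # An OU with inheritance blocked does not receive ACEs set on its parents,
    # whichever cmdlet set them.
    $blocked = $acl.AreAccessRulesProtected
    $acl.Access |
        Where-Object { $lapsAttr.ContainsKey($_.ObjectType) } |
        ForEach-Object {
            [pscustomobject]@{
                OU                  = $OuDn
                InheritanceBlocked  = $blocked
                Principal           = $_.IdentityReference.Value   # NT AUTHORITY\SELF for the self-write ACE
                Attribute           = $lapsAttr[$_.ObjectType]
                Rights              = $_.ActiveDirectoryRights     # WriteProperty (self/reset); ReadProperty, ExtendedRight (read)
                AppliesTo           = $(if ($_.InheritedObjectType -eq $computerClass) { 'descendant computers' } else { $_.InheritedObjectType })
                Inheritance         = $_.InheritanceType           # Descendents = flows down to sub-OUs
                InheritedFromParent = $_.IsInherited               # $true when the ACE came from a parent OU
            }
        }
}

Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
    ForEach-Object { Get-LapsAce -OuDn $_.DistinguishedName } |
    Format-Table -AutoSize
```

A row with InheritedFromParent set to $true on a sub-OU is the ACE arriving through inheritance; a sub-OU that shows InheritanceBlocked as $true and no such rows needs the permission set on it explicitly, which is the case the per-OU script earlier in this thread handles.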