Delegate LAPS Administration

LAPS Administration KB ID 0001834

Problem

I saw this asked on a forum this morning and went to test the answer (and create an article if successful), only to find out that the posted answer and most of the info I found online were for Microsoft LAPS and not the newer Windows LAPS.

Windows LAPS


Let’s say we have an OU called Computers (with my computers in) and I want to grant read permission on the LAPS password to a security group called LAPS-Password-Admins.

Under the older Microsoft LAPS system, we would use the following PowerShell syntax.

[box]

Set-AdmPwdReadPasswordPermission -Identity 'OU=Computers,OU=PNL,DC=pnl,DC=com' -AllowedPrincipals "pnl.com\LAPS-Password-Admins"

[/box]

Try that on a Windows LAPS deployment, and you will get the following error.

Set-AdmPwdReadPasswordPermission : The term ‘Set-AdmPwdReadPasswordPermission’ is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.

That's because, in Windows LAPS, that cmdlet has been replaced, so you need to use the following syntax instead.

[box]

Set-LapsADReadPasswordPermission -Identity 'OU=Computers,OU=PNL,DC=pnl,DC=com' -AllowedPrincipals "pnl.com\LAPS-Password-Admins"

[/box]
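The script below is an added example, not part of the original article: it picks whichever LAPS cmdlet set is installed, applies the same delegation, then lists every holder of extended rights on the OU so that unexpected password readers stand out. The OU and group are the article's lab values, and the expected-holder list is an assumption to adjust for your own domain.

```powershell
# Added example. OU and group are the article's lab values; change them for your domain.
$OU    = 'OU=Computers,OU=PNL,DC=pnl,DC=com'
$Group = 'pnl.com\LAPS-Password-Admins'

# Assumption: the principals you expect to hold extended rights on this OU.
$Expected = @('SYSTEM', 'Domain Admins', ($Group -split '\\')[-1])

# Choose the cmdlet pair for the LAPS flavour present on this machine.
if (Get-Command Set-LapsADReadPasswordPermission -ErrorAction SilentlyContinue) {
    # Windows LAPS
    $Set  = 'Set-LapsADReadPasswordPermission'
    $Find = 'Find-LapsADExtendedRights'
}
elseif (Get-Command Set-AdmPwdReadPasswordPermission -ErrorAction SilentlyContinue) {
    # Older Microsoft LAPS (AdmPwd.PS module)
    $Set  = 'Set-AdmPwdReadPasswordPermission'
    $Find = 'Find-AdmPwdExtendedRights'
}
else {
    throw 'No LAPS PowerShell cmdlets found (neither Windows LAPS nor Microsoft LAPS).'
}
Write-Host "Using $Set"

# Grant the group read access to the LAPS passwords of computers in the OU.
& $Set -Identity $OU -AllowedPrincipals $Group

# List every holder of extended rights on the OU and flag the unexpected ones.
# Holders are compared by the name after the backslash (e.g. 'PNL\Domain Admins').
& $Find -Identity $OU | ForEach-Object {
    $dn = $_.ObjectDN
    foreach ($holder in $_.ExtendedRightHolders) {
        [pscustomobject]@{
            ObjectDN = $dn
            Holder   = $holder
            Expected = (($holder -split '\\')[-1] -in $Expected)
        }
    }
} | Sort-Object Expected | Format-Table -AutoSize
```

Rows with Expected set to False sort to the top; each one is a principal that can read LAPS passwords in that OU without being on your list.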
