This repository was archived by the owner on Aug 4, 2024. It is now read-only.

Configure LAPS service account permissions

Ryan Newington edited this page Feb 5, 2019 · 1 revision

Run the following commands to grant your LAPS service accounts permission to read and expire LAPS passwords.

Grant permission to read the password

dsacls "<DN of OU>" /G "<DOMAIN>\<sAMAccountName>:CA;ms-Mcs-AdmPwd;computer" /I:S

Grant permission to expire the password

DSACLS "<DN of OU>" /G "<DOMAIN>\<sAMAccountName>:RPWP;ms-Mcs-AdmPwdExpirationTime;computer" /I:S
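
To confirm that both grants landed as intended, the following added example (not part of the original page or the project's code) reads the OU's ACL and checks for the two ACEs, then lists every trustee on the OU that holds an extended right covering ms-Mcs-AdmPwd. The OU DN and account name are assumed placeholders, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: verify the ACEs created by the two dsacls commands above.
# Assumed placeholder values (not from the original page); replace with your own.
$OuDn    = 'OU=Workstations,DC=example,DC=com'
$Account = 'EXAMPLE\svc-laps'

Import-Module ActiveDirectory            # RSAT module; also provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices
$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid([string]$LdapName) {
    # Resolve an attribute or class name to its schemaIDGUID.
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapName' not found. Is the LAPS schema extension installed?" }
    [guid]$o.schemaIDGUID
}

$Rights   = [System.DirectoryServices.ActiveDirectoryRights]
$extended = $Rights::ExtendedRight                              # dsacls "CA"
$rpwp     = $Rights::ReadProperty -bor $Rights::WriteProperty   # dsacls "RPWP"
$computer = Get-SchemaGuid 'computer'
$pwdGuid  = Get-SchemaGuid 'ms-Mcs-AdmPwd'
$expGuid  = Get-SchemaGuid 'ms-Mcs-AdmPwdExpirationTime'

$expected = @(
    @{ Name = 'ms-Mcs-AdmPwd';               Guid = $pwdGuid; Rights = $extended },
    @{ Name = 'ms-Mcs-AdmPwdExpirationTime'; Guid = $expGuid; Rights = $rpwp }
)

$aces = (Get-Acl -Path "AD:\$OuDn").Access

# 1. Does the service account hold each expected ACE, scoped to computer objects?
foreach ($e in $expected) {
    $match = $aces | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $e.Guid -and
        $_.InheritedObjectType -eq $computer -and
        (($_.ActiveDirectoryRights -band $e.Rights) -eq $e.Rights)
    }
    [pscustomobject]@{
        Attribute   = $e.Name
        Granted     = [bool]$match
        Inheritance = ($match.InheritanceType -join ',')   # /I:S should show Descendents
    }
}

# 2. Who else on this OU can read the password attribute? An empty ObjectType
#    with ExtendedRight means "all extended rights", which also covers it.
$aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $extended) -eq $extended) -and
    ($_.ObjectType -eq $pwdGuid -or $_.ObjectType -eq [guid]::Empty)
} | Select-Object IdentityReference, ActiveDirectoryRights, InheritedObjectType, IsInherited
```

Any trustee in the second listing other than the intended service accounts and administrators is worth reviewing, since it can read local administrator passwords for computers in that OU.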