Access Template for Microsoft LAPS - I have seen a template to grant Reader to the ms-Mcs-AdmPwd attributes in ARS, but not a template to grant Self (the computer account) access to write to ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd.

I tried to create an access template for granting Self write access to the ms-Mcs-AdmPwd attributes and it seemed to do nothing. I had to manually set the rights using PowerShell. It would be so much easier to do this with an ARS Access Template. This is from the Microsoft LAPS technical documentation:

  • Adding Machine Rights

The Write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts has to be added to the SELF built-in account. This is required so the machine can update the password and expiration timestamp of its own managed local Administrator password.  This is done using PowerShell.  You may need to run Import-module AdmPwd.PS if <name of the OU to delegate permissions>

Repeat this procedure for any additional OUs that contain computer accounts that are in scope of the solution and are not subcontainers of already processed containers.

I created a template with these settings: Allow; Write ms-Mcs-AdmPwd; Apply to: Computer; Trustee: NT AUTHORITY\SELF; Directory object: the OU containing the servers that I wanted LAPS installed on.

What did I do wrong?
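For comparison with the template described above, here is what the "manual" PowerShell route looks like, plus a check that the resulting ACEs actually exist in native AD. This is an added example, not code from the original post, from Microsoft's LAPS documentation, or from Active Roles. It assumes the RSAT ActiveDirectory module and the LAPS AdmPwd.PS module are installed, and the OU distinguished name is a placeholder. The check matters in this thread because the computer account writes its password directly to AD over LDAP, not through Active Roles, so a delegation that exists only as an ARS Access Template does nothing unless it is also present as a native ACE on the OU.

```powershell
# Added example; not from the original post, Microsoft, or Active Roles.
# Assumes: RSAT ActiveDirectory module, LAPS AdmPwd.PS module, and a placeholder OU DN.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OU = 'OU=Servers,DC=corp,DC=example'   # placeholder; replace with the real OU DN

# Documented route: the LAPS cmdlet grants SELF write on both attributes for
# computer objects under the OU.
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# Resolve a schema object's schemaIDGUID so the ACE can be attribute- and
# class-specific rather than a blanket write. Fails loudly if the LAPS schema
# extension (Update-AdmPwdADSchema) has not been applied.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found; is the LAPS schema extension installed?" }
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}

# Manual equivalent of the cmdlet, for when you need to see exactly which ACEs
# are expected (e.g. to compare against what Active Roles pushed to AD).
function Grant-LapsSelfWrite([string]$OrgUnit) {
    $self         = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'  # NT AUTHORITY\SELF
    $computerGuid = Get-SchemaGuid 'computer'
    $acl          = Get-Acl -Path "AD:\$OrgUnit"
    foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        # WriteProperty on one attribute (ObjectType), inherited only by
        # descendant computer objects (InheritedObjectType), never on the OU itself.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $self,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaGuid $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $computerGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OrgUnit" -AclObject $acl
}

# Verification: read the OU's native ACL back and report whether SELF has the
# attribute-scoped WriteProperty ACE for each LAPS attribute. Run this after
# the cmdlet, after Grant-LapsSelfWrite, or after an Active Roles "Sync to
# Native Security" to see whether anything actually reached AD.
function Test-LapsSelfPermission([string]$OrgUnit) {
    $acl          = Get-Acl -Path "AD:\$OrgUnit"
    $computerGuid = Get-SchemaGuid 'computer'
    $writeProp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($attr in 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime') {
        $attrGuid = Get-SchemaGuid $attr
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($writeProp) -and
            $_.ObjectType -eq $attrGuid -and
            $_.InheritedObjectType -eq $computerGuid
        }
        [pscustomobject]@{ OU = $OrgUnit; Attribute = $attr; SelfWritePresent = [bool]$hit }
    }
}

Test-LapsSelfPermission -OrgUnit $OU | Format-Table -AutoSize
```

If Test-LapsSelfPermission reports SelfWritePresent as False for either attribute after you have applied the Access Template, the template has not reached AD as a native ACE, whatever the ARS console shows. Both ACEs must be inherited by the computer objects (Descendents, computer class) rather than placed on the OU object itself, which is also the shape the LAPS cmdlet creates.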

  • The purpose of the sync to native security is to effectively copy the delegated permissions you have set up in Active Roles to Active Directory which, in most cases, is NOT desirable. Why? Because the point of Active Roles is to force users to use Active Roles for AD object management. If you copy the security over, you are opening the door for them to use native tools again.

    I suppose for this specific use case, where the computer accounts will never actually be using Active Roles anyway, it's "safe" to use the Sync to Native Security feature as a means to an end.  I would just once again caution you not to use this feature for "regular" delegations of rights to users to perform AD object management activities.

  • I agree with your assessment of Sync, that it should not be used most of the time. The real question is that I tried what we are discussing and it did not work. So, if it should work and did not, what did I do wrong? How do I get you screenshots of my template or upload the XML to you?

  • You should be able to embed screenshots here.  Do you not have an "Insert" command available when editing your posts?  You can use that to add inline images.

  • Does the service account running Active Roles itself (or if configured, the account set on the Managed Domain) actually have the permissions to modify AD object ACLs?  i.e. have you been able to "push" any AD object ACL ACEs over?

  • The ARS service account has domain admin, so it should have the rights to do this.  I will try to Sync something simple and see if any Sync works.  

  • I think you hit on the answer: the service account has domain admin in all our domains, but the domain I started in is special, it has an extra layer of security from Centrify and I bet it is what is blocking the sync. I will verify in one of the other domains. Thank you! Oh, and I cannot insert screenshots in this box or attach files. Insert lets me point to a graphic on the web or a file posted somewhere else on this forum.

  • I tried to copy a screenshot into this box and it fails.  Insert lets me copy another file posted on this forum or a picture from a web URL.