Access Template for Microsoft LAPS - I have seen a template to grant read access to the ms-Mcs-AdmPwd attributes in ARS, but not a template to grant Self (the computer account) access to write to ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd.

I tried to create an access template for granting Self write access to the ms-Mcs-AdmPwd attributes and it seemed to do nothing. I had to manually set the rights using PowerShell. It would be so much easier to do this with an ARS Access Template. This is from the Microsoft LAPS technical documentation:

  • Adding Machine Rights

The Write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts has to be added to the SELF built-in account. This is required so the machine can update the password and expiration timestamp of its own managed local Administrator password. This is done using PowerShell. You may need to run Import-Module AdmPwd.PS if <name of the OU to delegate permissions>

Repeat this procedure for any additional OUs that contain computer accounts that are in scope of the solution and are not subcontainers of already processed containers.

I created a template that set: Allow / Write ms-Mcs-AdmPwd / Apply to: Computer / Trustee: NT Authority\Self / Directory Object: the OU with the servers that I wanted LAPS installed on.

What did I do wrong?
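For reference, the native AD change the LAPS documentation describes, done with plain ActiveDirectory-module cmdlets so the resulting ACEs can be inspected. This is an added example and not code from the thread or from Microsoft; the OU distinguished name is a constructed placeholder, and the script assumes the RSAT ActiveDirectory module is loaded and the caller can modify the OU's security descriptor. The documented one-liner from the LAPS module (`Import-Module AdmPwd.PS; Set-AdmPwdComputerSelfPermission -OrgUnit <OU>`) produces the same two ACEs; the long form below shows exactly what a template would have to replicate in AD itself.

```powershell
# Added example (not from the original post): grant NT AUTHORITY\SELF the right to
# write the two LAPS attributes on every computer object under an OU, directly in
# Active Directory, then verify the ACEs that were written.
# Assumptions: ActiveDirectory module available; $OU is a constructed placeholder.
Import-Module ActiveDirectory

$OU = 'OU=Servers,DC=example,DC=com'   # assumption: the OU holding the LAPS-managed servers

$SelfSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # NT AUTHORITY\SELF
$SchemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUIDs at run time instead of hard-coding them; this also fails
# loudly if the LAPS schema extension (Update-AdmPwdADSchema) was never applied.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found; is the LAPS schema extension installed?" }
    [guid]$obj.schemaIDGUID
}

$ComputerClassGuid = Get-SchemaGuid -LdapDisplayName 'computer'
$AttrGuids = @{
    'ms-Mcs-AdmPwd'               = Get-SchemaGuid -LdapDisplayName 'ms-Mcs-AdmPwd'
    'ms-Mcs-AdmPwdExpirationTime' = Get-SchemaGuid -LdapDisplayName 'ms-Mcs-AdmPwdExpirationTime'
}

# Build one ACE per attribute: Allow / WriteProperty / that attribute only /
# inherited by descendant computer objects (the "Apply to: Computer" scope).
$acl = Get-Acl -Path "AD:\$OU"
foreach ($name in $AttrGuids.Keys) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $SelfSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AttrGuids[$name],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify from the directory itself: expect exactly one Allow WriteProperty ACE for
# SELF per attribute, scoped to descendant computer objects.
$check = @((Get-Acl -Path "AD:\$OU").Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    $_.ObjectType -in $AttrGuids.Values -and
    $_.InheritedObjectType -eq $ComputerClassGuid
})
if ($check.Count -ne $AttrGuids.Count) {
    throw "Expected $($AttrGuids.Count) SELF write ACEs on $OU, found $($check.Count)"
}
$check | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

The verification step is the useful part when an ARS template "seems to do nothing": a LAPS client writes its password to a domain controller over LDAP, so the only ACEs that matter are the ones visible in this native ACL, not the rights recorded inside Active Roles. Run the check against each in-scope OU after applying whatever template or link you use, and re-run it after any change to the OU's security descriptor.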

  • The requirement is for the computer accounts to have native rights in AD, not in Active Roles. A computer out on the network isn't going to be updating this password through Active Roles.


  • Thank you for your quick reply! Isn't that what Sync to Native Security does? I thought I could just check that box in the template link and it would sync to AD.

  • The purpose of the Sync to Native Security option is to effectively copy the delegated permissions you have set up in Active Roles to Active Directory, which, in most cases, is NOT desirable. Why? Because the point of Active Roles is to force users to use Active Roles for AD object management. If you copy the security over, you are opening the door for them to use native tools again.

    I suppose for this specific use case, where the computer accounts will never actually be using Active Roles anyway, it's "safe" to use the Sync to Native Security feature as a means to an end. I would just once again caution you not to use this feature for "regular" delegations of rights to users to perform AD object management activities.

  • I agree with your assessment of Sync, that it should not be used most of the time. The real question is that I tried what we are discussing and it did not work. So, if it should work and did not, what did I do wrong? How do I get you screenshots of my template or upload the XML to you?
