Access Template for Microsoft LAPS - I have seen a template to grant reader to the ms-Mcs-AdmPwdattributes in ARS, but not a template to Grant Self (the computer account) access to write to the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd.

The requirement is for the computer accounts to have native rights in AD not in Active Roles.  A computer out on the network isn't going to be updating this password through Active Roles.

Thank you for your quick reply!  Isn't that what Sync to Native Security does?  I thought I could just check that box in the template link and it would sync to AD.

The purpose of the sync to native security is to effectively copy the delegated permissions you have setup in Active Roles to Active Directory which in most cases, is NOT desirable.  Why?  Because the point of Active Roles is to force users to use Active Roles for AD object management.  If you copy the security over, you are opening the door for them to use native tools again.

I suppose for this specific use case, where the computer accounts will never actually be using Active Roles anyway, it's "safe" to use the Sync to Native Security feature as a means to an end.  I would just once again caution you not to use this feature for "regular" delegations of rights to users to perform AD object management activities.

I agree with your assessment of Sync, that it should not be used most of the time.  The real question is I tried what we are discussing and it did not work.  So, if it should work and did not, what did I do wrong.  How do I get you screenshots of my template or upload the XML to you?

You should be able to embed screenshots here.  Do you not have an "Insert" command available when editing your posts?  You can use that to add inline images.

Does the service account running Active Roles itself (or if configured, the account set on the Managed Domain) actually have the permissions to modify AD object ACLs?  i.e. have you been able to "push" any AD object ACL ACEs over?

Does the service account running Active Roles itself (or if configured, the account set on the Managed Domain) actually have the permissions to modify AD object ACLs?  i.e. have you been able to "push" any AD object ACL ACEs over?

The ARS service account has domain admin, so it should have the rights to do this.  I will try to Sync something simple and see if any Sync works.  

I think you hit on the answer, the service account has domain admin in all our domains, but the domain I started in is special, it has an extra layer of security from Centrify and I bet it is what is blocking the sync.  I will verify in one of the other domains.  Thank You!  Oh, and I can not insert screenshots in this box or attach files.  Insert lets me point to a graphic on the web or a file posted somewhere else on this forum.