Installing Local Administrator Password Solution

I just downloaded LAPS (microsoft local administrator password solution) and I'm trying to install it, but I've run into a problem.
Here's the website if you want to check it out: https://www.microsoft.com/en-us/download/details.aspx?id=46899

So I'm looking at the operations guide, and I'm stuck on page 8. It's saying to remove all extended rights to groups I don't want to have it, but I know using ADSI Edit, I need to be careful or I can damage my AD.  
I've included a screenshot of my ADSIEDIT. How do I know which one I want to remove, if any that has extended rights?
How do I know it's just removing that attribute, as it didn't allow me to select which attribute I want to remove?
ADSIEDIT
Has anyone implemented this successfully?
DanNetwork EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LearnctxEngineerCommented:
They're doing it through ADSI Edit but you could do this via ADUC (dsa.msc). You're just making an ACL change. The 2 options available are usually Allow extended rights Allow/Deny. So you will just be removing the allow. If you don't feel comfortable doing it in ADSI Edit then do it via ADUC.
0
DanNetwork EngineerAuthor Commented:
Got it, but on what accounts do I do it on?
If I do it on the entire folder, doesn't that remove the rights from every computer in that OU?
0
LearnctxEngineerCommented:
Yes you would do it at an OU level and apply it to computer objects within that OU. You only remove the right from groups you do not want to see the password.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

DanNetwork EngineerAuthor Commented:
So is there a way to pick and choose on which computers I want it on?
Also, basically, do I remove the right from everyone only domain admin, myself and any other admin that should have that ability?  Pretty much, the right should be removed from everyone, right?
0
LeeTutorretiredCommented:
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
0
LearnctxEngineerCommented:
Sorry I never saw the email that another reply had come in. Yes you can manage which computers LAPS manages. This is done via GPO, so only apply the GPO at the OU levels you want to manage.

There is a useful series a third party has written on deploying LAPS which Microsoft has recommended people read through. Disclaimer though, as per Microsoft's post, this is a third party website and they can't control what happens with the content and how its changed in the future.

Part1: https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-1/
Part2: https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-2/
Part3: https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-3/

Also for useful info is the LAPS MSDN blog: http://blogs.msdn.com/b/laps/.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
LearnctxEngineerCommented:
A bit late with a reply but I believe every question they've asked has been answered thus far. The original question was to do with modifying object ACL's and the original question has been expanded on later.
0
DanNetwork EngineerAuthor Commented:
Thanks, this looks good.
0
DanNetwork EngineerAuthor Commented:
so I got stuck on part 2, #8
I entered the command, but I keep on getting this error message:
error
Any thoughts why this is happening?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.