Installing Local Administrator Password Solution

I just downloaded LAPS (Microsoft Local Administrator Password Solution) and I'm trying to install it, but I've run into a problem.
Here's the website if you want to check it out: https://www.microsoft.com/en-us/download/details.aspx?id=46899

So I'm looking at the operations guide, and I'm stuck on page 8. It's saying to remove all extended rights to groups I don't want to have it, but I know using ADSI Edit, I need to be careful or I can damage my AD.  
I've included a screenshot of my ADSIEDIT. How do I know which one I want to remove, if any that has extended rights?
How do I know it's just removing that attribute, as it didn't allow me to select which attribute I want to remove?
[screenshot: ADSIEDIT]
Has anyone implemented this successfully?
Dan (Network Engineer) asked:
 
Learnctx (Engineer) commented:
Sorry, I never saw the email that another reply had come in. Yes, you can manage which computers LAPS manages. This is done via GPO, so only apply the GPO at the OU levels you want to manage.

There is a useful series a third party has written on deploying LAPS which Microsoft has recommended people read through. Disclaimer though, as per Microsoft's post, this is a third-party website and they can't control what happens with the content and how it's changed in the future.

Part 1: https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-1/
Part 2: https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-2/
Part 3: https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-3/

Also useful for info is the LAPS MSDN blog: http://blogs.msdn.com/b/laps/.
 
Learnctx (Engineer) commented:
They're doing it through ADSI Edit, but you could do this via ADUC (dsa.msc). You're just making an ACL change. The 2 options available are usually Allow extended rights Allow/Deny. So you will just be removing the allow. If you don't feel comfortable doing it in ADSI Edit, then do it via ADUC.
 
Dan (Network Engineer, author) commented:
Got it, but on what accounts do I do it on?
If I do it on the entire folder, doesn't that remove the rights from every computer in that OU?
 
Learnctx (Engineer) commented:
Yes, you would do it at an OU level and apply it to computer objects within that OU. You only remove the right from groups you do not want to see the password.
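A read-only way to list which principals hold "All extended rights" on an OU before changing any ACL, as discussed in the replies above. This is an added example, not part of any post in this thread; it assumes the RSAT ActiveDirectory PowerShell module, and the OU distinguished name and expected-principals list are hypothetical placeholders.

```powershell
# Added example: read-only audit, it changes nothing in AD.
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Hypothetical values: replace with your own OU and the principals
# that are supposed to be able to read the LAPS password.
$OuDn     = 'OU=Workstations,DC=example,DC=com'
$Expected = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins')

function Get-AllExtendedRightsHolder {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string[]] $ExpectedPrincipals = @()
    )
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are not reported.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll (Full control) includes the ExtendedRight bit, so it is caught too.
        if (-not $ace.ActiveDirectoryRights.HasFlag($extended)) { continue }
        # An empty ObjectType means "all extended rights", not one specific right.
        if ($ace.ObjectType -ne [guid]::Empty) { continue }

        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited      # inherited ACEs are changed on the parent
            AppliesTo  = $ace.InheritanceType  # None = this OU only, no child computers
            Unexpected = $ace.IdentityReference.Value -notin $ExpectedPrincipals
        }
    }
}

# Unexpected entries sort to the top; these are the candidates to review.
Get-AllExtendedRightsHolder -DistinguishedName $OuDn -ExpectedPrincipals $Expected |
    Sort-Object Unexpected -Descending |
    Format-Table -AutoSize
```

The LAPS PowerShell module (AdmPwd.PS) also ships `Find-AdmPwdExtendedRights`, which reports the same kind of information for an OU.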
 
Dan (Network Engineer, author) commented:
So is there a way to pick and choose on which computers I want it on?
Also, basically, do I remove the right from everyone only domain admin, myself and any other admin that should have that ability? Pretty much, the right should be removed from everyone, right?
 
LeeTutor (retired) commented:
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
 
Learnctx (Engineer) commented:
A bit late with a reply but I believe every question they've asked has been answered thus far. The original question was to do with modifying object ACLs and the original question has been expanded on later.
 
Dan (Network Engineer, author) commented:
Thanks, this looks good.
 
Dan (Network Engineer, author) commented:
So I got stuck on part 2, #8.
I entered the command, but I keep on getting this error message:
[screenshot: error]
Any thoughts why this is happening?
Question has a verified solution.