I have an issue with LAPS, which is used to manage local admin passwords on domain computers. As per the picture below, when I go to the Workstations OU and try to remove Read ms-Mcs-AdmPwd from domain/Users, a permission which is not inherited, it automatically comes back after saving settings. Has anyone seen this issue?
Why do you feel the need to modify this? Why not just allow LAPS to manage it?
We had an external security company do security testing, and they managed to read all passwords, which is not a good thing :)
- Open Active Directory Users and Computers as an account with Domain Admin rights
- Right-click on the OU in question and select Properties
- Click on the Security tab
- Click Advanced
- Select the user or group to modify permissions for
- Click Edit
- Uncheck the All extended rights box
Microsoft recommends that you make the change.
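To check the result of the steps above from PowerShell, the following added example (not part of the original thread) lists every allow entry on the OU that still carries "All extended rights", which is the right that exposes ms-Mcs-AdmPwd. It assumes the ActiveDirectory module (RSAT) is installed; the OU distinguished name is a placeholder.

```powershell
# Audit an OU for principals that hold "All extended rights".
Import-Module ActiveDirectory

# Assumption: placeholder DN. Replace with the OU that holds the LAPS-managed computers.
$ouDn = 'OU=Workstations,DC=example,DC=com'

# An entry whose ObjectType is the empty GUID applies to every extended right.
$allRights = [guid]::Empty
$extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl = Get-Acl -Path "AD:\$ouDn"

$findings = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extended) -and   # also true for GenericAll
    $_.ObjectType -eq $allRights
}

# IsInherited = True means the entry is defined on a parent container
# and has to be changed there, not on this OU.
$findings |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize

if (-not $findings) {
    Write-Output "No 'All extended rights' allow entries found on $ouDn"
}
```

Run it before and after the change; any group that should not read the stored passwords should no longer appear in the output.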