Link to home
Start Free TrialLog in
Avatar of Ivan
IvanFlag for Serbia

asked on

Microsoft LAPS

Dear all,

I have an issue with LAPS, which is used to managed local admin passwords on domain computers. As per picture below, when i go to OU Workstations, and try to remove Read ms-Mcs-AdmPwd fro domain/Users, permission which is not inhereted, it automatically gets back after saving settings. Has anyone seen this issue?

User generated image

Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

why do you feel the need to modify this?  why not just allow laps to manage it?

Avatar of Ivan


This permission allows any domain user, who has AD tools installed on computer to do a query and see, in plain text, passwords for each local admin account on all domain computers. There is special group for admins, but top level OU (called Workstations), in which all other OU for computers are, has this settings, so it is getting propagated. In LAPS documentations there is info to remove "extendend rights", which Users dont have, but there is also info that if users can join computer do a domain (they can by default), then you will have this issue. We have removed this option for users, but permission has left.

We had external security company do testing of security and they have managed to read all passwords, which is not a good thing :)
Avatar of Ivan


That permission, assigned to domain\users is Special

User generated image
  1. Open Active Directory Users and Computers as an account with Domain Admin rights
  2. Right click on the OU in question and select Properties
  3. Click on the Security tab
  4. Click Advanced
  5. Select the user or group to modify permissions for
  6. Click Edit
  7. Uncheck the All extended rights box
Avatar of Ivan


Hi David,

I have checked that and domain\Users group does not have that ticked. I found post on some forum, about some guy with same issue, but with no resolution :)
As usual, MS documentation is not great :P

User generated image
Since it was brought up, you can and should disable regular domain users from being able to join a device to the domain.

Microsoft recommends that you make the change.
Avatar of Ivan
Flag of Serbia image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial