May 2019
Intermediate to advanced
620 pages
21h 41m
English
Content preview from Active Directory Administration Cookbook
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Setting permissions
Next, we need to set permissions in Active Directory to enable devices to write to the new mS-MCS-AdmPwd and mS-MCS-AdmPwdExpirationTime attributes. Follow these steps:
- Sign into the domain controller or Windows Server-based management server that has LAPS installed with an account that is a member of the Domain Admins group, or is delegated Full Control over the OU containing the devices in scope for LAPS (and its child OUs).
Open an elevated PowerShell window and type the following two lines of PowerShell to import the LAPS PowerShell module, and then to set the permissions on the OU with devices:
Import-Module AdmPwd.PSSet-AdmPwdComputerSelfPermission -OrgUnit "OU ShortName"
Do not run the preceding PowerShell command ...