Delegate laps permissions to end users on a OU

Question

Delegate laps permissions to end users on a OU

François Paiement 26

Hello,

Situtation : I have the NEW laps, the one that have been released this year. I Save LAPS Passwords to LOCAL AD servers.

Need : I need some end users to have delegated access to an OU and the computers contained into it and be able to change those container's computer object's laps status,so read and replace password.

Problem : If i give a user access to one OU, he sure can create new Objects in it, but computers inside the OU do not seem to be inheriting permissions.

I've read something about changing something in the schema, but it did not fit what i needed to do, because i do not want those end users (who have been registered to the laps password group) to have access to modify any computers that are not in the specific OU

What is the minimum permissions required to achieve what i need to do and ensure that new computers will have the necessary permissions only when placed in that OU

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Limitless Technology 45,051

Hello there,

You can grant a user or user group permission to view LAPS recovery keys stored in a designated organizational unit (OU) in Active Directory.

Before you delegate access, you must have or create an OU and security group to designate.

To delegate access to LAPS recovery keys:

On the device where LAPS management utilities are installed, open a PowerShell prompt for an account with Domain Admin rights.
Import the LAPS PowerShell module: Import-Module AdmPwd.PS
Delegate read access to a user or group:

Set-AdmPwdReadPasswordPermission -Identity "OU Name" -AllowedPrincipals "User or Group Name"

Replace OU Name with the name of the OU for which the user or group will be able to read attributes

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer--

François Paiement 26 Reputation points

2023-08-11T05:57:10.63+00:00

thats the correct answer, just wanna add a small comment, i needed to use "OU=example1,OU=example2,DC=example1,DC=example2"
Niklas Zimmermann 0 Reputation points

2025-11-06T05:09:23.7+00:00

Hello,

I’m trying to configure this for Entra-joined only devices managed by Intune. I’ve created an Administrative Unit, assigned the device to it, and granted the user the LAPS Reader role (microsoft.directory/deviceLocalCredentials/password/read), scoped only to that Administrative Unit where the device resides.

However, the user can still view all BitLocker recovery keys for every device in my organization, not just for the one within the Administrative Unit.

Is there a way to limit BitLocker key visibility to devices within the user’s assigned Administrative Unit? Or am I missing an additional configuration step?

Alternatively, I'm searching for a solution to provide an Admin Account with just in time access for the Employee using his notebook.

Thanks in advance for your help!

Best regards,

Niklas

Share via

Delegate laps permissions to end users on a OU

0 additional answers

Your answer