I have been trying to set up a test environment in HyperV with 2 test computers on Windows 10 and a single Windows Server 2019 of implementing LAPS, as I will potentially be presenting this technology to the team in the near future. I have installed a test domain and set up some OU's, joined computers to the domain, etc. I verified with the Get-ADOrganizationalUnit that the OU's exist.
I have been trying to execute the command
set-admpwdreadpasswordpermission -Identity "OU=Workstations,OU=TestComputers,DC=test,DC=com" -AllowedPrincipals "LAPS_Read,LAPS_Admin"
yet it keeps failing out with
set-admpwdreadpasswordpermission : Some or all identity references could not be translated. At line:1 char:1
- set-admpwdreadpasswordpermission -Identity "OU=Workstations,OU=TestCo ...
+ CategoryInfo : NotSpecified: (:) [Set-AdmPwdReadPasswordPermission], IdentityNotMappedException + FullyQualifiedErrorId : System.Security.Principal.IdentityNotMappedException,AdmPwd.PS.DelegateReadPasswordPermi ssion
I am certain I have spelled things correctly, yet it still fails out. I also have made sure I imported the admpwd.PS module. P.S I am new to powershell, yet everything else has succeeded to this point, like the set-admpwdComputerselfpermission (may have spelled wrong), this command outputed the status of delegated showing that it worked. Please offer some help, Thanks!
edit: I have got it to work for a user account; however, the groups still fail...
1 Answer
Try to use SID instead of groupnames @("S-1-5-21-XXXXXXX.....")
which version of LAPS are you trying to configure? Be aware of the difference between "Legacy-LAPS" & "Windows-LAPS" Windows-LAPS has been implemented into the OS in April 2023 by Windows Updates. It uses complete different AD-Attributes, GPOs & Commands than Legacy-LAPS and is not compatible to the old LAPS-Agent. Windows-LAPS is an agentless feature now and requires at least Windows Server 2019 CU 04-2023 and Windows 10 22H2 CU 04-2023 or above
