Delegate Access to LAPS Recovery Keys in Active Directory

You can grant a user or user group permission to view LAPS recovery keys stored in a designated organizational unit (OU) in Active Directory.

Before you delegate access, make sure the target OU and the security group (or user) you will delegate to already exist in Active Directory; create them first if they do not.

To delegate access to LAPS recovery keys:

1. On the device where LAPS management utilities are installed, open a PowerShell prompt for an account with Domain Admin rights.

2. Import the LAPS PowerShell module: Import-Module AdmPwd.PS

3. Delegate read access to a user or group:
Set-AdmPwdReadPasswordPermission -Identity "OU Name" -AllowedPrincipals "User or Group Name"

  • Replace OU Name with the name of the OU whose computer objects the user or group will be able to read the LAPS password attribute from
  • Replace User or Group Name with the name of the user or group being delegated read permission
  • To delegate to more than one principal, specify the users or groups as a comma-separated list
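The steps above as one script, followed by the check a practitioner usually wants afterwards: listing every principal that holds extended rights on the OU so that unintended LAPS readers are caught. This is an added example, not Recast's own script; the OU distinguished name, the group name and the domain prefix in the expected-holder list are assumed values.

```powershell
# Added example (not from the original page): delegate LAPS password read access
# to a group, then audit which principals hold extended rights on the OU.
# Assumed values: OU "Workstations" in the example.local domain, group "LAPS-Readers".
Import-Module AdmPwd.PS

$ou    = "OU=Workstations,DC=example,DC=local"   # assumed OU (name or DN is accepted)
$group = "LAPS-Readers"                          # assumed security group

# Grant the group the extended right to read the LAPS password attribute
# (ms-Mcs-AdmPwd) on computer objects in the OU.
Set-AdmPwdReadPasswordPermission -Identity $ou -AllowedPrincipals $group

# Audit step: Find-AdmPwdExtendedRights (from AdmPwd.PS) lists the holders of
# extended rights for the OU and its child OUs. Anything beyond the principals
# you expect (assumed list below; the "EXAMPLE\" prefix is the assumed NetBIOS
# domain name) deserves a review, because extended rights on the OU are enough
# to read every managed local administrator password beneath it.
$expected = @("EXAMPLE\Domain Admins", "NT AUTHORITY\SYSTEM", "EXAMPLE\$group")

Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
    $unexpected = @($_.ExtendedRightHolders | Where-Object { $_ -notin $expected })
    if ($unexpected.Count -gt 0) {
        Write-Warning ("Unexpected LAPS readers on {0}: {1}" -f $_.ObjectDN, ($unexpected -join ', '))
    } else {
        Write-Output ("{0}: only expected readers" -f $_.ObjectDN)
    }
}
```

Run the audit part on its own periodically; the delegation only needs to be applied once per OU and group.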

Copyright © 2023 Recast Software, LLC. All rights reserved.