You can grant a user or user group permission to view LAPS recovery keys stored in a designated organizational unit (OU) in Active Directory.
Before you delegate access, you must have or create an OU and security group to designate.
To delegate access to LAPS recovery keys:
1. On the device where the LAPS management utilities are installed, open an elevated PowerShell prompt as an account with Domain Admin rights (or another account permitted to modify the ACL of the target OU).
2. Import the LAPS PowerShell module:
3. Delegate read access to a user or group:
Set-AdmPwdReadPasswordPermission -Identity "OU Name" -AllowedPrincipals "User or Group Name"
- Replace OU Name with the name (or distinguished name) of the OU whose computer objects the user or group will be able to read the LAPS password attribute for; the permission applies to every computer object in that OU
- Replace User or Group Name with the name of the user or group being delegated read permissions
- Specify multiple users or groups using a comma-separated list
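The complete procedure as an added example, not code from the original page: it imports the legacy LAPS module (AdmPwd.PS, the module that provides Set-AdmPwdReadPasswordPermission), delegates read access, and then audits who holds read rights on the OU with Find-AdmPwdExtendedRights, which also surfaces principals granted read access through other delegations. The OU and group names are placeholders and must be replaced.

```powershell
# Added example: delegate and verify read access to LAPS passwords for one OU.
# Assumes the AdmPwd.PS module is installed and the session runs as an account
# allowed to modify the OU's ACL (e.g. Domain Admin).
#Requires -Modules AdmPwd.PS

param(
    # OU name or distinguished name. Placeholder value, replace it.
    [string] $OrgUnit = "OU=Workstations,DC=contoso,DC=com",
    # One or more users/groups to delegate read access to. Placeholders.
    [string[]] $Principals = @("CONTOSO\LAPS-Readers")
)

$ErrorActionPreference = "Stop"

# AdmPwd.PS is the module that ships with the LAPS management utilities.
Import-Module AdmPwd.PS

# Grant read access to the LAPS password attribute on computer objects in the OU.
# -AllowedPrincipals accepts a single name or an array of names.
Set-AdmPwdReadPasswordPermission -Identity $OrgUnit -AllowedPrincipals $Principals

# Verify the delegation. Every principal listed here can read the clear-text
# local administrator password of machines in the OU, so the list should contain
# only the principals you intended (plus the built-in holders such as SYSTEM).
$rights = Find-AdmPwdExtendedRights -Identity $OrgUnit
foreach ($entry in $rights) {
    Write-Output ("{0}: {1}" -f $entry.ObjectDN, ($entry.ExtendedRightHolders -join ", "))
}

# Flag anything that was not part of this delegation so it can be reviewed.
$unexpected = $rights.ExtendedRightHolders |
    Where-Object { $_ -and ($Principals -notcontains $_) }
if ($unexpected) {
    Write-Warning ("Other principals with read access on {0}: {1}" -f $OrgUnit, ($unexpected -join ", "))
}
```

Run the audit step on its own whenever the OU's permissions change; a principal that holds "All Extended Rights" on the OU can read the password without ever appearing in a Set-AdmPwdReadPasswordPermission call, and Find-AdmPwdExtendedRights is the supported way to see that.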