
We have in our forest a few domains. As a PoC, we linked Windows LAPS GPO in one domain and want to manage the credentials across the whole forest. The password decryption works fine if you are in the same domain but it fails when you are attempting to get the password from another domain.

Do you know whether that is by design or can be configured?

1 Answer


ADPasswordEncryptionPrincipal may be used to specify the principals that may decrypt the password. If not, the default is Domain Admins, which only has members of the current domain.

Use this setting to configure the name or security identifier (SID) of a user or group that can decrypt the password that's stored in Active Directory.

This setting is ignored if the password currently is stored in Azure.

If not specified, only members of the Domain Admins group in the device's domain can decrypt the password.

If specified, the specified user or group can decrypt the password that's stored in Active Directory.

https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings#adpasswordencryptionprincipal
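An added example illustrating the answer above (not code from the answer or from Microsoft): a lab script that shows the default state on a managed device, points ADPasswordEncryptionPrincipal at a forest-wide group, and verifies a cross-domain read. It assumes a forest with a root domain CORP and a child domain EU, a constructed universal group CORP\LAPS-Decryptors, and a test computer EU-WS01; the SID shown is a placeholder.

```powershell
# Added example, not part of the original answer. Assumes: root domain CORP,
# child domain EU, constructed universal group CORP\LAPS-Decryptors,
# test device EU-WS01. Requires the Windows LAPS PowerShell module.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

# Read the principal currently applied on this managed device.
# No value means the default: only Domain Admins of the device's own
# domain can decrypt, which is why reads from another domain fail.
function Get-LapsEncryptionPrincipal {
    $p = Get-ItemProperty -Path $policyKey -Name ADPasswordEncryptionPrincipal `
            -ErrorAction SilentlyContinue
    if ($null -eq $p) { return '(not set: Domain Admins of the device domain)' }
    return $p.ADPasswordEncryptionPrincipal
}

# Lab only: write the policy value directly on one test device so the
# effect can be checked before the GPO is changed. In production, set
# the same value in the Windows LAPS GPO (or the LAPS CSP for Intune).
function Set-LapsEncryptionPrincipal {
    param([Parameter(Mandatory)][string]$Principal)
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name ADPasswordEncryptionPrincipal `
        -Value $Principal -Type String
}

Write-Host "Before: $(Get-LapsEncryptionPrincipal)"

# Forest-wide decryption: use a universal group from the root domain, so
# admins from every domain can be made members. A SID is more robust
# than a name if the group is ever renamed.
Set-LapsEncryptionPrincipal -Principal 'CORP\LAPS-Decryptors'
# Alternative, by SID (placeholder value):
# Set-LapsEncryptionPrincipal -Principal 'S-1-5-21-<placeholder>-1105'

Write-Host "After:  $(Get-LapsEncryptionPrincipal)"

# The stored password is encrypted for the principal in force at the
# time it was set, so apply policy and rotate once to pick up the change.
Invoke-LapsPolicyProcessing
Reset-LapsPassword

# Verify from the other domain as a member of CORP\LAPS-Decryptors:
# the -Domain parameter targets the child domain holding the computer.
Get-LapsADPassword -Identity 'EU-WS01' -Domain 'eu.corp.example' -AsPlainText
```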

