ADPasswordEncryptionPrincipal may be used to specify the principals that may decrypt the password. If it is not set, the default is Domain Admins, which can only contain members from the device's own domain.
Use this setting to configure the name or security identifier (SID) of a user or group that can decrypt the password that's stored in Active Directory.
This setting is ignored if the password is currently stored in Azure.
If not specified, only members of the Domain Admins group in the device's domain can decrypt the password.
If specified, that user or group can decrypt the password that's stored in Active Directory.
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-policy-settings#adpasswordencryptionprincipal
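The following PowerShell is an added example, not taken from the page or from Microsoft's documentation: it configures the encryption principal as a group SID on a domain-joined client, forces a rotation so the stored blob is encrypted to that principal, and verifies that a member of the group can decrypt it. The group name CONTOSO\LAPS-PasswordReaders is hypothetical; the policy registry key HKLM\SOFTWARE\Microsoft\Policies\LAPS and the BackupDirectory and ADPasswordEncryptionEnabled values are assumed from the Windows LAPS policy documentation rather than from this page.

```powershell
# Added example (not from the page). Run elevated on a domain-joined client.
# Assumptions: 'CONTOSO\LAPS-PasswordReaders' is a hypothetical group; the
# policy key and the BackupDirectory / ADPasswordEncryptionEnabled values are
# taken from Windows LAPS documentation, not from this page.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$Group     = 'CONTOSO\LAPS-PasswordReaders'   # hypothetical group

# Resolve the group to its SID. Storing the SID rather than the name means the
# policy keeps working if the group is renamed and needs no name lookup later.
$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

New-Item -Path $PolicyKey -Force | Out-Null

# BackupDirectory 2 = Active Directory. The encryption principal is ignored
# when the password is backed up to Azure instead.
Set-ItemProperty -Path $PolicyKey -Name BackupDirectory -Type DWord -Value 2

# Without encryption enabled the principal setting has no effect.
Set-ItemProperty -Path $PolicyKey -Name ADPasswordEncryptionEnabled -Type DWord -Value 1

# The setting this page describes: who may decrypt the stored password.
Set-ItemProperty -Path $PolicyKey -Name ADPasswordEncryptionPrincipal -Type String -Value $sid

# Apply the policy now and rotate, so the blob in AD is encrypted to the new
# principal rather than to the default Domain Admins of the device's domain.
Invoke-LapsPolicyProcessing
Reset-LapsPassword

# Verification. Run this part as a member of the group (not as a Domain Admin):
# decryption should succeed. Run as any other account, it should fail, which is
# the access boundary the setting is meant to enforce.
try {
    Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText |
        Select-Object Account, PasswordUpdateTime, AuthorizedDecryptor, DecryptionStatus
} catch {
    Write-Warning "Decryption failed for $env:USERNAME : $($_.Exception.Message)"
}
```

Because Domain Admins is a group of the device's own domain, a forest with several domains that relies on the default leaves administrators from the other domains unable to decrypt; pointing the setting at a universal group (as above) is how that case is usually handled.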