Microsoft LAPS is an interesting little utility for managing local “Administrator” account passwords on domain-joined computers. If you don’t know what it is, or haven’t used it, stop here, put down your bong and nachos, and read this. Otherwise, this little article is focused on one particular part of one particular phase of this one particular product implementation. That is, delegating self-update permissions on the AD organizationalUnit and password retrieval permissions on the same OUs. Both of these involve PowerShell. I’ve seen both of these drive people insane, yet the solution is stupid-simple.
Set-AdmPwdComputerSelfPermission -OrgUnit <name>
The <name> value is singular: one OU per call. It's the canonical name, not the distinguishedName value, and you can't chain names in a delimited string here. So if you need to apply it to OUs named "desktops", "laptops" and "kiosks", you need to execute the statement once for each (or use a foreach loop, etc.).
Set-AdmPwdResetPasswordPermission -OrgUnit <name> -AllowedPrincipals <names>
The <name> value here is also singular and works the same way as in the previous cmdlet (above). The <names> value can be a single principal or a comma-delimited list. However, if a principal name contains an embedded space, you need to wrap it in matching quotes. The trick is that you can mix quoted and unquoted entries in the same list.
Example: the principals list consists of "Administrator" and "Workstation Admins", both in the domain "contoso".
Set-AdmPwdResetPasswordPermission -OrgUnit Desktops -AllowedPrincipals contoso\Administrator,"contoso\Workstation Admins"
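Putting the two cmdlets together for several OUs at once, as an added example that is not from the original post: the OU names, the contoso principals and the presence of the AdmPwd.PS module are assumptions. It also shows the read-permission cmdlet from the same module, since the reset right alone does not let a principal retrieve the password, and a verification step at the end.

```powershell
# Added example: delegate LAPS self-update, reset and read permissions on several OUs.
# Assumes the AdmPwd.PS module is installed; OU and principal names are placeholders.
Import-Module AdmPwd.PS

# -OrgUnit accepts exactly one OU name per call, so iterate over the list.
$ous = @('Desktops', 'Laptops', 'Kiosks')

# Passing a string array sidesteps the quote-mixing needed on a single command line;
# each entry is its own string, so the embedded space is no longer a problem.
$delegatedPrincipals = @('contoso\Administrator', 'contoso\Workstation Admins')

foreach ($ou in $ous) {
    # Let each computer object in the OU write its own password and expiry attributes.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou

    # Allow the listed principals to force a password reset (expire the current one).
    Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $delegatedPrincipals

    # Reset does not imply read; retrieval of the stored password is delegated separately.
    Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $delegatedPrincipals

    # Verify who now holds the extended right to read passwords on this OU.
    Find-AdmPwdExtendedRights -Identity $ou | Format-List
}
```

Review the Find-AdmPwdExtendedRights output for each OU: anything beyond the principals you intended (and the built-in admin groups) is over-delegation worth removing.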