Service account vs attribute permission #89
Replies: 1 comment 2 replies
-
|
We also have the AMS service account in a group that grants permissions to the laps attributes, so this does work and is fully supported. AMS doesn't know or care how you grant permissions. AD is responsible for determining access. Have you restarted the service since adding it to the group? The group membership will not be picked up until the service logs on next. |
Beta Was this translation helpful? Give feedback.
-
|
I believe I restarted AM service but I will test tomorrow. |
Beta Was this translation helpful? Give feedback.
-
|
If restarting the service doesn't work try restarting the server itself. The built-in AdmPwd PowerShell cmdlets do the same thing as the script generated by AMS so you can use either. |
Beta Was this translation helpful? Give feedback.
-
Hi,
We are in the time of testing new AD OU’s structure and we implement LAPS permissions on this new OUs.
Instead of granding permmision for service account to attributes we have done this for a sec group and put service account to this group.
Looks like access deny from AM. When I try by logon to service account and get by laps ui or powershell command than I can see the laps password.
Only works when we set perrmision directly for service account name.
Is it ok from AM perspective?
Service account is not gmsa account
Beta Was this translation helpful? Give feedback.
All reactions