Monthly Archives: November 2016

Recover LAPS passwords from deleted objects and delegate recovery admins

I got a question about LAPS and deleted Computer objects:
What happens if a computer is disjoined from the domain, or if the computer object is deleted? How do we recover the LAPS password, and for how long can we still recover it (without going to the backups you should have)?

Computer is disjoined:

If you configure the client to join another domain or a workgroup, the computer object isn't deleted from the Active Directory database; at most the computer account is disabled. There is no problem retrieving the password in that case: the ms-Mcs-AdmPwd attribute is still on the (disabled) object, readable by anyone who has been granted the read-password right on it.

Computer object is deleted from the Active Directory database: Continue reading
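The two cases above, and the "for how long" question, can be answered from one place. The following is an added example, not code from the original post: it assumes the RSAT ActiveDirectory module, the LAPS schema extension (the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes), and that the caller holds the LAPS read-password right and can list the Deleted Objects container. The computer name WS01 is a placeholder. One query with -IncludeDeletedObjects returns the computer whether it is live, disabled after a disjoin, or a deleted object; whether the password attribute still has a value on a deleted object depends on the attribute's preserve-on-delete schema flag and on the Recycle Bin, so the function reports $null rather than assuming it survives. The retention function reads the forest's tombstoneLifetime and msDS-DeletedObjectLifetime, which bound how long a deleted object, and therefore anything still stored on it, can be read back.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module, the LAPS schema extension and a caller that holds
# the read-password right on ms-Mcs-AdmPwd and can list Deleted Objects.
Import-Module ActiveDirectory

# How long a deleted object (and any attribute that survives on it) stays
# readable in this forest.
function Get-DeletedObjectRetention {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
               -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $rb  = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    # No tombstoneLifetime value means the forest still runs on the old default of 60 days.
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    # No msDS-DeletedObjectLifetime value means "same as tombstoneLifetime".
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tsl }
    [pscustomobject]@{
        RecycleBinEnabled         = [bool]$rb.EnabledScopes
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
    }
}

# Look the computer up whether it is live, disabled (disjoined) or deleted.
function Get-LapsPasswordForComputer {
    param([Parameter(Mandatory)][string]$ComputerName)   # e.g. 'WS01' (placeholder)
    $sam   = $ComputerName.TrimEnd('$') + '$'
    $props = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', 'isDeleted',
             'isRecycled', 'lastKnownParent', 'userAccountControl', 'whenChanged'

    # -IncludeDeletedObjects makes the same query return tombstones / deleted
    # objects alongside live ones, so one call covers both cases in the post.
    Get-ADObject -LDAPFilter "(&(objectClass=computer)(sAMAccountName=$sam))" `
                 -IncludeDeletedObjects -Properties $props |
    ForEach-Object {
        $state = if ($_.isRecycled)                     { 'recycled (attributes stripped)' }
                 elseif ($_.isDeleted)                  { 'deleted' }
                 elseif ($_.userAccountControl -band 2) { 'disabled (probably disjoined)' }
                 else                                   { 'live' }
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Name            = $_.Name              # deleted objects carry a mangled "name\0ADEL:guid"
            State           = $state
            LastKnownParent = $_.lastKnownParent   # only set on deleted objects
            WhenChanged     = $_.whenChanged
            # $null here means either no read-password right, or the attribute
            # did not survive the deletion (schema flag / Recycle Bin dependent).
            Password        = $_.'ms-Mcs-AdmPwd'
            PasswordExpiry  = if ($exp) { [DateTime]::FromFileTimeUtc([int64]$exp) } else { $null }
        }
    }
}

Get-DeletedObjectRetention
Get-LapsPasswordForComputer -ComputerName 'WS01' | Format-List
```

If the computer was re-joined under the same name, you may get two objects back: the live one and the deleted one; the LastKnownParent and WhenChanged columns tell them apart, and the older password is the one the original disk image still honours.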

Where the adminCount doesn’t count and the SD isn’t what you thought.

This is a short follow-up on my earlier blog entry on the AdminSDHolder.
As stated earlier, the AdminSDHolder process (SDProp) runs as a background task on the domain controller holding the PDC Emulator role. It stamps the security descriptor of the AdminSDHolder object onto the protected admin groups and their (nested) members, and sets adminCount to 1 on them.

What I wanted to revisit are the cases where the adminCount attribute and the security descriptor are not set on objects you would expect them on. Continue reading
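A practitioner's check for the claim above, added here as an example and not code from the original post: it assumes the RSAT ActiveDirectory module and that the reader can see the DACL on the objects (a normal domain user can). It resolves transitive membership of the protected groups with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, compares each member's DACL (as SDDL) and adminCount against the AdminSDHolder object, and separately lists orphans: objects that still carry adminCount=1 but are no longer members, because SDProp never clears the attribute or the locked-down, non-inheriting descriptor on its own. SDProp runs every 60 minutes by default, so a member added minutes ago can legitimately show up as not yet stamped.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module; the protected-group list is the documented default
# (dsHeuristics can exclude the four operator groups in your forest).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Forest-root-only groups (Enterprise Admins, Schema Admins) do not exist in a
# child domain and are simply skipped there.
$protectedGroups = 'Administrators', 'Account Operators', 'Backup Operators',
    'Print Operators', 'Server Operators', 'Replicator', 'Domain Admins',
    'Domain Controllers', 'Read-only Domain Controllers', 'Enterprise Admins',
    'Schema Admins'

# Reference: the DACL SDProp copies, as SDDL (owner and group left out on purpose).
$holder  = Get-ADObject "CN=AdminSDHolder,CN=System,$domainDN" -Properties nTSecurityDescriptor
$refDacl = $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')

function Get-ProtectedMembers {
    # Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN, which follows
    # nested groups the way SDProp does.
    foreach ($name in $protectedGroups) {
        $g = Get-ADGroup -Filter "name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $g) { continue }
        $g   # the group object itself is protected as well
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))"
    }
    # krbtgt is protected explicitly, without being a member of anything above.
    Get-ADUser krbtgt
}

function Test-AdminSdHolderState {
    $members   = Get-ProtectedMembers | Select-Object -ExpandProperty DistinguishedName -Unique
    $memberSet = @{}
    foreach ($dn in $members) { $memberSet[$dn] = $true }

    # 1. Members whose adminCount or DACL does not match what SDProp should have set.
    foreach ($dn in $members) {
        $o    = Get-ADObject $dn -Properties adminCount, nTSecurityDescriptor
        $dacl = $o.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')
        $ok   = ($o.adminCount -eq 1) -and ($dacl -eq $refDacl)
        [pscustomobject]@{
            Object      = $dn
            Finding     = if ($ok) { 'ok' } else { 'not (yet) stamped by SDProp' }
            AdminCount  = $o.adminCount
            DaclMatches = ($dacl -eq $refDacl)
        }
    }
    # 2. Orphans: adminCount=1 but no longer a protected member. These keep the
    #    locked-down descriptor and blocked inheritance until someone cleans them up.
    Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { -not $memberSet.ContainsKey($_.DistinguishedName) -and
                       $_.DistinguishedName -ne $holder.DistinguishedName } |
        ForEach-Object {
            [pscustomobject]@{
                Object      = $_.DistinguishedName
                Finding     = 'orphan: adminCount=1 but not a protected member'
                AdminCount  = 1
                DaclMatches = $null
            }
        }
}

Test-AdminSdHolderState | Format-Table -AutoSize
```

The DACL comparison is an exact SDDL match, so a mismatch only says "differs from AdminSDHolder"; look at the object before drawing conclusions, since a deliberately customised AdminSDHolder is stamped just the same.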

Who is object owner in your domain?

Object owner: who is that in your Active Directory environment?
When delegating admin access in Active Directory there are a few things to consider, and one of them is the owner.

When an object is created, an owner is set in the security descriptor guarding that object. Which principal becomes the owner depends on who creates it, and the owner implicitly holds Read Control and Write DAC on the object whatever the DACL says, so a delegated admin who created an object keeps control of it after the delegation is removed. Continue reading
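To actually answer the question in the title, here is an added example (not code from the original post). It assumes the RSAT ActiveDirectory module; the list of owners treated as expected is an assumption to adjust to your own delegation model. Objects created by a member of Domain Admins typically get the Domain Admins group as owner, while anything created by someone else (a delegated admin, a user who joined a workstation) gets that creating account, and those are the rows the report flags. An owner SID that no longer resolves, for instance a deleted delegated admin, is kept as the raw SID instead of crashing the report; the second function hands such an object back to Domain Admins, which needs WRITE_OWNER on the object or the take-ownership privilege.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module; $expectedOwners is an assumption for illustration.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$expectedOwners = @(
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)

function Get-ADObjectOwnerReport {
    param(
        [string]$SearchBase      = $domain.DistinguishedName,
        [string[]]$ExpectedOwner = $expectedOwners
    )
    $filter = '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=organizationalUnit))'
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        try {
            $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Deleted or foreign account: keep the raw SID so the orphaned owner stays visible.
            $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        }
        [pscustomobject]@{
            Object     = $_.DistinguishedName
            Class      = $_.ObjectClass
            Owner      = $owner
            Unexpected = ($owner -notin $ExpectedOwner)
        }
    }
}

# Hand an object back to Domain Admins. Needs WRITE_OWNER on the object or
# SeTakeOwnershipPrivilege; Domain Admins have both on a domain controller.
function Set-ADObjectOwnerToDomainAdmins {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.SetOwner([System.Security.Principal.NTAccount]"$($domain.NetBIOSName)\Domain Admins")
    Set-Acl -Path $path -AclObject $acl
}

# Report only the objects whose owner is not on the expected list.
Get-ADObjectOwnerReport | Where-Object Unexpected | Format-Table -AutoSize
```

Run the report against an OU you have delegated before running it against the whole domain; on a large directory the nTSecurityDescriptor retrieval is the slow part, and a SearchBase keeps the first pass short.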