# Set-LapsADReadPasswordPermission

[https://learn.microsoft.com/en-us/powershell/module/laps/set-lapsadreadpasswordpermission?view=windowsserver2022-ps](https://learn.microsoft.com/en-us/powershell/module/laps/set-lapsadreadpasswordpermission?view=windowsserver2022-ps)

## Syntax

```powershell
Set-LapsADReadPasswordPermission
   [-Credential <PSCredential>]
   -Identity <String[]>
   -AllowedPrincipals <String[]>
   [-Domain <String>]
   [-DomainController <String>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
```

## Description

The `Set-LapsADReadPasswordPermission` cmdlet is used by administrators to configure security permissions on an OU to allow specific users or groups to query LAPS passwords on computers in that OU. Users and groups must be fully qualified with both domain and user name components. The only exception to this is when the specified name resolves to a built-in principal, such as `Domain Admins`.

## Examples

### Example 1

```powershell
Set-LapsADReadPasswordPermission -Identity LapsTestOU -AllowedPrincipals "Domain Admins"

Name       DistinguishedName
----       -----------------
LapsTestOU OU=LapsTestOU,DC=laps,DC=com
```

This example shows how to run the cmdlet with an isolated name that successfully maps to a well-known user or group.

### Example 2

```powershell
Set-LapsADReadPasswordPermission -Identity LapsTestOU -AllowedPrincipals @("S-1-5-21-2889755270-1324585639-743026605-1215")

Name       DistinguishedName
----       -----------------
LapsTestOU OU=LapsTestOU,DC=laps,DC=com
```

This example shows how to run the cmdlet specifying a user SID as input.

### Example 3

```powershell
Set-LapsADReadPasswordPermission -Identity 'OU=LapsTestOU,DC=laps,DC=com' -AllowedPrincipals @("laps.com\LapsAdmin1", "LapsAdmin2@laps.com")

Name       DistinguishedName
----       -----------------
LapsTestOU OU=LapsTestOU,DC=laps,DC=com
```

This example shows how to run the cmdlet specifying two fully qualified user names in different formats.

### Example 4

```powershell
Set-LapsADReadPasswordPermission -Identity LapsTestOU -AllowedPrincipals @("LapsAdministratorsGroup")

Set-LapsADReadPasswordPermission : The 'LapsAdministratorsGroup' account appears to be an isolated
name but is not a well-known name. Please use a fully qualified name instead, such as
"LAPSAdmins@contoso.com" or "contoso\LAPSAdmins"
At line:1 char:1
+ Set-LapsADReadPasswordPermission -Identity LapsTestOU -AllowedPrincip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-LapsADReadPasswordPermission], LapsPowershellException
    + FullyQualifiedErrorId : Invalid principal specified,Microsoft.Windows.LAPS.SetLapsADReadPasswordPermission
```

This example shows a failure caused by specifying an isolated name that didn't resolve to a well-known or built-in account. The fix for this error would be to add a domain name qualifier to the input name, for example `LapsAdministratorsGroup@laps.com`.
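The following wrapper, an added example that is not part of the Microsoft documentation, ties the examples above together from an administrator's side: it rejects isolated principal names before the cmdlet is called (so the Example 4 error never occurs), supports `-WhatIf` and `-Confirm` through `SupportsShouldProcess`, and then lists who actually holds the read right on the OU. It assumes the Windows LAPS module is installed and that the caller may modify the OU's security descriptor; the well-known-name list, the function name and the use of `Find-LapsADExtendedRights` (a cmdlet of the same module, with output properties `ObjectDN` and `ExtendedRightHolders`) are assumptions of this example.

```powershell
# Added example (not from the Microsoft docs page): grant LAPS password-read
# rights on an OU with principal validation, a dry-run option and a verification step.
# Assumed: Windows LAPS module present, caller can modify the OU ACL,
# Find-LapsADExtendedRights available for verification.

function Grant-LapsReadPermissionSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $OrganizationalUnit,  # name or distinguishedName, as -Identity accepts
        [Parameter(Mandatory)] [string[]] $Principals           # fully qualified names or SIDs
    )

    # Reject isolated names up front. Accepted forms: DOMAIN\name, name@domain,
    # a SID string, or one of the well-known names listed here (assumed list; extend as needed).
    $wellKnown = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    foreach ($p in $Principals) {
        $qualified = ($p -match '\\') -or ($p -match '@') -or ($p -match '^S-1-5-')
        if (-not $qualified -and ($p -notin $wellKnown)) {
            throw "Principal '$p' is an isolated name; use DOMAIN\name, name@domain or a SID."
        }
    }

    # ShouldProcess honours -WhatIf / -Confirm passed to this function; the
    # $WhatIfPreference it sets is also inherited by the inner cmdlet.
    $action = "Grant LAPS password-read permission to $($Principals -join ', ')"
    if ($PSCmdlet.ShouldProcess($OrganizationalUnit, $action)) {
        Set-LapsADReadPasswordPermission -Identity $OrganizationalUnit `
                                         -AllowedPrincipals $Principals `
                                         -Confirm:$false
    }

    # Verification: show every principal that now holds the extended right on the OU,
    # which is what a least-privilege review of LAPS access needs to see.
    Find-LapsADExtendedRights -Identity $OrganizationalUnit |
        Select-Object ObjectDN, ExtendedRightHolders
}

# Usage with constructed values (OU DN and SID as in the examples above):
Grant-LapsReadPermissionSafely -OrganizationalUnit 'OU=LapsTestOU,DC=laps,DC=com' `
    -Principals @('laps.com\LapsAdmin1', 'S-1-5-21-2889755270-1324585639-743026605-1215') -WhatIf
```

Run it once with `-WhatIf` to see the intended change, then without it to apply; the final listing is the evidence to keep with the change record.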

## Parameters

### -AllowedPrincipals

Specifies the names of the users or groups that should be granted the permission. Users or groups may be specified in either name or SID format. If specified in name format, the name must always include the identifying domain name portion unless the name maps to a well-known or built-in account.

- Type: [String](https://learn.microsoft.com/en-us/dotnet/api/system.string)\[\]
- Position: Named
- Default value: None
- Required: True
- Accept pipeline input: False
- Accept wildcard characters: False

### -Confirm

Prompts you for confirmation before running the cmdlet.

- Type: [SwitchParameter](https://learn.microsoft.com/en-us/dotnet/api/system.management.automation.switchparameter)
- Aliases: cf
- Position: Named
- Default value: None
- Required: False
- Accept pipeline input: False
- Accept wildcard characters: False

### -Credential

Specifies the credentials to use when updating AD. If not specified, the current user's credentials are used.

- Type: [PSCredential](https://learn.microsoft.com/en-us/dotnet/api/system.management.automation.pscredential)
- Position: Named
- Default value: None
- Required: False
- Accept pipeline input: False
- Accept wildcard characters: False

### -Domain

Specifies the name of the domain to connect to.

- Type: [String](https://learn.microsoft.com/en-us/dotnet/api/system.string)
- Position: Named
- Default value: None
- Required: False
- Accept pipeline input: False
- Accept wildcard characters: False

### -DomainController

Specifies the name of the domain controller to connect to.

- Type: [String](https://learn.microsoft.com/en-us/dotnet/api/system.string)
- Position: Named
- Default value: None
- Required: False
- Accept pipeline input: False
- Accept wildcard characters: False

### -Identity

Specifies the name of the OU to update.

This parameter accepts several different name formats that influence the criteria used in the resultant AD search. The supported name formats are as follows:

- distinguishedName (begins with a `CN=`)
- name (for all other inputs)

Setting permissions on the domain root is only supported using the distinguishedName input format, for example 'DC=laps,DC=com'.
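Because a plain name is matched by an AD search while the domain root must be passed as a distinguishedName, it is worth resolving every target to a DN before calling the cmdlet. The helper below is an added example, not code from the documentation; it assumes the ActiveDirectory module (`Get-ADDomain`, `Get-ADOrganizationalUnit`) is available, and the function name, the `DomainRoot` keyword and the OU names in the usage line are constructed for illustration.

```powershell
# Added example (not from the docs page): resolve OU targets to distinguishedNames,
# including the domain root, then feed them to the cmdlet through the pipeline.
# Assumes the ActiveDirectory module is loaded.

function Resolve-LapsTargetDN {
    param([Parameter(Mandatory)] [string] $Target)  # OU name, a DN, or the keyword 'DomainRoot'

    if ($Target -eq 'DomainRoot') {
        # The domain root is only accepted as a DN, e.g. 'DC=laps,DC=com'.
        return (Get-ADDomain).DistinguishedName
    }
    if ($Target -match '^(OU|CN|DC)=') {
        return $Target                              # already a distinguishedName
    }
    # Otherwise treat the input as an OU name and insist on exactly one match,
    # so permissions never land on an unintended OU with the same name.
    $matches = @(Get-ADOrganizationalUnit -Filter { Name -eq $Target })
    if ($matches.Count -ne 1) {
        throw "OU name '$Target' matched $($matches.Count) objects; pass a distinguishedName instead."
    }
    return $matches[0].DistinguishedName
}

# -Identity accepts pipeline input (see the parameter table), so several targets
# can be handled in one call. Values below are constructed for the example.
@('LapsTestOU', 'OU=Servers,DC=laps,DC=com', 'DomainRoot') |
    ForEach-Object { Resolve-LapsTargetDN -Target $_ } |
    Set-LapsADReadPasswordPermission -AllowedPrincipals 'laps.com\LapsAdmins' -WhatIf
```

Remove `-WhatIf` once the listed DNs are the ones you expect; granting the read right at the domain root covers every computer in the domain, so that target in particular deserves a second look before the dry run is turned into a real change.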

- Type: [String](https://learn.microsoft.com/en-us/dotnet/api/system.string)\[\]
- Position: Named
- Default value: None
- Required: True
- Accept pipeline input: True
- Accept wildcard characters: False

### -WhatIf

Shows what would happen if the cmdlet runs. The cmdlet isn't run.

- Type: [SwitchParameter](https://learn.microsoft.com/en-us/dotnet/api/system.management.automation.switchparameter)
- Aliases: wi
- Position: Named
- Default value: None
- Required: False
- Accept pipeline input: False
- Accept wildcard characters: False

## Inputs

**[String](https://learn.microsoft.com/en-us/dotnet/api/system.string)\[\]**

## Outputs

**[Object](https://learn.microsoft.com/en-us/dotnet/api/system.object)**

## Related Links

- [Windows LAPS Overview](https://go.microsoft.com/fwlink/?linkid=2233901)