How will Active Roles handle the ms-Mcs-AdmPwd attribute which is present after implementing LAPS?
In versions of Active Roles prior to Active Roles 7.1, Active Roles would only grant access to a confidential attribute if a trustee had native Extended Rights permissions on the attribute. Handling this was cumbersome: a special Access Template needed to be created using a script which had to be synchronized to Active Directory for all desired delegates.
In Active Roles 7.1, this functionality was changed and Active Roles now handles all confidential attributes as if they were standard attributes. This means that if a delegate has View All Properties granted in Active Roles via any Access Template, they will be able to view the values stored in the ms-Mcs-AdmPwd attribute.
Blocking Access to a Confidential Attribute (such as ms-Mcs-AdmPwd)
This is best achieved using an Access Template which leverages an Access Rule.
NOTE: Active Roles Admins ignore all Access Templates, including the one described below. Ensure that this functionality is tested using an Active Roles User.
1) Creating the Access Template:
2) Creating the Access Rule: