How does Active Roles handle the LAPS ms-Mcs-AdmPwd attribute? (4336879)

How will Active Roles handle the ms-Mcs-AdmPwd attribute which is present after implementing LAPS?

In versions of Active Roles prior to Active Roles 7.1, Active Roles would only grant access to a confidential attribute if a trustee had native Extended Rights permissions on the attribute. Handling this was cumbersome: a special Access Template needed to be created using a script which had to be synchronized to Active Directory for all desired delegates.

In Active Roles 7.1, this functionality was changed and Active Roles now handles all confidential attributes as if they were standard attributes. This means that if a delegate has View All Properties granted in Active Roles via any Access Template, they will be able to view the values stored in the ms-Mcs-AdmPwd attribute.

Blocking Access to a Confidential Attribute (such as ms-Mcs-AdmPwd)

This is best achieved using an Access Template which leverages an Access Rule.

NOTE: Active Roles Admins ignore all Access Templates, including the one described below. Ensure that this functionality is tested using an Active Roles User.

1) Creating the Access Template:

1. In the Active Roles Console, create a new Access Template under Configuration/Access Templates called Block LAPS
2. In this Access Template, click Add | Only the following classes and select Computer, then click Next
3. Select Object Property Access and check off Read properties, Write properties, and Deny permission
4. Select The following properties and check off ms-Mcs-AdmPwd, select Next, and then Finish

​

2) Creating the Access Rule:

1. Create a new Access Rule under Configuration/Access Rules called Grant Access to LAPS
2. Add an Insert condition to this Access Rule as follows : User Claim | Group
3. Change the conditional from member of any to not member of any
4. Set Define value to compare to... to the desired delegated group then click OK and Finish
5. Delegate access on the root of the domain to Everyone using the Block LAPS Access Template
6. After linking the Access Template, modify it with the Grant Access to LAPS Access Rule