Policy
Configure authorized password decryptors
Configure this setting to control the specific user or group who is authorized to decrypt encrypted passwords. Configuring this setting has no effect unless password encryption has been enabled. If this setting is enabled, encrypted passwords will be decryptable by the specified group. If this setting is disabled or not configured, encrypted passwords will be decryptable by the Domain Admins group. This setting must be configured with either a domain-qualified name of a group or user, or a SID in string format. Valid examples include: contoso\LAPSAdmins lapsadmins@contoso.com S-1-5-21-2127521184-1604012920-1887927527-35197 Do not enclose the user\group name or SID in enclosing quotes or parentheses. The specified user or group must be resolvable by the managed device, otherwise passwords will not be backed up. NOTE: this setting is ignored when Directory Services Repair Mode (DSRM) account passwords are backed up on a domain controller. In that scenario, this setting always defaults to the Domain Admins group of the domain controller's domain. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.
ca78c8ad8a24 LAPS_ADPasswordEncryptionPrincipal Registry
Copy registry mappings
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\ADPasswordEncryptionPrincipalPolicy notes
Configure this setting to control the specific user or group who is authorized to decrypt encrypted passwords. Configuring this setting has no effect unless password encryption has been enabled. If this setting is enabled, encrypted passwords will be decryptable by the specified group. If this setting is disabled or not configured, encrypted passwords will be decryptable by the Domain Admins group. This setting must be configured with either a domain-qualified name of a group or user, or a SID in string format. Valid examples include: contoso\LAPSAdmins lapsadmins@contoso.com S-1-5-21-2127521184-1604012920-1887927527-35197 Do not enclose the user\group name or SID in enclosing quotes or parentheses. The specified user or group must be resolvable by the managed device, otherwise passwords will not be backed up. NOTE: this setting is ignored when Directory Services Repair Mode (DSRM) account passwords are backed up on a domain controller. In that scenario, this setting always defaults to the Domain Admins group of the domain controller's domain. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.