Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You discover that the members of a group named FinanceAdministrators can view the password of the local
Administrator accounts on the servers in an
organizational unit (OU) named FinanceServers.
You need to prevent the FinanceAdministrators members from viewing the local administrators’ passwords on
the servers in FinanceServers.
Which permission should you remove from FinanceAdministrators?
A.
List contents
B.
All extended rights
C.
Read all properties
D.
Read permissions
Explanation:
https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-lapsimplementation-hints-and-security-nerd-commentaryincludingmini-threat-model/
Access to the password is granted via the “Control Access” right on the attribute.
Control Access is an “Extended Right” in Active Directory, which means if a user has been granted the “All
Extended Rights” permission they’ll be able to see
passwords even if you didn’t give them permission.