
Cornell University

Enable an AD Group to Grant LAPS Password Reader Permission

This document describes how to designate an AD group by toggling an attribute to grant LAPS password reader permission in Entra.

This article applies to: Active Directory Management, Authentication

  • The ability to enable a group for LAPS permission is granted to Primary Admins only. Please see Primary vs. Delegated DoCID | IT@Cornell for an explanation of permission differences.
  • The attribute 'edsvaOIT-isLAPSEnabled' is a virtual attribute in Active Roles. This attribute does not exist in AD.
  • You must connect to Active Roles Service with your Primary DoC account as 'proxy' (connect-qadservice -proxy) in order to access this (or any) virtual attribute using PowerShell.
  • It may take up to an hour for any changes made to the AD group to sync to Entra.

Enable AD Group for LAPS Use

In September 2025, CIT created LAPS groups in the CentralObjects OU for each DelegatedObjects OU. The groups use the naming convention prefix-LAPS-readers. Use the steps below to enable a group for LAPS use.

  1. Log on to the Quest ARS Console with a Primary DoC account.
  2. Navigate to DelegatedObjects > Your unit > CentralObjects.
  3. Right-click on prefix-LAPS-readers group, then Properties.
  4. Select the Object tab and go to Advanced Properties.
  5. In the Look for property field, enter laps. Make sure both boxes in the Advanced Properties window are checked.
  6. Double-click on the edsvaOIT-isLAPSEnabled property and set the Boolean value to TRUE.
[Screenshot: LAPS Advanced Properties and Edit Attribute windows.]
  7. Click OK on each window to set the property value for the group.
  8. Add users who should have LAPS password access as members of this group.
  9. Wait one hour for the changes to sync with Entra.

Disable a LAPS Group

To disable an AD group previously designated for LAPS use, clear TRUE from the edsvaOIT-isLAPSEnabled virtual attribute or set it to FALSE. This removes the members of the AD group from the LAPS password reader role in Entra ID.

Using Active Roles PowerShell Cmdlet

To set edsvaOIT-isLAPSEnabled attribute using PowerShell, use the following command:

Set-QADGroup -Identity 'prefix-LAPS-readers' -ObjectAttributes @{'edsvaOIT-isLAPSEnabled' = $true}

Note: you must connect to the ARS service as 'proxy' to modify the attribute, e.g. connect-qadservice -proxy. Because the attribute is virtual, a session opened directly against a domain controller will not expose it.
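The console steps above, the disable step, and the single Set-QADGroup command all change the same virtual attribute, so an admin can wrap them in one script that also reads the value back and lists who currently holds reader access. The following is an added example, not code from this page or from One Identity/Quest. It assumes the Active Roles module is named ActiveRolesManagementShell, that Get-QADGroup accepts -IncludedProperties, and that Add-QADGroupMember and Get-QADGroupMember are available as in the standard Active Roles cmdlet set; the script name and its parameters are hypothetical.

```powershell
<#
Added example (not from the Cornell KB page or from Quest/One Identity).
Enables or disables the edsvaOIT-isLAPSEnabled virtual attribute on a
prefix-LAPS-readers group through Active Roles, verifies the write, optionally
adds members, and prints the resulting membership for review.

Usage (hypothetical script name):
  .\Set-LapsReaderGroup.ps1 -GroupName 'prefix-LAPS-readers' -Members 'netid1','netid2'
  .\Set-LapsReaderGroup.ps1 -GroupName 'prefix-LAPS-readers' -Disable
#>
param(
    [Parameter(Mandatory)] [string]   $GroupName,   # e.g. 'prefix-LAPS-readers'
    [string[]] $Members = @(),                      # optional users to add as LAPS readers
    [switch]   $Disable                             # set the attribute to FALSE instead of TRUE
)

# Assumption: the Active Roles PowerShell module is installed under this name.
Import-Module ActiveRolesManagementShell -ErrorAction Stop

# The attribute exists only in Active Roles, not in AD, so the session must go
# through the ARS service as 'proxy' (run this with a Primary DoC account).
Connect-QADService -Proxy | Out-Null

$attr    = 'edsvaOIT-isLAPSEnabled'
$desired = -not $Disable.IsPresent

# Write the virtual attribute; $true/$false map to the TRUE/FALSE Boolean value
# shown in the Advanced Properties dialog.
Set-QADGroup -Identity $GroupName -ObjectAttributes @{ $attr = $desired } | Out-Null

# Read the value back through ARS so the script fails loudly if the write did not
# take effect (for example, when the session was not opened as proxy).
# Assumption: -IncludedProperties is the parameter that pulls extra attributes.
$group  = Get-QADGroup -Identity $GroupName -IncludedProperties $attr
$actual = [bool] $group.$attr
if ($actual -ne $desired) {
    throw "Expected $attr to be $desired on $GroupName but read back $actual."
}

# Only add members when enabling; when disabling, leave membership untouched so
# the same people regain access if the group is re-enabled later.
if ($desired -and $Members.Count -gt 0) {
    Add-QADGroupMember -Identity $GroupName -Member $Members | Out-Null
}

# Membership of this group is effectively the LAPS password reader role in Entra
# once it syncs, so show it for review after every change.
Write-Host "$GroupName : $attr = $actual (Entra sync may take up to an hour)"
Get-QADGroupMember -Identity $GroupName | Select-Object Name, Type
```

Running the verification step after the write is the useful part: a session that was not opened with -Proxy will not expose the virtual attribute, and reading it back catches that before anyone waits an hour for an Entra sync that will never carry the change.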
