Your network contains an Active Directory domain named contoso.com. The domain contains 100 servers.
You deploy the Local Administrator Password Solution (LAPS) to the network.
You discover that the members of a group named FinanceAdministartors can view the password of the local Administrator accounts on the servers in an organizational unit (OU) named FinanceServers.
You need to prevent the FinanceAdministartors members from viewing the local administrators ‘passwords on the servers in FinanceServers. Which permission should you remove from FinanceAdministartors?
A. all extended rights
B. read all properties
C. read permissions
D. list contents
given answer is correct.
https://blogs.technet.microsoft.com/askpfeplat/2015/12/28/local-administrator-password-solution-laps-implementation-hints-and-security-nerd-commentaryincluding-mini-threat-model/
Access to the password is granted via the “Control Access” right on the attribute.
Control Access is an “Extended Right” in Active Directory, which means if a user has been granted the “All Extended Rights” permission they’ll be able to see passwords even if you didn’t give them permission.
correct