I tried to create an access template for granting self write access to the ms-Mcs-AdmPwd attributes and it seemed to do nothing. I had to manually set the rights using PowerShell. It would be so much easier to do this with an ARS Access Template. This is from the Microsoft LAPS technical documentation:
The Write permission on the ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd attributes of all computer accounts has to be added to the SELF built-in account. This is required so the machine can update the password and expiration timestamp of its own managed local Administrator password. This is done using PowerShell. You may need to run Import-module AdmPwd.PS if <name of the OU to delegate permissions>
Repeat this procedure for any additional OUs that contain computer accounts that are in scope of the solution and are not subcontainers of already processed containers.
I created a template that set Allow Write ms-Mcs-AdmPwd, Apply to Computer, Trustee NT Authority\Self, Directory Object of the OU with Servers that I wanted LAPS installed on.
What did I do wrong?
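An added example (not from the post or the Microsoft documentation) of checking whether an OU's ACL carries the SELF write ACEs the quoted documentation calls for, on both ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. The function name, the two attribute GUIDs and the sample ACE are constructed placeholders; the computer class GUID is assumed to be the standard schema value.

```powershell
# Added example. Attribute GUIDs and the sample ACE are constructed placeholders;
# in a real forest, read each attribute's schemaIDGUID from the schema partition.
Add-Type -AssemblyName System.DirectoryServices

$attrGuid = [ordered]@{
    'ms-Mcs-AdmPwd'               = [guid]'11111111-1111-1111-1111-111111111111'
    'ms-Mcs-AdmPwdExpirationTime' = [guid]'22222222-2222-2222-2222-222222222222'
}
# schemaIDGUID of the "computer" class (assumed standard AD schema value).
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Hypothetical helper: reports, per attribute, whether an Allow/WriteProperty ACE
# for NT AUTHORITY\SELF exists that is scoped to computer objects.
function Test-LapsSelfWrite {
    param(
        [object[]]$Aces,
        [System.Collections.IDictionary]$AttrGuid,
        [guid]$ComputerClass
    )
    $wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $result = [ordered]@{}
    foreach ($name in $AttrGuid.Keys) {
        $match = $Aces | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $wp) -eq $wp) -and
            $_.ObjectType -eq $AttrGuid[$name] -and
            $_.InheritedObjectType -eq $ComputerClass
        }
        $result[$name] = [bool]$match
    }
    [pscustomobject]$result
}

# Constructed sample: an ACL holding a SELF write ACE for ms-Mcs-AdmPwd only.
$self = [System.Security.Principal.NTAccount]'NT AUTHORITY\SELF'
$sampleAces = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self, $write,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid['ms-Mcs-AdmPwd'],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass)
)

# Against a real OU (needs the ActiveDirectory module), pass instead:
#   (Get-Acl "AD:\<distinguished name of the OU>").Access
Test-LapsSelfWrite -Aces $sampleAces -AttrGuid $attrGuid -ComputerClass $computerClass
```

With the constructed sample, the output reports True for ms-Mcs-AdmPwd and False for ms-Mcs-AdmPwdExpirationTime, which is the gap this check is meant to surface.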