LAPS

Microsoft Local Administrator Password Solution (LAPS)Active Directory Security
LogoMicrosoft LAPS Install and Setup GuideActive Directory Pro

Commands:

#Import LAPs module
import-module ADMPwd.ps

#Allow computers 
Set-AdmPwdComputerSelfPermission -OrgUnit "Workstation"

#Set read rights for admin passwords
Set-AdmPwdReadPasswordPermission -Identity "ADPro Computers" -AllowedPrincipals "it_wrk_admins"

#Display users who have rights to read
Find-AdmPwdExtendedRights -Identity "ADPro Computers"

#Show password for host
Get-AdmPwdPassword HOST

Schema Attributes:

  • ms-Mcs-AdmPwd – This attribute saves the computer’s administrator password.

  • ms-Mcs-AdmPwdExpirationTime – This attribute saves the password expiration timestamp.

Display Password:

Can be seen in LAPS UI
Attribute of Workstation
Display in PS

Abusing LAPS:

LogoLAPSHackTricks

Forensics:

LogoLAPS logging and SplunkCyberSecThreat
PreviousRestricted Admin ModeNextAttacks

Last updated