LAPS

Microsoft Local Administrator Password Solution (LAPS)Active Directory Security

Microsoft LAPS Install and Setup GuideActive Directory Pro

Commands:

#Import LAPs module
import-module ADMPwd.ps

#Allow computers 
Set-AdmPwdComputerSelfPermission -OrgUnit "Workstation"

#Set read rights for admin passwords
Set-AdmPwdReadPasswordPermission -Identity "ADPro Computers" -AllowedPrincipals "it_wrk_admins"

#Display users who have rights to read
Find-AdmPwdExtendedRights -Identity "ADPro Computers"

#Show password for host
Get-AdmPwdPassword HOST

Schema Attributes:

• ms-Mcs-AdmPwd – This attribute saves the computer’s administrator password.

• ms-Mcs-AdmPwdExpirationTime – This attribute saves the password expiration timestamp.

Display Password:

Can be seen in LAPS UI

Attribute of Workstation

Display in PS

Abusing LAPS:

LAPSHackTricks

Forensics:

LAPS logging and SplunkCyberSecThreat