We have been using LAPS for the last year or so and for the most part it is a great tool for managing local administrator passwords.
In our environment we have multiple forests with trust relationships, and the one main issue we have is that the LAPS UI client can't check the local admin password of devices in other domains unless we log on as a user in that domain and run the LAPS UI as that user.
We can use PowerShell instead, but this requires either running the commands from a device in the target domain that has the LAPS PowerShell module installed, or using a remote PS session. Neither is something everyone on the service desk would know how to do or have the rights to do.
Enter-PSSession dc.domain.local
Get-AdmPwdPassword -ComputerName "computer" | Select-Object Password,ExpirationTimestamp
We could also read the AD attributes directly using the Get-ADComputer cmdlet, but this requires the Active Directory PowerShell module.
Get-ADComputer -Identity "computer" -Server "DC" -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime | Select-Object ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime
I wanted to try to create a script that would allow them to check the other domains without needing to know how to do PS remoting or having modules installed.
To avoid the AD module we will use an ADSI search instead, as this is a default part of PowerShell. I used the blog below to get started.
To query the remote domain using the ADSI searcher we first need a way of converting the DNS domain name into the directory entry that the searcher requires.
This can be done using the DirectoryContext and Domain classes:
System.DirectoryServices.ActiveDirectory.DirectoryContext
System.DirectoryServices.ActiveDirectory.Domain
DirectoryContext Class (System.DirectoryServices.ActiveDirectory) | Microsoft Docs
The first part of the script gets the domain details and returns the domain's directory entry to the search variable.
In the next part we filter the results based on the client variable to return only the required computer's details.
Once the script was working, I just needed to add some mandatory parameters and wrap it in a function called Check-LAPS so that it's easier for people to use without having to hardcode anything in the script, and so that it has some help and examples.
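The steps above (resolve the domain via DirectoryContext, search it with ADSI, read the two LAPS attributes) as one complete function. This is an added example, not the Check-LAPS script from the post or the author's GitHub; the function name Get-LapsPasswordAdsi and the domain and computer names in the usage line are assumptions. It also handles the case the post's steps gloss over: when the caller has no "Read ms-Mcs-AdmPwd" delegation in the target domain, or LAPS has never written to that computer, ADSI returns empty attribute collections rather than an access-denied error, so the values are checked before parsing.

```powershell
# Added example, not the post's own script: read legacy LAPS attributes from a
# trusted domain using only ADSI (System.DirectoryServices), with no
# ActiveDirectory or AdmPwd module required. Reading ms-Mcs-AdmPwd still
# needs the normal LAPS read delegation in the target domain; this script
# cannot bypass that ACL, it only avoids the module/remoting prerequisites.
function Get-LapsPasswordAdsi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$DomainName,    # DNS name of the trusted domain (assumed)
        [Parameter(Mandatory)] [string]$ComputerName   # sAMAccountName, trailing $ optional
    )

    # Resolve the DNS domain name to a Domain object across the trust, so the
    # LDAP root is discovered instead of hard-coding DCs or distinguished names.
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $root   = $domain.GetDirectoryEntry()

    # Escape LDAP filter metacharacters (RFC 4515) so a pasted computer name
    # cannot change the filter; backslash must be escaped first.
    $safeName = $ComputerName.TrimEnd('$') -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$safeName`$))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'))

    $result = $searcher.FindOne()
    if (-not $result) {
        throw "Computer '$ComputerName' was not found in domain '$($domain.Name)'."
    }

    # ResultPropertyCollection lookups are case-insensitive. Both LAPS
    # attributes come back as empty collections when the caller lacks read
    # rights on the confidential attribute or LAPS never ran on the host.
    $adminPwd = $result.Properties['ms-mcs-admpwd']
    $expRaw   = $result.Properties['ms-mcs-admpwdexpirationtime']

    $expiry = $null
    if ($expRaw.Count -gt 0 -and "$($expRaw[0])" -match '^\d+$') {
        # The expiry is a Windows FILETIME (100 ns ticks since 1601-01-01).
        # Guarding on Count avoids a FormatException from an empty value.
        $expiry = [DateTime]::FromFileTime([Int64]$expRaw[0])
    }

    [pscustomobject]@{
        Computer   = $result.Properties['name'][0]
        Domain     = $domain.Name
        Password   = if ($adminPwd.Count -gt 0) { $adminPwd[0] } else { $null }
        Expiration = $expiry
        Readable   = ($adminPwd.Count -gt 0)   # $false means no rights or no LAPS data
    }
}

# Usage (hypothetical names):
# Get-LapsPasswordAdsi -DomainName 'child.domain.local' -ComputerName 'PC01'
```

The Readable flag is worth surfacing in any GUI built on top of this: an empty password with Readable set to $false tells the service desk that the delegation is missing in that domain, which is a very different support case from a computer that simply has no LAPS data yet.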
Below is the link to the full script.
Scripts/ActiveDirectory/LAPS at master · TheSleepyAdmin/Scripts (github.com)
Below shows how the script is run and the results.
I used the above script with WPF to create a GUI that is now compiled into an exe. I thought this would be a lot easier to hand to the service desk, as all they need to do is run the exe.
This was compiled using the ps2exe PowerShell module.
MScholtes/PS2EXE: Module to compile powershell scripts to executables (github.com)
All they need to do is put in the domain name and computer name.
This should then return the LAPS password.
I will do a separate post on creating the GUI itself, as this was my first GUI and I would like to create a few others.
Thanks for your script, I have used it & modified the WPF part of it to get drop-down list of domains and added cancel button.
Hi Sabeel
Thanks for the feedback. I left it using text as I thought it would be easier for people to use instead of having to hard code domains in the WPF. Didn't think to add a cancel button; might give that a go, makes sense to have one.
Hi Sabeel,
Can you share your modification with the drop-down list of domains.
I have added credentials fields and I'm searching for the best way to do a drop-down list.
I have seen some Combobox parameters but I'm not really comfortable using them.
Hello TheSleepyAdmin
Great script, very useful.
Can you send me the WPF file in order to modify the design?
Thank you so much.
Hi Maxweb
I have put the original script with the wpf on github.
https://github.com/TheSleepyAdmin/Scripts/blob/master/ActiveDirectory/LAPS/LAPSClient.ps1
Thanks man…just what I needed 🙂
Ah, this is absolutely perfect for me as I’ve begun the transition to purely AADJ managed devices that LAPS didn’t know how to query the domain. It’s amazing that Microsoft can’t spare an intern for an hour or two to make such an adjustment to the official client.
Hello, I still have a problem.
I receive this error message all the time:
Exception calling “Parse” with “1” argument(s): “Nieprawidłowy format ciągu wejściowego.”
At line:22 char:22
+ … 1.text = “$([DateTime]::FromFileTime([Int64]::Parse($comp.Properties. …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : FormatException
Can you help me?
Hi Woyciech
I have not seen this issue before. What command are you running when it fails?