Get-LapsADPassword

Queries Windows Local Administrator Password Solution (LAPS) credentials from Active Directory (AD) on a specified AD computer or domain controller object.

Syntax

Get-LapsADPassword
   [-Credential <PSCredential>]
   [-DecryptionCredential <PSCredential>]
   [-IncludeHistory]
   [-AsPlainText]
   [-Identity] <String[]>
   [<CommonParameters>]
Get-LapsADPassword
   [-Credential <PSCredential>]
   [-DecryptionCredential <PSCredential>]
   [-IncludeHistory]
   [-AsPlainText]
   [-Identity] <String[]>
   -Domain <String>
   [<CommonParameters>]
Get-LapsADPassword
   [-Credential <PSCredential>]
   [-DecryptionCredential <PSCredential>]
   [-IncludeHistory]
   [-AsPlainText]
   [-Identity] <String[]>
   -DomainController <String>
   [<CommonParameters>]
Get-LapsADPassword
   [-Credential <PSCredential>]
   [-DecryptionCredential <PSCredential>]
   [-IncludeHistory]
   [-AsPlainText]
   -Port <Int32>
   [-Identity] <String[]>
   [-DomainController <String>]
   [<CommonParameters>]
Get-LapsADPassword
   [-IncludeHistory]
   [-AsPlainText]
   [-RecoveryMode]
   [-Identity] <String[]>
   [<CommonParameters>]
Get-LapsADPassword
   [-IncludeHistory]
   [-AsPlainText]
   [-RecoveryMode]
   -Port <Int32>
   [-Identity] <String[]>
   [<CommonParameters>]

Description

The Get-LapsADPassword cmdlet allows administrators to retrieve LAPS passwords and password history for an Active Directory computer or domain controller object. Depending on policy configuration, LAPS passwords may be stored in either clear-text form or encrypted form. The Get-LapsADPassword cmdlet automatically decrypts encrypted passwords when the caller (or the account supplied with -DecryptionCredential) is a member of the authorized decryptor principal; otherwise the object is still returned, but DecryptionStatus reports Unauthorized and the Account and Password fields are empty. Read access to the encrypted attribute and the right to decrypt it are therefore separate things, and a successful query doesn't by itself mean a usable password was obtained.

The Get-LapsADPassword cmdlet may also be used to connect to a mounted AD snapshot.

The Verbose parameter may be used to get additional information about the cmdlet's operation.

Examples

Example 1

Get-LapsADPassword LAPSCLIENT

ComputerName        : LAPSCLIENT
DistinguishedName   : CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com
Account             : Administrator
Password            : System.Security.SecureString
PasswordUpdateTime  : 4/9/2023 10:03:41 AM
ExpirationTimestamp : 4/14/2023 10:03:41 AM
Source              : CleartextPassword
DecryptionStatus    : NotApplicable
AuthorizedDecryptor : NotApplicable

This example demonstrates querying the current LAPS password for the LAPSCLIENT computer in the current domain. The password was stored in AD in clear-text form and didn't require decryption. The password was returned wrapped in a SecureString object.
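For most automation the password never needs to become a plain string at all: the SecureString returned by default can be placed directly into a PSCredential. The following function is an added example, not code from the original page or from the LAPS module. It turns a Get-LapsADPassword result into a credential for the managed local account and refuses results that carry no usable password. The function name New-LapsCredential and the -DefaultAccount fallback are assumptions for illustration; the fallback is only consulted for legacy-mode results, whose Account field is empty (see Example 6).

```powershell
# Added example: not part of the LAPS module or the original documentation.
# Assumes the LAPS module is installed and the caller can read the LAPS
# attributes on the target computer object.

function New-LapsCredential {
    <#
    .SYNOPSIS
    Builds a PSCredential from a Get-LapsADPassword result without
    materialising the password as a plain string.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $LapsResult,

        # Legacy LAPS results carry no Account field; this name is assumed in that
        # case. Adjust it if legacy LAPS manages a custom account on the device.
        [string] $DefaultAccount = 'Administrator'
    )
    process {
        # 'Unauthorized' (and any other failure) leaves Password empty; fail loudly
        # rather than silently building a credential with a blank password.
        if ($LapsResult.DecryptionStatus -notin @('Success', 'NotApplicable')) {
            throw ('No usable password for {0}: DecryptionStatus={1}, AuthorizedDecryptor={2}' -f
                $LapsResult.ComputerName, $LapsResult.DecryptionStatus, $LapsResult.AuthorizedDecryptor)
        }

        # The SecureString default is the normal path; tolerate -AsPlainText output too.
        $secret = $LapsResult.Password
        if ($secret -is [string]) {
            if ([string]::IsNullOrEmpty($secret)) { throw "Password for $($LapsResult.ComputerName) is empty" }
            $secret = ConvertTo-SecureString -String $secret -AsPlainText -Force
        }
        elseif ($secret -isnot [securestring] -or $secret.Length -eq 0) {
            throw "Password for $($LapsResult.ComputerName) is empty"
        }

        $account = if ([string]::IsNullOrEmpty($LapsResult.Account)) { $DefaultAccount } else { $LapsResult.Account }

        # Qualify the user name with the computer name so the logon is resolved
        # against the local SAM of the target rather than the domain.
        [pscredential]::new("$($LapsResult.ComputerName)\$account", $secret)
    }
}

# Usage: the SecureString default is all that is needed; no -AsPlainText.
$cred = Get-LapsADPassword -Identity LAPSCLIENT | New-LapsCredential
Invoke-Command -ComputerName LAPSCLIENT -Credential $cred -ScriptBlock { whoami }
```

Because the credential object holds the SecureString, the clear-text password never appears in the transcript, in command history, or in a variable dump, which is the reason the cmdlet wraps it in the first place.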

Example 2

Get-LapsADPassword -Identity LAPSCLIENT -DomainController lapsDC -AsPlainText

ComputerName        : LAPSCLIENT
DistinguishedName   : CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com
Account             : Administrator
Password            : k8P]Xl5T-ky!aj4s21el3S#.x44!e{8+,{L!M
PasswordUpdateTime  : 4/9/2023 10:03:41 AM
ExpirationTimestamp : 4/14/2023 10:03:41 AM
Source              : CleartextPassword
DecryptionStatus    : NotApplicable
AuthorizedDecryptor : NotApplicable

This example demonstrates querying the current LAPS password on a specific domain controller (lapsDC), for the LAPSCLIENT computer, requesting that the password be displayed in clear-text form. The password was stored in AD in clear-text form and didn't require decryption. The password was returned in clear-text form.

Example 3

Get-LapsADPassword -Identity LAPSCLIENT2 -Domain laps.com -AsPlainText -IncludeHistory

ComputerName        : LAPSCLIENT2
DistinguishedName   : CN=LAPSCLIENT2,OU=LapsTestEncryptedOU,DC=laps,DC=com
Account             : Administrator
Password            : q64!7KI3BOe/&S%buM0nBaW{B]261zN5L0{;{
PasswordUpdateTime  : 4/9/2023 9:39:38 AM
ExpirationTimestamp : 4/14/2023 9:39:38 AM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : LAPS\LAPS Admins

ComputerName        : LAPSCLIENT2
DistinguishedName   : CN=LAPSCLIENT2,OU=LapsTestEncryptedOU,DC=laps,DC=com
Account             : Administrator
Password            : O{P61q6bu(3kZ6&#p2y.&F$cWd;0dm8!]Wl5j
PasswordUpdateTime  : 4/9/2023 9:38:10 AM
ExpirationTimestamp :
Source              : EncryptedPasswordHistory
DecryptionStatus    : Success
AuthorizedDecryptor : LAPS\LAPS Admins

This example demonstrates querying the current LAPS password and the password history (-IncludeHistory) for the LAPSCLIENT2 computer, in a specific AD domain (laps.com), requesting that the passwords be displayed in clear-text form. Both the current password and the older one were stored in AD in encrypted form and were successfully decrypted, because the caller is a member of the authorized decryptor group (LAPS\LAPS Admins). The history entry is distinguished by its Source value (EncryptedPasswordHistory).

Note

ExpirationTimestamp is always empty for any older LAPS passwords returned.
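The fields shown in Examples 1 through 3 (Source, DecryptionStatus, AuthorizedDecryptor, PasswordUpdateTime, ExpirationTimestamp) are enough to audit LAPS health across an OU without ever displaying a password. The following report function is an added example, not code from the original page or from the LAPS module. It assumes the ActiveDirectory module is installed for Get-ADComputer, and the function and parameter names are illustrative. A current password whose ExpirationTimestamp is already in the past means the LAPS client on that device has not rotated it, which is worth investigating; an Unauthorized status means the querying account can read the blob but not decrypt it.

```powershell
# Added example: not part of the LAPS module or the original documentation.
# Assumes the ActiveDirectory module (Get-ADComputer) and the LAPS module are
# installed and that the caller can read the LAPS attributes on the computer
# objects under $SearchBase.

function Get-LapsRotationReport {
    <#
    .SYNOPSIS
    Reports, per computer, whether the current LAPS password is decryptable by the
    caller, whether it is past its ExpirationTimestamp, its age, and how many
    history entries exist. Passwords stay as SecureStrings and are not reported.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=LapsTestOU,DC=laps,DC=com'
        [string] $Domain,
        [datetime] $Now = (Get-Date)
    )

    $lapsArgs = @{ IncludeHistory = $true; ErrorAction = 'Stop' }
    if ($Domain) { $lapsArgs['Domain'] = $Domain }

    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        try {
            # distinguishedName is the unambiguous -Identity form.
            $entries = @(Get-LapsADPassword -Identity $computer.DistinguishedName @lapsArgs)
        }
        catch {
            # Typically: no LAPS attributes on this object, or no read permission.
            [pscustomobject]@{
                ComputerName = $computer.Name; Status = 'NoLapsPassword'; Source = $null
                HistoryCount = 0; PasswordAgeDays = $null; Detail = $_.Exception.Message
            }
            continue
        }

        # History entries have a Source ending in 'History' and no ExpirationTimestamp.
        $history = @($entries | Where-Object { $_.Source -like '*History' })
        $current = $entries | Where-Object { $_.Source -notlike '*History' } | Select-Object -First 1

        $status = if ($null -eq $current) { 'NoCurrentPassword' }
                  elseif ($current.DecryptionStatus -eq 'Unauthorized') { 'Unauthorized' }
                  elseif ($current.ExpirationTimestamp -and $current.ExpirationTimestamp -lt $Now) { 'RotationOverdue' }
                  else { 'Ok' }

        # Legacy LAPS results have no PasswordUpdateTime, so the age is unknown there.
        $ageDays = if ($current -and $current.PasswordUpdateTime) {
            [math]::Round(($Now - $current.PasswordUpdateTime).TotalDays, 1)
        }

        [pscustomobject]@{
            ComputerName    = $computer.Name
            Status          = $status
            Source          = $current.Source
            HistoryCount    = $history.Count
            PasswordAgeDays = $ageDays
            Detail          = if ($status -eq 'Unauthorized') { "Authorized decryptor: $($current.AuthorizedDecryptor)" }
        }
    }
}

# Usage: list only the devices that need attention.
Get-LapsRotationReport -SearchBase 'OU=LapsTestOU,DC=laps,DC=com' |
    Where-Object Status -ne 'Ok' |
    Format-Table ComputerName, Status, Source, HistoryCount, PasswordAgeDays, Detail -AutoSize
```

The report deliberately omits -AsPlainText; nothing in a rotation audit requires the password value, and keeping it out of the output avoids leaving clear-text local administrator passwords in transcripts or exported CSV files.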

Example 4

Get-LapsADPassword -Identity lapsDC.laps.com -AsPlainText

ComputerName        : LAPSDC
DistinguishedName   : CN=LAPSDC,OU=Domain Controllers,DC=laps,DC=com
Account             : Administrator
Password            : 118y$rsw.3y58yG]on$Hii
PasswordUpdateTime  : 4/9/2023 10:17:51 AM
ExpirationTimestamp : 4/19/2023 10:17:51 AM
Source              : EncryptedDSRMPassword
DecryptionStatus    : Success
AuthorizedDecryptor : LAPS\Domain Admins

This example demonstrates querying the current LAPS password for the lapsDC.laps.com domain controller, requesting that the password be displayed in clear-text form. The password was stored in AD in encrypted form and was successfully decrypted.

Example 5

Get-LapsADPassword LAPSDC

ComputerName        : LAPSDC
DistinguishedName   : CN=LAPSDC,OU=Domain Controllers,DC=laps,DC=com
Account             :
Password            :
PasswordUpdateTime  : 4/9/2023 10:17:51 AM
ExpirationTimestamp : 4/19/2023 10:17:51 AM
Source              : EncryptedDSRMPassword
DecryptionStatus    : Unauthorized
AuthorizedDecryptor : LAPS\Domain Admins

This example demonstrates querying the current LAPS password for the LAPSDC domain controller when the user doesn't have permissions to decrypt the LAPS DSRM password.
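The Unauthorized result above is recoverable when the operator has a second account that is a member of the reported AuthorizedDecryptor: the query can be repeated with -DecryptionCredential while the AD read still happens as the current user. The following wrapper is an added example, not code from the original page or from the LAPS module; its name is illustrative. It returns the first result unchanged whenever decryption succeeded or was not applicable, and only prompts when the status is Unauthorized.

```powershell
# Added example: not part of the LAPS module or the original documentation.
# Assumes the current user can read the encrypted password attribute and that a
# separate account exists that is a member of the AuthorizedDecryptor principal.

function Get-LapsADPasswordWithDecryptor {
    <#
    .SYNOPSIS
    Retrieves a LAPS password; if the current user cannot decrypt it, prompts for
    an account that is a member of the reported AuthorizedDecryptor and retries
    with -DecryptionCredential.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Identity,
        [string] $DomainController,
        [switch] $AsPlainText
    )
    process {
        $common = @{ Identity = $Identity; AsPlainText = $AsPlainText; ErrorAction = 'Stop' }
        if ($DomainController) { $common['DomainController'] = $DomainController }

        # First attempt: AD read and decryption both as the current user.
        $result = Get-LapsADPassword @common
        if ($result.DecryptionStatus -ne 'Unauthorized') {
            return $result
        }

        Write-Warning "$Identity is encrypted for '$($result.AuthorizedDecryptor)'; the current user cannot decrypt it."
        $decryptor = Get-Credential -Message "Account that is a member of $($result.AuthorizedDecryptor)"
        if ($null -eq $decryptor) {
            return $result   # prompt cancelled; hand back the undecrypted record as-is
        }

        # Retry: AD read still as the current user, decryption as the supplied account.
        $retry = Get-LapsADPassword @common -DecryptionCredential $decryptor
        if ($retry.DecryptionStatus -ne 'Success') {
            throw "Decryption as $($decryptor.UserName) failed: DecryptionStatus=$($retry.DecryptionStatus)"
        }
        $retry
    }
}

# Usage (the Example 5 situation: DSRM password readable but encrypted for LAPS\Domain Admins).
Get-LapsADPasswordWithDecryptor -Identity LAPSDC
```

If no account in the authorized decryptor principal is available any more, for instance because the group was deleted, -DecryptionCredential cannot help and -RecoveryMode, run locally as a Domain Administrator on a writable domain controller, is the remaining option.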

Example 6

Get-LapsADPassword LAPSLEGACYCLIENT -AsPlainText

ComputerName        : LAPSLEGACYCLIENT
DistinguishedName   : CN=LAPSLEGACYCLIENT,OU=LegacyLapsOU,DC=laps,DC=com
Account             :
Password            : Z#x}&7BluHf3{r+C218
PasswordUpdateTime  :
ExpirationTimestamp : 5/14/2023 1:55:39 PM
Source              : LegacyLapsCleartextPassword
DecryptionStatus    : NotApplicable
AuthorizedDecryptor : NotApplicable

This example demonstrates querying the current LAPS password for the 'LAPSLEGACYCLIENT' machine which is currently running in legacy LAPS emulation mode.

Note

When querying legacy LAPS-style passwords, the Account and PasswordUpdateTime fields are always unavailable.

Example 7

Get-LapsADPassword -Identity LAPSCLIENT -Port 50000 -AsPlainText

ComputerName        : LAPSCLIENT
DistinguishedName   : CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com
Account             : Administrator
Password            : H6UycL[vj#zzTNVpS//G2{j&t9aO}k[K5l4)X
PasswordUpdateTime  : 4/15/2023 6:51:45 AM
ExpirationTimestamp : 4/20/2023 6:51:45 AM
Source              : CleartextPassword
DecryptionStatus    : NotApplicable
AuthorizedDecryptor : NotApplicable

This example demonstrates querying an AD Snapshot Browser instance for the current LAPS password for the LAPSCLIENT machine. This example assumes that the snapshot browser has been previously started on the local machine listening on LDAP port 50000; to query a snapshot browser on another host, combine -Port with -DomainController.

Parameters

-AsPlainText

Specify this parameter to return the LAPS passwords in clear-text format. The default behavior is to return the LAPS passwords wrapped in a .NET SecureString object.

Important

Using this parameter exposes the returned clear-text password to casual viewing and may pose a security risk. This parameter should be used with caution and only in support or testing situations.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Credential

Specifies a set of credentials to use when querying AD for the LAPS credentials. If not specified, the current user's credentials are used.

Type:PSCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DecryptionCredential

Specifies a set of credentials to use when decrypting encrypted LAPS credentials. If not specified, the current user's credentials are used.

Type:PSCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Domain

Specifies the name of the domain to connect to.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-DomainController

Specifies the name of the domain controller to connect to, or the remote server on which an AD Snapshot Browser is running.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Identity

Specifies the name of the computer or domain controller object to retrieve LAPS credentials from.

This parameter accepts several different name formats that influence the criteria used when searching AD for the target device. The supported name formats are as follows:

  • distinguishedName (begins with CN=)
  • samAccountName (ends with a '$', as computer account names do)
  • dnsHostName (contains at least one '.' character)
  • name (for all other inputs)

Type:String[]
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-IncludeHistory

Specifies that any older LAPS credentials on the computer object should also be displayed.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Port

Specifies the AD Snapshot Browser port to connect to.

Type:Nullable<T>[Int32]
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-RecoveryMode

This parameter provides a last-ditch option when it's no longer possible to decrypt a given LAPS credential via the normal mechanisms. For example, this might be necessary if a LAPS credential was encrypted against a group that has since been deleted.

Important

When specifying this parameter, you must be logged in locally as a Domain Administrator on a writable domain controller. -RecoveryMode can't be combined with -Credential, -DecryptionCredential, -Domain or -DomainController (see the syntax above).

Type:SwitchParameter
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String[]

Outputs

Object