This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Recently we implemented Microsoft LAPS (Local Admin Password Solution) in the enterprise. Now, we would like to figure out how we can check multiple servers to see which ones have LAPS installed and servers we potentially missed installing LAPS. Is there a third-party app or script? We do not want to go through the manual one at a time as it will be so much time.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
I think you'd use the Get-ADComputer cmdlet and verity that the ms-Mcs-AdmPwd property is present on the computer object.
Hi @Razzi29
The simplest method to check that a computer has registered a LAPS password is the query below, it will return all computer objects that don't have a LAPS password set. As this query uses the time the password was set, it can be used by a user without permissions to see the LAPS password.
(&(objectclass=computer)(!ms-Mcs-AdmPwdExpirationTime=*))
Gary.
@Gary Reynolds do I run this script on a domain controller and if so, do I just run the script as posted or I need to use the Get-ADComputer with it? Thanks
What @Gary Reynolds posted was a LDAP filter string. You can use that on the Get-ADComputer cmdlet.
No need to run it on a DC.