I think you'd use the Get-ADComputer cmdlet and verify that the ms-Mcs-AdmPwd property is present on the computer object.
Post verification LAPS client installation
Recently we implemented Microsoft LAPS (Local Admin Password Solution) in the enterprise. Now, we would like to figure out how we can check multiple servers to see which ones have LAPS installed and which servers we potentially missed installing LAPS on. Is there a third-party app or script? We do not want to go through them manually one at a time, as it would take so much time.
3 answers
Gary Reynolds 9,391 Reputation points
2022-05-15T10:33:26.677+00:00
Hi @Razzi29
The simplest method to check that a computer has registered a LAPS password is the query below; it will return all computer objects that don't have a LAPS password set. As this query uses the time the password was set, it can be used by a user without permissions to see the LAPS password.
(&(objectclass=computer)(!ms-Mcs-AdmPwdExpirationTime=*))
Gary.
-
Razzi29 311 Reputation points
2022-05-16T15:13:24.88+00:00
@Gary Reynolds do I run this script on a domain controller, and if so, do I just run the script as posted or do I need to use Get-ADComputer with it? Thanks
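
An added example, not part of the thread and not code from any of its participants: one way to run the attribute check from the answer through Get-ADComputer. It goes beyond the posted filter by limiting the search to enabled server accounts and by also flagging passwords past their expiration time; `ConvertTo-LapsStatus`, `Get-LapsCoverage`, the status labels, the sample host names and the CSV path are this example's own names. It reads only the expiration time, never the password attribute.

```powershell
# Added example; the ActiveDirectory module (RSAT) is needed only for the live query.
# Enabled computer accounts with a Server OS. The OID is the LDAP bitwise-AND matching
# rule; bit 2 of userAccountControl marks a disabled account.
$Filter = '(&(objectClass=computer)(operatingSystem=*Server*)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$Props  = 'ms-Mcs-AdmPwdExpirationTime', 'operatingSystem'

function ConvertTo-LapsStatus {
    # Classifies a computer object by its LAPS expiration attribute (stored as a FILETIME).
    param(
        [Parameter(ValueFromPipeline)] $Computer,
        [DateTime] $Now = [DateTime]::UtcNow
    )
    process {
        $raw     = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc($raw) } else { $null }
        if (-not $raw)             { $status = 'NoPassword' }  # LAPS has never set a password
        elseif ($expires -lt $Now) { $status = 'Expired' }     # set once, not rotated since
        else                       { $status = 'OK' }
        [pscustomobject]@{
            Name            = $Computer.Name
            OperatingSystem = $Computer.operatingSystem
            LapsExpiresUtc  = $expires
            LapsStatus      = $status
        }
    }
}

function Get-LapsCoverage {
    # Live query; -SearchBase optionally limits it to one OU (distinguished name).
    param([string] $SearchBase)
    Import-Module ActiveDirectory -ErrorAction Stop
    $query = @{ LDAPFilter = $Filter; Properties = $Props }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADComputer @query | ConvertTo-LapsStatus
}

# Constructed sample objects (not real hosts) to show the classification offline.
$now = [DateTime]::UtcNow
$sample = @(
    [pscustomobject]@{ Name = 'SRV-A'; operatingSystem = 'Windows Server 2019 Standard'
                       'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(20).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-B'; operatingSystem = 'Windows Server 2016 Standard'
                       'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-C'; operatingSystem = 'Windows Server 2022 Standard'
                       'ms-Mcs-AdmPwdExpirationTime' = $null }
)
$sample | ConvertTo-LapsStatus | Format-Table   # SRV-A OK, SRV-B Expired, SRV-C NoPassword

# Against the domain, keeping only the gaps:
# Get-LapsCoverage | Where-Object LapsStatus -ne 'OK' | Export-Csv .\laps-gaps.csv -NoTypeInformation
```

The live query runs from any domain-joined machine that has the ActiveDirectory module installed; a domain controller is not required.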