Razzi29 asked RichMatheisen-8856 commented

Post verification LAPS client installation

Recently we implemented Microsoft LAPS (Local Admin Password Solution) in the enterprise. Now, we would like to figure out how we can check multiple servers to see which ones have LAPS installed and which servers we potentially missed installing LAPS on. Is there a third-party app or script? We do not want to go through them manually one at a time, as it will take so much time.

windows-server, windows-server-powershell, windows-server-security

RichMatheisen-8856 answered

I think you'd use the Get-ADComputer cmdlet and verify that the ms-Mcs-AdmPwd property is present on the computer object.


GaryReynolds answered

Hi @Razzi29

The simplest method to check that a computer has registered a LAPS password is the query below. It will return all computer objects that don't have a LAPS password set. As this query uses the time the password was set, it can be used by a user without permissions to see the LAPS password.

 (&(objectclass=computer)(!(ms-Mcs-AdmPwdExpirationTime=*)))

Gary.






Razzi29 answered RichMatheisen-8856 commented

@GaryReynolds do I run this script on a domain controller and if so, do I just run the script as posted or do I need to use the Get-ADComputer with it? Thanks


What @GaryReynolds posted was an LDAP filter string. You can use that on the Get-ADComputer cmdlet.

No need to run it on a DC.

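The approach discussed in this thread, written out as an added example (not code posted by any participant): the LDAP filter is passed to Get-ADComputer, and computers whose stored expiration time is already in the past are flagged too. A missing ms-Mcs-AdmPwdExpirationTime means no password was ever registered in AD, which covers both a missing client and a client that never received the LAPS policy. The server-only scope, the enabled-account filter and the State labels are assumptions of this example.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT);
# a domain controller is not required.
Import-Module ActiveDirectory

# Assumption: scope is enabled computer accounts whose OS name contains "Server".
$scope = '(objectClass=computer)(operatingSystem=*Server*)' +
         '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
$props = 'OperatingSystem', 'LastLogonDate', 'ms-Mcs-AdmPwdExpirationTime'

# Servers with no expiration time: no LAPS password was ever written to AD.
$missing = Get-ADComputer -Properties $props `
    -LDAPFilter ('(&{0}(!(ms-Mcs-AdmPwdExpirationTime=*)))' -f $scope)

# Servers that have registered a password at least once.
$registered = Get-ADComputer -Properties $props `
    -LDAPFilter ('(&{0}(ms-Mcs-AdmPwdExpirationTime=*))' -f $scope)

$now = (Get-Date).ToUniversalTime()
$report = foreach ($c in @($missing) + @($registered)) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    # The attribute is a Windows FILETIME value (100 ns ticks since 1601, UTC).
    $expires = if ($null -ne $raw) { [datetime]::FromFileTimeUtc($raw) }
    $state = if ($null -eq $raw) { 'NoPasswordRegistered' }
             elseif ($expires -lt $now) { 'Expired' }
             else { 'OK' }
    [pscustomobject]@{
        Name            = $c.Name
        OperatingSystem = $c.OperatingSystem
        LastLogonDate   = $c.LastLogonDate
        LapsExpiresUtc  = $expires
        State           = $state
    }
}

# List everything that needs attention; LastLogonDate helps separate stale
# computer objects from servers that were missed during rollout.
$report | Where-Object State -ne 'OK' |
    Sort-Object State, LastLogonDate |
    Format-Table -AutoSize
```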