Get-LapsADPassword
Queries Windows Local Administrator Password Solution (LAPS) credentials from Active Directory (AD) on a specified AD computer or domain controller object.
Get-LapsADPassword
[-Credential <PSCredential>]
[-DecryptionCredential <PSCredential>]
[-IncludeHistory]
[-AsPlainText]
[-Identity] <String[]>
[<CommonParameters>]
Get-LapsADPassword
[-Credential <PSCredential>]
[-DecryptionCredential <PSCredential>]
[-IncludeHistory]
[-AsPlainText]
[-Identity] <String[]>
-Domain <String>
[<CommonParameters>]
Get-LapsADPassword
[-Credential <PSCredential>]
[-DecryptionCredential <PSCredential>]
[-IncludeHistory]
[-AsPlainText]
[-Identity] <String[]>
-DomainController <String>
[<CommonParameters>]
Get-LapsADPassword
[-Credential <PSCredential>]
[-DecryptionCredential <PSCredential>]
[-IncludeHistory]
[-AsPlainText]
-Port <Int32>
[-Identity] <String[]>
[-DomainController <String>]
[<CommonParameters>]
Get-LapsADPassword
[-IncludeHistory]
[-AsPlainText]
[-RecoveryMode]
[-Identity] <String[]>
[<CommonParameters>]
Get-LapsADPassword
[-IncludeHistory]
[-AsPlainText]
[-RecoveryMode]
-Port <Int32>
[-Identity] <String[]>
[<CommonParameters>]
The Get-LapsADPassword
cmdlet allows administrators to retrieve LAPS passwords and password
history for an Active Directory computer or domain controller object. Depending on policy
configuration, LAPS passwords may be stored in either clear-text form or encrypted form. The
Get-LapsADPassword
cmdlet automatically decrypts encrypted passwords.
The Get-LapsADPassword
cmdlet may also be used to connect to a mounted AD
snapshot.
The Verbose parameter may be used to get additional information about the cmdlet's operation.
Get-LapsADPassword LAPSCLIENT
ComputerName : LAPSCLIENT
DistinguishedName : CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com
Account : Administrator
Password : System.Security.SecureString
PasswordUpdateTime : 4/9/2023 10:03:41 AM
ExpirationTimestamp : 4/14/2023 10:03:41 AM
Source : CleartextPassword
DecryptionStatus : NotApplicable
AuthorizedDecryptor : NotApplicable
This example demonstrates querying the current LAPS password for the LAPSCLIENT
computer in the
current domain. The password was stored in AD in clear-text form and didn't require decryption. The
password was returned wrapped in a SecureString object.
Get-LapsADPassword -Identity LAPSCLIENT -DomainController lapsDC -AsPlainText
ComputerName : LAPSCLIENT
DistinguishedName : CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com
Account : Administrator
Password : k8P]Xl5T-ky!aj4s21el3S#.x44!e{8+,{L!M
PasswordUpdateTime : 4/9/2023 10:03:41 AM
ExpirationTimestamp : 4/14/2023 10:03:41 AM
Source : CleartextPassword
DecryptionStatus : NotApplicable
AuthorizedDecryptor : NotApplicable
This example demonstrates querying the current LAPS password on a specific domain controller
(lapsDC
), for the LAPSCLIENT
computer, requesting that the password be displayed in clear-text
form. The password was stored in AD in clear-text form and didn't require decryption. The password
was returned in clear-text form.
Get-LapsADPassword -Identity LAPSCLIENT2 -Domain laps.com -AsPlainText -IncludeHistory
ComputerName : LAPSCLIENT2
DistinguishedName : CN=LAPSCLIENT2,OU=LapsTestEncryptedOU,DC=laps,DC=com
Account : Administrator
Password : q64!7KI3BOe/&S%buM0nBaW{B]261zN5L0{;{
PasswordUpdateTime : 4/9/2023 9:39:38 AM
ExpirationTimestamp : 4/14/2023 9:39:38 AM
Source : EncryptedPassword
DecryptionStatus : Success
AuthorizedDecryptor : LAPS\LAPS Admins
ComputerName : LAPSCLIENT2
DistinguishedName : CN=LAPSCLIENT2,OU=LapsTestEncryptedOU,DC=laps,DC=com
Account : Administrator
Password : O{P61q6bu(3kZ6&#p2y.&F$cWd;0dm8!]Wl5j
PasswordUpdateTime : 4/9/2023 9:38:10 AM
ExpirationTimestamp :
Source : EncryptedPasswordHistory
DecryptionStatus : Success
AuthorizedDecryptor : LAPS\LAPS Admins
This example demonstrates querying the current LAPS password for the LAPSCLIENT2
computer, in a
specific AD domain (laps.com
), requesting that the password be displayed in
clear-text form. The password was stored in AD in encrypted form and was successfully
decrypted.
Note
ExpirationTimestamp is always empty for any older LAPS passwords returned.
Get-LapsADPassword -Identity lapsDC.laps.com -AsPlainText
ComputerName : LAPSDC
DistinguishedName : CN=LAPSDC,OU=Domain Controllers,DC=laps,DC=com
Account : Administrator
Password : 118y$rsw.3y58yG]on$Hii
PasswordUpdateTime : 4/9/2023 10:17:51 AM
ExpirationTimestamp : 4/19/2023 10:17:51 AM
Source : EncryptedDSRMPassword
DecryptionStatus : Success
AuthorizedDecryptor : LAPS\Domain Admins
This example demonstrates querying the current LAPS password for the lapsDC.laps.com
domain
controller, requesting that the password be displayed in clear-text form. The password was stored in
AD in encrypted form and was successfully decrypted.
Get-LapsADPassword LAPSDC
ComputerName : LAPSDC
DistinguishedName : CN=LAPSDC,OU=Domain Controllers,DC=laps,DC=com
Account :
Password :
PasswordUpdateTime : 4/9/2023 10:17:51 AM
ExpirationTimestamp : 4/19/2023 10:17:51 AM
Source : EncryptedDSRMPassword
DecryptionStatus : Unauthorized
AuthorizedDecryptor : LAPS\Domain Admins
This example demonstrates querying the current LAPS password for the LAPSDC
domain controller when
the user doesn't have permissions to decrypt the LAPS DSRM password.
Get-LapsADPassword LAPSLEGACYCLIENT -AsPlainText
ComputerName : LAPSLEGACYCLIENT
DistinguishedName : CN=LAPSLEGACYCLIENT,OU=LegacyLapsOU,DC=laps,DC=com
Account :
Password : Z#x}&7BluHf3{r+C218
PasswordUpdateTime :
ExpirationTimestamp : 5/14/2023 1:55:39 PM
Source : LegacyLapsCleartextPassword
DecryptionStatus : NotApplicable
AuthorizedDecryptor : NotApplicable
This example demonstrates querying the current LAPS password for the 'LAPSLEGACYCLIENT' machine which is currently running in legacy LAPS emulation mode.
Note
When querying legacy LAPS-style passwords, the Account and PasswordUpdateTime fields are always unavailable.
Get-LapsADPassword -Identity LAPSCLIENT -Port 50000 -AsPlainText
ComputerName : LAPSCLIENT
DistinguishedName : CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com
Account : Administrator
Password : H6UycL[vj#zzTNVpS//G2{j&t9aO}k[K5l4)X
PasswordUpdateTime : 4/15/2023 6:51:45 AM
ExpirationTimestamp : 4/20/2023 6:51:45 AM
Source : CleartextPassword
DecryptionStatus : NotApplicable
AuthorizedDecryptor : NotApplicable
This example demonstrates querying an AD Snapshot browser instance for the current LAPS password for
the LAPSCLIENT
machine. This example assumes that that the snapshot browser has been previously
started on the local machine listening on an LDAP port of 50000
.
Specify this parameter to return the LAPS passwords in clear-text format. The default behavior is to return the LAPS passwords wrapped in a .NET SecureString object.
Important
Using this parameter exposes the returned clear-text password to casual viewing and may pose a security risk. This parameter should be used with caution and only in support or testing situations.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies a set of credentials to use when querying AD for the LAPS credentials. If not specified, the current user's credentials are used.
Type: | PSCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies a set of credentials to use when decrypting encrypted LAPS credentials. If not specified, the current user's credentials are used.
Type: | PSCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the name of the domain to connect to.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the name of the domain controller to connect to, or the remote server on which an AD Snapshot Browser is running.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the name of the computer or domain controller object to retrieve LAPS credentials from.
This parameter accepts several different name formats that influence the criteria used when searching AD for the target device. The supported name formats are as follows:
- distinguishedName (begins with a
CN=
) - samAccountName (begins with a '$")
- dnsHostName (contains at least one '.' character)
- name (for all other inputs)
Type: | String[] |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Specifies that any older LAPS credentials on the computer object should also be displayed.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Specifies the AD Snapshot Browser port to connect to.
Type: | Nullable<T>[Int32] |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
This parameter provides a last-ditch option when it's no longer possible to decrypt a given LAPS credential via the normal mechanisms. For example, this might be necessary if a LAPS credential was encrypted against a group that has since been deleted.
Important
When specifying this parameter, you must be logged-in locally as a Domain Administrator on a writable domain controller.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
String[]