Get-LapsADPassword

Queries Windows Local Administrator Password Solution (LAPS) credentials from Active Directory (AD) on a specified AD computer or domain controller object.

Syntax

NormalMode (Default)

Get-LapsADPassword
    [-Identity] <String[]>
    [-Credential <PSCredential>]
    [-DecryptionCredential <PSCredential>]
    [-IncludeHistory]
    [-AsPlainText]
    [<CommonParameters>]

DomainMode

Get-LapsADPassword
    [-Identity] <String[]>
    -Domain <String>
    [-Credential <PSCredential>]
    [-DecryptionCredential <PSCredential>]
    [-IncludeHistory]
    [-AsPlainText]
    [<CommonParameters>]

DomainControllerMode

Get-LapsADPassword
    [-Identity] <String[]>
    -DomainController <String>
    [-Credential <PSCredential>]
    [-DecryptionCredential <PSCredential>]
    [-IncludeHistory]
    [-AsPlainText]
    [<CommonParameters>]

SnapshotBrowserMode

Get-LapsADPassword
    [-Identity] <String[]>
    -Port <Int32>
    [-Credential <PSCredential>]
    [-DecryptionCredential <PSCredential>]
    [-IncludeHistory]
    [-AsPlainText]
    [-DomainController <String>]
    [<CommonParameters>]

RecoveryMode

Get-LapsADPassword
    [-Identity] <String[]>
    [-IncludeHistory]
    [-AsPlainText]
    [-RecoveryMode]
    [<CommonParameters>]

SnapshotBrowserRecoveryMode

Get-LapsADPassword
    [-Identity] <String[]>
    -Port <Int32>
    [-IncludeHistory]
    [-AsPlainText]
    [-RecoveryMode]
    [<CommonParameters>]

Description

The Get-LapsADPassword cmdlet allows administrators to retrieve LAPS passwords and password history for an Active Directory computer or domain controller object. Depending on policy configuration, LAPS passwords may be stored in either clear-text form or encrypted form. The Get-LapsADPassword cmdlet automatically decrypts encrypted passwords.

The Get-LapsADPassword cmdlet may also be used to connect to a mounted AD snapshot.

The Verbose parameter may be used to get additional information about the cmdlet's operation.

Examples

Example 1

Get-LapsADPassword LAPSCLIENT
ComputerName        : LAPSCLIENT
DistinguishedName   : CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com
Account             : Administrator
Password            : System.Security.SecureString
PasswordUpdateTime  : 4/9/2023 10:03:41 AM
ExpirationTimestamp : 4/14/2023 10:03:41 AM
Source              : CleartextPassword
DecryptionStatus    : NotApplicable
AuthorizedDecryptor : NotApplicable

This example demonstrates querying the current LAPS password for the LAPSCLIENT computer in the current domain. The password was stored in AD in clear-text form and didn't require decryption. The password was returned wrapped in a SecureString object.

Example 2

Get-LapsADPassword -Identity LAPSCLIENT -DomainController lapsDC -AsPlainText
ComputerName        : LAPSCLIENT
DistinguishedName   : CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com
Account             : Administrator
Password            : k8P]Xl5T-ky!aj4s21el3S#.x44!e{8+,{L!M
PasswordUpdateTime  : 4/9/2023 10:03:41 AM
ExpirationTimestamp : 4/14/2023 10:03:41 AM
Source              : CleartextPassword
DecryptionStatus    : NotApplicable
AuthorizedDecryptor : NotApplicable

This example demonstrates querying the current LAPS password on a specific domain controller (lapsDC), for the LAPSCLIENT computer, requesting that the password be displayed in clear-text form. The password was stored in AD in clear-text form and didn't require decryption. The password was returned in clear-text form.

Example 3

Get-LapsADPassword -Identity LAPSCLIENT2 -Domain laps.com -AsPlainText -IncludeHistory
ComputerName        : LAPSCLIENT2
DistinguishedName   : CN=LAPSCLIENT2,OU=LapsTestEncryptedOU,DC=laps,DC=com
Account             : Administrator
Password            : q64!7KI3BOe/&S%buM0nBaW{B]261zN5L0{;{
PasswordUpdateTime  : 4/9/2023 9:39:38 AM
ExpirationTimestamp : 4/14/2023 9:39:38 AM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : LAPS\LAPS Admins

ComputerName        : LAPSCLIENT2
DistinguishedName   : CN=LAPSCLIENT2,OU=LapsTestEncryptedOU,DC=laps,DC=com
Account             : Administrator
Password            : O{P61q6bu(3kZ6&#p2y.&F$cWd;0dm8!]Wl5j
PasswordUpdateTime  : 4/9/2023 9:38:10 AM
ExpirationTimestamp :
Source              : EncryptedPasswordHistory
DecryptionStatus    : Success
AuthorizedDecryptor : LAPS\LAPS Admins

This example demonstrates querying the current LAPS password for the LAPSCLIENT2 computer in a specific AD domain (laps.com), requesting that the password be displayed in clear-text form and that older passwords also be returned. Both the current password and the history entry were stored in AD in encrypted form and were successfully decrypted.

Note

ExpirationTimestamp is always empty for any older LAPS passwords returned.

Example 4

Get-LapsADPassword -Identity lapsDC.laps.com -AsPlainText
ComputerName        : LAPSDC
DistinguishedName   : CN=LAPSDC,OU=Domain Controllers,DC=laps,DC=com
Account             : Administrator
Password            : 118y$rsw.3y58yG]on$Hii
PasswordUpdateTime  : 4/9/2023 10:17:51 AM
ExpirationTimestamp : 4/19/2023 10:17:51 AM
Source              : EncryptedDSRMPassword
DecryptionStatus    : Success
AuthorizedDecryptor : LAPS\Domain Admins

This example demonstrates querying the current LAPS password for the lapsDC.laps.com domain controller, requesting that the password be displayed in clear-text form. The password was stored in AD in encrypted form and was successfully decrypted.

Example 5

Get-LapsADPassword LAPSDC
ComputerName        : LAPSDC
DistinguishedName   : CN=LAPSDC,OU=Domain Controllers,DC=laps,DC=com
Account             :
Password            :
PasswordUpdateTime  : 4/9/2023 10:17:51 AM
ExpirationTimestamp : 4/19/2023 10:17:51 AM
Source              : EncryptedDSRMPassword
DecryptionStatus    : Unauthorized
AuthorizedDecryptor : LAPS\Domain Admins

This example demonstrates querying the current LAPS password for the LAPSDC domain controller when the user doesn't have permissions to decrypt the LAPS DSRM password.

Example 6

Get-LapsADPassword LAPSLEGACYCLIENT -AsPlainText
ComputerName        : LAPSLEGACYCLIENT
DistinguishedName   : CN=LAPSLEGACYCLIENT,OU=LegacyLapsOU,DC=laps,DC=com
Account             :
Password            : Z#x}&7BluHf3{r+C218
PasswordUpdateTime  :
ExpirationTimestamp : 5/14/2023 1:55:39 PM
Source              : LegacyLapsCleartextPassword
DecryptionStatus    : NotApplicable
AuthorizedDecryptor : NotApplicable

This example demonstrates querying the current LAPS password for the 'LAPSLEGACYCLIENT' machine which is currently running in legacy LAPS emulation mode.

Note

When querying legacy LAPS-style passwords, the Account and PasswordUpdateTime fields are always unavailable.

Example 7

Get-LapsADPassword -Identity LAPSCLIENT -Port 50000 -AsPlainText
ComputerName        : LAPSCLIENT
DistinguishedName   : CN=LAPSCLIENT,OU=LapsTestOU,DC=laps,DC=com
Account             : Administrator
Password            : H6UycL[vj#zzTNVpS//G2{j&t9aO}k[K5l4)X
PasswordUpdateTime  : 4/15/2023 6:51:45 AM
ExpirationTimestamp : 4/20/2023 6:51:45 AM
Source              : CleartextPassword
DecryptionStatus    : NotApplicable
AuthorizedDecryptor : NotApplicable

This example demonstrates querying an AD Snapshot Browser instance for the current LAPS password for the LAPSCLIENT machine. This example assumes that the snapshot browser has previously been started on the local machine, listening on LDAP port 50000.
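As an added example that is not part of this cmdlet's documentation, the following script uses the output fields shown in Examples 1 to 7 to audit a list of computers without -AsPlainText, and then hands the SecureString password on as a PSCredential, which is the reason the default output is preferable outside support and testing. The LAPS module being installed, the names in $targets, and the two helper function names are assumptions.

```powershell
# Added example (not from the Get-LapsADPassword documentation). Audits LAPS state for a
# set of computers without -AsPlainText, so no password is ever written to the console.
# Assumes the LAPS PowerShell module is installed and the caller may read the passwords.
# $targets is constructed sample input; the names match this page's examples.
$targets = 'LAPSCLIENT', 'LAPSCLIENT2', 'LAPSDC', 'LAPSLEGACYCLIENT'

function Get-LapsFinding {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $entries = @(Get-LapsADPassword -Identity $ComputerName -IncludeHistory -ErrorAction Stop)
    }
    catch {
        return [pscustomobject]@{ ComputerName = $ComputerName; Finding = "Lookup failed: $($_.Exception.Message)" }
    }
    # History entries carry a '*History' Source and an empty ExpirationTimestamp.
    $current = $entries | Where-Object { $_.Source -notlike '*History' } | Select-Object -First 1
    if (-not $current) {
        return [pscustomobject]@{ ComputerName = $ComputerName; Finding = 'No LAPS password stored in AD' }
    }
    $findings = @()
    if ($current.DecryptionStatus -eq 'Unauthorized') {
        $findings += "cannot decrypt; authorized decryptor is '$($current.AuthorizedDecryptor)'"
    }
    if ($current.ExpirationTimestamp -and $current.ExpirationTimestamp -lt (Get-Date)) {
        $findings += "password expired at $($current.ExpirationTimestamp)"
    }
    if ($current.Source -like 'LegacyLaps*') {
        $findings += 'device still in legacy LAPS emulation mode (Account/PasswordUpdateTime unavailable)'
    }
    elseif ($current.Source -like 'Cleartext*') {
        $findings += 'password stored in AD in clear-text form'
    }
    [pscustomobject]@{
        ComputerName   = $current.ComputerName
        Source         = $current.Source
        HistoryEntries = $entries.Count - 1
        Finding        = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Wrap a result as a PSCredential for use with -Credential on other cmdlets: the SecureString
# is passed through unchanged, so the clear-text value never lands in a transcript or log.
function ConvertTo-LapsCredential {
    param([Parameter(Mandatory)]$LapsEntry, [string]$FallbackAccount = 'Administrator')
    if ($LapsEntry.DecryptionStatus -eq 'Unauthorized') { throw "Not authorized to decrypt for $($LapsEntry.ComputerName)" }
    $user = if ($LapsEntry.Account) { $LapsEntry.Account } else { $FallbackAccount }  # Account is empty for legacy LAPS
    [pscredential]::new("$($LapsEntry.ComputerName)\$user", $LapsEntry.Password)
}

$targets | ForEach-Object { Get-LapsFinding -ComputerName $_ } | Format-Table -AutoSize
$cred = ConvertTo-LapsCredential -LapsEntry (Get-LapsADPassword -Identity 'LAPSCLIENT')
```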

Parameters

-AsPlainText

Specify this parameter to return the LAPS passwords in clear-text format. The default behavior is to return the LAPS passwords wrapped in a .NET SecureString object.

Important

Using this parameter exposes the returned clear-text password to casual viewing and may pose a security risk. This parameter should be used with caution and only in support or testing situations.

Parameter properties

Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-Credential

Specifies a set of credentials to use when querying AD for the LAPS credentials. If not specified, the current user's credentials are used.

Parameter properties

Type: PSCredential
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

NormalMode
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

DomainMode
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

DomainControllerMode
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

SnapshotBrowserMode
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-DecryptionCredential

Specifies a set of credentials to use when decrypting encrypted LAPS credentials. If not specified, the current user's credentials are used.

Parameter properties

Type: PSCredential
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

NormalMode
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

DomainMode
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

DomainControllerMode
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

SnapshotBrowserMode
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-Domain

Specifies the name of the domain to connect to.

Parameter properties

Type: String
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

DomainMode
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-DomainController

Specifies the name of the domain controller to connect to, or the remote server on which an AD Snapshot Browser is running.

Parameter properties

Type: String
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

DomainControllerMode
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-Identity

Specifies the name of the computer or domain controller object to retrieve LAPS credentials from.

This parameter accepts several different name formats that influence the criteria used when searching AD for the target device. The supported name formats are as follows:

  • distinguishedName (begins with a CN=)
  • samAccountName (begins with a '$')
  • dnsHostName (contains at least one '.' character)
  • name (for all other inputs)

Parameter properties

Type: String[]
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: 0
Mandatory: True
Value from pipeline: True
Value from pipeline by property name: True
Value from remaining arguments: False

-IncludeHistory

Specifies that any older LAPS credentials on the computer object should also be displayed.

Parameter properties

Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-Port

Specifies the AD Snapshot Browser port to connect to.

Parameter properties

Type: Nullable<T>[Int32]
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

SnapshotBrowserMode
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

SnapshotBrowserRecoveryMode
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-RecoveryMode

This parameter provides a last-ditch option when it's no longer possible to decrypt a given LAPS credential via the normal mechanisms. For example, this might be necessary if a LAPS credential was encrypted against a group that has since been deleted.

Important

When specifying this parameter, you must be logged in locally as a Domain Administrator on a writable domain controller.

Parameter properties

Type: SwitchParameter
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

RecoveryMode
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

SnapshotBrowserRecoveryMode
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

String

Outputs

Object