LAPS
#powershell
Group Policy
Changing the local administrator password on every machine is a difficult task.
This is usually done through Group Policy Preferences.
The passwords are propagated through XML files via the SYSVOL directory, and each password is encrypted with AES-256.
Microsoft published this key in the documentation, so this method is considered insecure.
LAPS
Local Administrator Password Solution (LAPS) was introduced as a secure way of changing the local administrator password on workstations.
Computer objects have the following LAPS attributes:
ms-Mcs-AdmPwd: confidential attribute that stores the clear-text administrator password.
ms-Mcs-AdmPwdExpirationTime: contains the password expiration time.
C:\Program Files\LAPS\CSE\AdmPwd.dll will be present if LAPS is enabled on the target workstation.
Extended rights can be enumerated using the LAPS PowerShell commands:
# This will print which principals have LAPS extended rights over MyOU
Find-AdmPwdExtendedRights -Identity "MyOU"
After compromising a user who holds LAPS extended rights over the OU, we print the password.
Get-AdmPwdPassword -ComputerName mycomputer
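From the defender's side, the same enumeration can be turned into an audit that flags any principal holding LAPS extended rights outside an approved list. This is an added example, not part of the original notes: the function name Test-LapsRightsHolder, the CORP\ principals and the sample records are constructed assumptions, while ObjectDN and ExtendedRightHolders are the properties Find-AdmPwdExtendedRights returns.

```powershell
# Added example: compare LAPS extended-rights holders with an allow list.
function Test-LapsRightsHolder {
    [CmdletBinding()]
    param(
        # Record with ObjectDN and ExtendedRightHolders, the shape that
        # Find-AdmPwdExtendedRights emits for each OU.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record,

        # Principals that are expected to read ms-Mcs-AdmPwd.
        [Parameter(Mandatory)]
        [string[]]$AllowedHolders
    )
    process {
        foreach ($holder in @($Record.ExtendedRightHolders)) {
            # -notcontains is case-insensitive, matching how AD names compare
            if ($AllowedHolders -notcontains $holder) {
                [pscustomobject]@{
                    ObjectDN = $Record.ObjectDN
                    Holder   = $holder
                    Finding  = 'Unexpected LAPS extended-rights holder'
                }
            }
        }
    }
}

# Constructed allow list (assumption: adjust to your own delegation model)
$allowed = 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', 'CORP\LAPS-Readers'

# Constructed sample records so the audit runs without a domain
$sample = @(
    [pscustomobject]@{
        ObjectDN             = 'OU=MyOU,DC=corp,DC=example'
        ExtendedRightHolders = @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', 'CORP\HelpdeskTier1')
    },
    [pscustomobject]@{
        ObjectDN             = 'OU=Servers,DC=corp,DC=example'
        ExtendedRightHolders = @('NT AUTHORITY\SYSTEM', 'corp\laps-readers')
    }
)

$findings = $sample | Test-LapsRightsHolder -AllowedHolders $allowed
$findings | Format-Table -AutoSize   # one row: CORP\HelpdeskTier1 on OU=MyOU

# Live use (requires the AdmPwd.PS module and directory read access):
# Import-Module AdmPwd.PS
# Find-AdmPwdExtendedRights -Identity "MyOU" |
#     Test-LapsRightsHolder -AllowedHolders $allowed
```

Every principal the audit reports is an account whose compromise exposes the local administrator passwords of that OU, so each one should either be added to the allow list deliberately or have the delegation removed.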