0 votes

We are implementing the new version of LAPS built into Windows 10 with KB5025221. I've added the attribute to the Management Views for Computers, but the password is not being decrypted. I've added the Adaxes Service Account to permissions for LAPS password decryption as well.

The old LAPS Attribute (ms-Mcs-AdmPwd) is not available, as we have not loaded it into AD and plan to use the latest implementation of LAPS.

by (20 points)
0

I've been playing around with a PowerShell way of doing it. Please use at your own risk.

A few things:

  1. The -AsPlainText option is for Encrypted Passwords.
  2. This displays it to the user and also logs it, so you'll see the password in the logs, unless you want to turn off logging for PowerShell scripts.

```powershell
Import-Module Adaxes

# Get computer domain name
$domainName = $Context.GetObjectDomain("%distinguishedName%")

# Query Windows LAPS for this computer; -AsPlainText returns the password as a plain string
$searchResults = Get-LapsADPassword -Identity "%cn%" -AsPlainText

$name = $searchResults.ComputerName
$password = $searchResults.Password
$passUpdate = $searchResults.PasswordUpdateTime

# Note: the second call writes the plaintext password to the log (point 2 above)
$Context.LogMessage("ComputerName: " + $name, "Information")
$Context.LogMessage("Password: " + $password, "Information")
$Context.LogMessage("Last Password update: " + $passUpdate, "Information")
```

As another option, I was thinking of just writing to a file on a server and cleaning up the directory daily until I can find a better option to not display this and not log the password.
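An added example, not part of the original post and not Adaxes or Microsoft code: a helper that turns a `Get-LapsADPassword` result (queried without `-AsPlainText`) into log lines that never include the password, and flags the "not being decrypted" case from the question. The function name and the sample object are constructed for illustration; the property names are those the Windows LAPS cmdlet returns.

```powershell
function Format-LapsLogLines {
    param([Parameter(Mandatory)] [object] $Result)

    # Only non-secret metadata is formatted; the Password property is never read.
    $lines = @(
        "ComputerName: $($Result.ComputerName)"
        "Account: $($Result.Account)"
        "Source: $($Result.Source)"
        "DecryptionStatus: $($Result.DecryptionStatus)"
        "AuthorizedDecryptor: $($Result.AuthorizedDecryptor)"
        "Last password update: $($Result.PasswordUpdateTime)"
        "Expires: $($Result.ExpirationTimestamp)"
    )

    # An encrypted password that the calling account could not decrypt points at
    # the decryptor principal rather than at the attribute or the view.
    if ($Result.Source -eq 'EncryptedPassword' -and $Result.DecryptionStatus -ne 'Success') {
        $lines += "Decryption failed: confirm the calling account is covered by '$($Result.AuthorizedDecryptor)'."
    }
    return $lines
}

# Constructed sample shaped like Get-LapsADPassword output for an account
# that is not an authorized decryptor (all values are made up).
$sample = [pscustomobject]@{
    ComputerName        = 'PC-EXAMPLE'
    Account             = 'Administrator'
    Password            = $null
    PasswordUpdateTime  = [datetime]'2023-04-09T10:03:41'
    ExpirationTimestamp = [datetime]'2023-04-14T10:03:41'
    Source              = 'EncryptedPassword'
    DecryptionStatus    = 'Unauthorized'
    AuthorizedDecryptor = 'EXAMPLE\LAPS Admins'
}
Format-LapsLogLines -Result $sample

# Inside the Adaxes script from the post, the same helper would be used as:
#   $result = Get-LapsADPassword -Identity "%cn%"
#   Format-LapsLogLines -Result $result |
#       ForEach-Object { $Context.LogMessage($_, "Information") }
```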

1 Answer

0 votes
by (288k points)

Hello,

Thank you for the provided details. Unfortunately, there is no possibility to achieve the desired result with the update. We keep monitoring the possibilities provided by LAPS. Should there be any updates, we will investigate existing approaches that could be used in Adaxes.
