0 votes

We use Server 2022 Active Directory Domain Services with the new LAPS Password Management system. Access to the old ms-Mcs-AdmPwd is no longer a valid option for displaying the LAPS password. The new attributes, all starting with ms-Laps, have brought a significant change. The password is now in binary format, which unfortunately can not be displayed on the ADaxes web interface.

Besides using ADUC or Active Directory Administrator Center, the only method I have found is the PowerShell get-lapsadpassword command. This option is not a suitable option for my support staff who need access to the LAPS Password via ADaxes

Just a little history - I have been using Adaxes and LAPS since 2012.

by (60 points)

1 Answer

0 votes
by (294k points)

Hello George,

Unfortunately, here is no other option. Using a PowerShell script is the only one for now. However, we have the feature in our TODO list.

0

We created a custom command with input of a computer object to get LAPS information

Helpdesk need to select a machine and then this PowerShell code is executed

$computer = Get-AdmComputer "%name%" -Properties msLAPS-PasswordExpirationTime
$pass = (Get-LapsADPassword $computer -AsPlainText).Password

if($computer.'msLAPS-PasswordExpirationTime' -ne $null){ 
    $expire = ($([datetime]::FromFileTime([convert]::ToInt64($computer.'msLAPS-PasswordExpirationTime',10)))).ToString("yyyy-MM-dd HH:mm:ss")
    } else{
        $expire = Get-Date
    }

if($pass -eq $null){ $pass = "AD attribute value is empty" }

#$Context.LogMessage("$computer", "Information")
$Context.LogMessage("LAPS password: " + $pass, "Information")
$Context.LogMessage("Will expire: " + $expire, "Information")
0

Hello,

As long as the computer is the target object of the custom command, there is no need to request it in the script. Here is the version of the script you can use:

$pass = Get-LapsADPassword "%distinguishedName%" -AsPlainText

if($pass -eq $NULL)
{
    $Context.LogMessage("AD attribute value is empty", "Information")
    return
}

# Get LAPS password expiration date
try
{
    $passwordExpiration = $Context.TargetObject.Get("msLAPS-PasswordExpirationTime")
    $passwordExpirationTime = [DateTime]::FromFileTime([Int64]::Parse($passwordExpiration))
}
catch
{
    $passwordExpirationTime = "No expiration date specified"
}

# Output results
$Context.LogMessage("LAPS password: " + $pass.Password, "Information")
$Context.LogMessage("Will expire: $passwordExpirationTime", "Information")

Related questions

0 votes
1 answer

I'd like to run code against the Adaxes service but need to pass my Admin credentials. How do I send different creds than the current user?

asked Jul 27, 2020 by ComputerHabit (790 points)
0 votes
1 answer

Hi , I would like to know that is there any API service, where we can work on objects inside Adaxes tool? Preferbly REST API?

asked Nov 6, 2019 by Anil (20 points)
0 votes
1 answer

We need to know specifically for self service password management what level of access in AD do I specifically need.

asked May 9 by justinspring (20 points)
0 votes
1 answer

This note is found in the documentation on how to configure allowed domains in Adaxes 2023. Allowed domain names can only be selected from the alternative UPN suffixes for on- ... required to pick up the change, or is there another way to trigger the update?

asked Jan 31, 2023 by dtb147 (290 points)
0 votes
1 answer

Recently, Microsoft deprecated use of the remote PS sessions using version 1. We have since converted all of our scripts to version 2, but our nightly staff ... { # Close the remote session and release resources Disconnect-ExchangeOnline -Confirm:$false }

asked Nov 2, 2022 by MShep (80 points)
3,588 questions
3,277 answers
8,303 comments
548,084 users