0 votes

We use Server 2022 Active Directory Domain Services with the new LAPS Password Management system. Access to the old ms-Mcs-AdmPwd is no longer a valid option for displaying the LAPS password. The new attributes, all starting with ms-Laps, have brought a significant change. The password is now in binary format, which unfortunately cannot be displayed on the Adaxes web interface.

Besides using ADUC or Active Directory Administrative Center, the only method I have found is the PowerShell Get-LapsADPassword command. This is not a suitable option for my support staff, who need access to the LAPS password via Adaxes.

Just a little history - I have been using Adaxes and LAPS since 2012.

by (60 points)

1 Answer

0 votes
by (286k points)

Hello George,

Unfortunately, there is no other option. Using a PowerShell script is the only one for now. However, we have the feature in our TODO list.

0

We created a custom command that takes a computer object as input to get LAPS information.

Helpdesk needs to select a machine, and then this PowerShell code is executed:

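# Look up the selected computer together with its LAPS expiration attribute
$computer = Get-AdmComputer "%name%" -Properties msLAPS-PasswordExpirationTime
# Read the current LAPS password as plain text
$pass = (Get-LapsADPassword $computer -AsPlainText).Password

# The expiration time is stored as a FILETIME value; convert it to a readable date
if ($null -ne $computer.'msLAPS-PasswordExpirationTime') {
    $expire = ([datetime]::FromFileTime([convert]::ToInt64($computer.'msLAPS-PasswordExpirationTime', 10))).ToString("yyyy-MM-dd HH:mm:ss")
}
else {
    # Do not report the current time as the expiry when the attribute is empty
    $expire = "No expiration date specified"
}

if ($null -eq $pass) { $pass = "AD attribute value is empty" }

#$Context.LogMessage("$computer", "Information")
$Context.LogMessage("LAPS password: " + $pass, "Information")
$Context.LogMessage("Will expire: " + $expire, "Information")

0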

Hello,

As long as the computer is the target object of the custom command, there is no need to request it in the script. Here is the version of the script you can use:

# Read the LAPS password of the computer the custom command is executed on
$pass = Get-LapsADPassword "%distinguishedName%" -AsPlainText

if ($null -eq $pass)
{
    $Context.LogMessage("AD attribute value is empty", "Information")
    return
}

# Get LAPS password expiration date
try
{
    $passwordExpiration = $Context.TargetObject.Get("msLAPS-PasswordExpirationTime")
    $passwordExpirationTime = [DateTime]::FromFileTime([Int64]::Parse($passwordExpiration))
}
catch
{
    $passwordExpirationTime = "No expiration date specified"
}

# Output results
$Context.LogMessage("LAPS password: " + $pass.Password, "Information")
$Context.LogMessage("Will expire: $passwordExpirationTime", "Information")
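
A variant of the custom command above that also shortens the password's lifetime once it has been shown to the helpdesk, as an added example that is not part of the original thread or Adaxes' own code. It reads the expiry and decryption status from the object returned by Get-LapsADPassword and uses Set-LapsADPasswordExpirationTime to pull the expiry forward. Assumptions: the account running the script may write the LAPS expiration time on the computer object, and the 4-hour window is a hypothetical policy value.

```powershell
# Added example, not from the thread. $Context and %distinguishedName% are
# supplied by Adaxes when the custom command runs on a Computer object.
$rotateAfterHours = 4   # hypothetical policy value

try {
    $laps = Get-LapsADPassword -Identity "%distinguishedName%" -AsPlainText -ErrorAction Stop
}
catch {
    $Context.LogMessage("LAPS lookup failed: " + $_.Exception.Message, "Warning")
    return
}

if ($null -eq $laps -or [string]::IsNullOrEmpty($laps.Password)) {
    # An encrypted password comes back empty when the account running the
    # script is not an authorized decryptor.
    if ("$($laps.DecryptionStatus)" -eq "Unauthorized") {
        $Context.LogMessage("Not authorized to decrypt the LAPS password", "Warning")
    }
    else {
        $Context.LogMessage("AD attribute value is empty", "Information")
    }
    return
}

# The result object already carries the account name and the expiry as a DateTime
$Context.LogMessage("LAPS account: " + $laps.Account, "Information")
$Context.LogMessage("LAPS password: " + $laps.Password, "Information")

# The password is now in the execution log, so pull the expiry forward
# unless the machine is already due to rotate sooner.
$newExpiry = (Get-Date).AddHours($rotateAfterHours)
$current = $laps.ExpirationTimestamp
if ($null -eq $current -or $current.ToUniversalTime() -gt $newExpiry.ToUniversalTime()) {
    try {
        Set-LapsADPasswordExpirationTime -Identity "%distinguishedName%" -WhenEffective $newExpiry -ErrorAction Stop | Out-Null
        $current = $newExpiry
    }
    catch {
        $Context.LogMessage("Could not shorten expiry: " + $_.Exception.Message, "Warning")
    }
}
if ($null -ne $current) {
    $Context.LogMessage("Will expire: " + $current.ToString("yyyy-MM-dd HH:mm:ss"), "Information")
}
```

The managed machine generates a new password the next time it processes LAPS policy after the new expiry has passed.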
