LAPS

Last Post 02 March 2017
kitaab posted this 02 March 2017

We have added LAPS and now all local admin passwords are accessible in AD.

The GPO sets the password every 2 days.

However, we have a situation where sometimes a VM has to be restored from a backup taken, let's say, a week ago. Since the VM is restored as a workgroup machine, the only account we can log in with is the local admin account; however, because LAPS resets the password every 2 days, we do not actually have the correct password for the restored VM.

How can we keep a history of passwords in LAPS?

Or how do you guys manage such situations?

PARRIS posted this 02 March 2017

We put the LAPS information into a SQL DB; this covers your scenario, plus deleted machine accounts.

Regards,

Mark Parris

Cloud | Identity | Security

MVP Enterprise Mobility | MCM Directory Services


kitaab posted this 02 March 2017

Do you mean adding the LAPS information in AD + SQL? How do you do that?

kurtbuff posted this 02 March 2017

The script below is simplistic (nothing so fancy as a SQL database, just a CSV file), but it works for me, and I take the opportunity to gather some other info as well, as you can see. LastLogonDate and LastLogonTimeStamp are somewhat redundant, but I wrote this mostly as an exercise in timestamp format manipulation.
We expire passwords much more slowly - every 30 days.
# Dump the current LAPS password of every computer, plus logon timestamps, to a dated CSV.
# Timestamps are converted from Windows FILETIME to the sortable "u" format.
get-adcomputer -filter * -properties operatingsystem, ms-mcs-admpwd, ms-mcs-admpwdexpirationtime, LastLogonDate, LastLogonTimeStamp |
    select name, operatingsystem, ms-mcs-admpwd,
        @{Name="PasswordExpirationDate"; Expression={[DateTime]::FromFileTime($_."ms-mcs-admpwdexpirationtime").ToString("u")}},
        @{Name="LastLogonDate"; Expression={$_.LastLogonDate.ToString("u")}},
        @{Name="LastLogon"; Expression={[DateTime]::FromFileTime($_.LastLogonTimeStamp).ToString("u")}} |
    sort operatingsystem, lastlogon |
    export-csv -notype "\\example.com\us\infrastructureTeam\laps\<yyyy-mm-dd>-passwords.csv"
Kurt
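An added example, not from any poster in this thread, that takes the CSV approach one step further: instead of a fresh dump per run it appends to one history file only when a machine's password has changed, so the password a VM had at its backup date can be looked up later. It assumes the RSAT ActiveDirectory module, an account that has been granted read access to ms-Mcs-AdmPwd, and a placeholder history path; the function name Get-LapsPasswordAt is my own. It only records what each run sees, so schedule it at least once per expiry interval (every 2 days for the original poster's GPO).

```powershell
# Added example: append-only LAPS password history in a CSV (not code from the thread).
# Assumes: ActiveDirectory module, read rights on ms-Mcs-AdmPwd, $HistoryPath is a placeholder.
# The history file is as sensitive as the AD attribute itself: give the share and file the
# same restrictive ACL as the group that is allowed to read ms-Mcs-AdmPwd.
Import-Module ActiveDirectory

$HistoryPath = '\\example.com\laps\laps-history.csv'   # placeholder path, change to yours

# Load what we already recorded so we append a row only when the password actually changed.
$latest = @{}
if (Test-Path $HistoryPath) {
    foreach ($row in Import-Csv $HistoryPath) { $latest[$row.Name] = $row.Password }  # last row wins
}

$now = (Get-Date).ToString('u')
$new = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime |
    Where-Object { $_.'ms-Mcs-AdmPwd' -and $latest[$_.Name] -ne $_.'ms-Mcs-AdmPwd' } |
    ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Password = $_.'ms-Mcs-AdmPwd'
            Expires  = [DateTime]::FromFileTime([long]$_.'ms-Mcs-AdmPwdExpirationTime').ToString('u')
            Recorded = $now
        }
    }

if ($new) {
    $new | Export-Csv -Path $HistoryPath -NoTypeInformation -Append
    Write-Host "Recorded $(@($new).Count) new password(s)."
}

# Look up the password a machine had at a given point in time, e.g. the date of the backup
# that is about to be restored: the newest row recorded on or before that date.
function Get-LapsPasswordAt {
    param([string]$ComputerName, [datetime]$AsOf)
    Import-Csv $HistoryPath |
        Where-Object { $_.Name -eq $ComputerName -and [datetime]$_.Recorded -le $AsOf } |
        Sort-Object { [datetime]$_.Recorded } -Descending |
        Select-Object -First 1
}

# Example: Get-LapsPasswordAt -ComputerName 'VM01' -AsOf (Get-Date).AddDays(-7)
```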