<< Back to Script Library

LAPS – Get Account Password

Get's the local administrator password for the selected machines protected by the Local Administrator Password Solution (LAPS)
Version: 1.2.4
Created: 2020-09-27
Modified: 2021-10-29
Creator: trententtye00
Downloads: 104
The Script Copy Script Copied to clipboard
        Get password for LAPS protected machine

        Retrieves the password for a machine protected by the Local Administrator Password Solution

        . .\LAPS_GetPassword.ps1 -ComputerName W2019-001
        Gets the LAPS password for the target machine

        Designed to run as the CONSOLE context on the target machine so the user running the script requires full rights to get/set the password


        Created TTYE : 2020-09-27

    AUTHOR: Trentent Tye
Param (
    [Parameter(Mandatory=$true,HelpMessage='Enter the SamAccountName of the machine')][ValidateNotNullOrEmpty()]  [string]$ComputerName

#Use native ADSI queries to avoid using ActiveDirectory powershell modules (which might not be installed on the target machines)
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher.Filter = "(&(objectCategory=Computer)(SamAccountname=$($COMPUTERNAME)`$))"
$objSearcher.SearchScope = "Subtree"
$ComputerObj = $objSearcher.FindOne()
$password = $ComputerObj.Properties["ms-Mcs-AdmPwd"]

#find local administrator account
$account = Get-WmiObject -ComputerName $ComputerName -Class Win32_UserAccount -Filter "LocalAccount='True' And Sid like '%-500'"

#find password expiration for LAPS account
$PasswordExpiration = $([datetime]::FromFileTime([convert]::ToInt64($ComputerObj.Properties['ms-MCS-AdmPwdExpirationTime'],10)))

Write-Output "Account          : $($account.caption)"
Write-Output "Password         : $password"
Write-Output "`nPassword Expires : $PasswordExpiration"