LAPS – Reset Account Password

Resets the password of the local administrator account managed by the Local Administrator Password Solution (LAPS) on a target machine
Version 1.3.5
Created on 2020-09-27
Modified on 2021-10-29
Created by trententtye00
Downloads: 64

The Script
<#
    .SYNOPSIS
        Sets a new password for a LAPS protected machine

    .DESCRIPTION
        Sets a new password for a machine protected by the Local Administrator Password Solution
        by expiring the current password in AD and triggering a computer Group Policy refresh on the machine

    .PARAMETER ComputerName
        Specify the computer name of the target machine whose password should be reset

    .EXAMPLE
        . .\LAPS_ResetPassword.ps1 -ComputerName W2019-001
        Resets the LAPS password for the target machine

    .NOTES
        Designed to run in the CONSOLE context, so the user requires rights to read the password and to write the expiration time

    .CONTEXT
        Console

    .MODIFICATION_HISTORY
        Created TTYE : 2020-09-27


    AUTHOR: Trentent Tye
#>
[CmdletBinding()]
Param (
    [Parameter(Mandatory = $true, HelpMessage = 'Enter the SamAccountName of the machine')]
    [ValidateNotNullOrEmpty()]
    [string]$ComputerName
)


#Use native ADSI queries to avoid depending on the ActiveDirectory PowerShell module (which might not be installed where this script runs)
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher.Filter = "(&(objectCategory=Computer)(sAMAccountName=$($ComputerName)`$))"
$objSearcher.SearchScope = "Subtree"

function Get-AdmPwdValue ([System.DirectoryServices.SearchResult]$Result) {
    #Properties[...] returns a value collection, not a string; ms-Mcs-AdmPwd is only returned when the caller
    #has read rights on it, so an empty collection is mapped to an empty string
    $values = $Result.Properties["ms-Mcs-AdmPwd"]
    if ($values.Count -gt 0) { return [string]$values[0] }
    return ""
}

$ComputerObj = $objSearcher.FindOne()
if ($null -eq $ComputerObj) {
    throw "Computer account '$ComputerName`$' was not found in Active Directory"
}
$oldPassword = Get-AdmPwdValue $ComputerObj

#ADSI object has a Put method to update an AD attribute; an expiration time of 0 marks the current password as expired
$ADSICompObj = [adsi]$ComputerObj.Path
$ADSICompObj.Put("ms-Mcs-AdmPwdExpirationTime", "0")
#update attribute
$ADSICompObj.SetInfo()

#tell LAPS to query AD for expiration time and set new password
#(requires PowerShell remoting to the target and local administrator rights there)
Invoke-Command -ComputerName $ComputerName -ScriptBlock { Start-Process -FilePath gpupdate.exe -ArgumentList @("/Target:Computer") -Wait -WindowStyle Hidden }

#requery AD for updated attributes
#(the machine writes the new password to its own DC; if this script is bound to a different DC the new value may not have replicated yet)
$ComputerObj = $objSearcher.FindOne()
$newPassword = Get-AdmPwdValue $ComputerObj

#compare strings, not value collections: a collection on the left side of -ne acts as a filter and returns
#the elements that differ instead of a boolean, which made the original check report success unconditionally
if ([string]::IsNullOrEmpty($newPassword)) {
    Write-Output "Could not read ms-Mcs-AdmPwd; check read rights on the attribute and that the machine is managed by LAPS."
} elseif ($newPassword -ne $oldPassword) {
    Write-Output "LAPS Account password reset"
} else {
    Write-Output "Password update failed."
}

## It might be worth enabling LAPS verbose logging, running gpupdate, checking the log for confirmation that the password was updated, then disabling logging and running gpupdate again.
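The verification idea in the closing note, written out as an added example (this is not part of the original script and is not the author's code). It temporarily raises the debug level of the legacy LAPS client-side extension on the target machine, triggers a computer policy refresh, returns the events the extension logged during that window, and restores the previous level. It assumes the legacy (AdmPwd) LAPS CSE that the script targets through ms-Mcs-AdmPwd; the registry key, the ExtensionDebugLevel value and the AdmPwd event source are taken from the LAPS Operations Guide, and the function name is my own.

```powershell
function Test-LapsPasswordRefresh {
    # Added example: runs on the target machine through PowerShell remoting and returns
    # the AdmPwd events written during one computer Group Policy refresh.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Registry location of the legacy LAPS CSE (from the LAPS Operations Guide)
        $cseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
        $valueName = 'ExtensionDebugLevel'   # 0 = errors, 1 = errors and warnings, 2 = verbose

        if (-not (Test-Path -Path $cseKey)) {
            throw "LAPS CSE registry key not found on $env:COMPUTERNAME; is the legacy LAPS client installed?"
        }

        # Remember the current level (absent value means the default, 0) so it can be put back
        $previous = (Get-ItemProperty -Path $cseKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
        Set-ItemProperty -Path $cseKey -Name $valueName -Value 2 -Type DWord

        # Small margin so an event stamped in the same second as $start is not missed
        $start = (Get-Date).AddSeconds(-2)
        try {
            # The CSE runs during computer policy refresh; this is when an expired password is rotated
            & gpupdate.exe /Target:Computer | Out-Null

            # Collect everything the LAPS CSE logged during the refresh (empty result is not an error)
            Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd'; StartTime = $start } -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, Id, LevelDisplayName, Message
        }
        finally {
            # Restore the previous debug level, removing the value if it did not exist before
            if ($null -eq $previous) {
                Remove-ItemProperty -Path $cseKey -Name $valueName -ErrorAction SilentlyContinue
            } else {
                Set-ItemProperty -Path $cseKey -Name $valueName -Value $previous -Type DWord
            }
        }
    }
}

# Usage (after running the reset script above, or on its own to see what the CSE does on refresh):
# Test-LapsPasswordRefresh -ComputerName W2019-001 | Format-Table -AutoSize
```

Reading the returned messages confirms whether the CSE saw the expired password and reported a new one to AD, which is a more direct check than comparing ms-Mcs-AdmPwd before and after, since that comparison also depends on which domain controller the script and the machine are bound to. The `finally` block makes sure verbose logging does not stay enabled on the machine if gpupdate or the event query fails.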