Reading of LAPS passwords?
jsdhasfedssad opened this issue
Are you planning to implement reading of LAPS passwords? Or can I read that already using the command "getObjectAttributes"? I tried reading the attribute "ms-mcs-AdmPwd" but either you do not collect that or it is not there since I do not have LAPS enabled.
You can use getObjectAttributes with ms-mcs-AdmPwd to read a LAPS password on a computer object that has LAPS installed, of course. You also need to have All Extended rights permissions on the object (by default for domain Admins). In order to check if LAPS is installed as a simple user, you can query ms-mcs-AdmPwdExpirationTime and see if there is any result.
More information: https://adsecurity.org/?p=3164
Good. You write that checking "ms-mcs-AdmPwdExpirationTime" can output a result. However, when I try this I get an error. Either this property cannot be used in the way you say or something is broken. I get the same error when checking "ms-mcs-AdmPwd" but I can't tell if that is due to me not having LAPS installed or your tool being broken.
It means that those attributes are not part of the schema of your AD. Maybe because you didn't install LAPS on your AD?
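Added example, not part of the thread or of the tool's code: a LAPS coverage check that separates the three outcomes discussed above (schema not extended, schema extended but no value set, value present) and decodes ms-Mcs-AdmPwdExpirationTime, which is stored as a Windows FILETIME. The input shapes (a list of schema attribute names and one dict per computer with single string values), the function names and the sample data are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

EXPIRY_ATTR = "ms-Mcs-AdmPwdExpirationTime"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def laps_status(schema_attrs, entry, now):
    """Classify one computer entry from its LAPS expiration attribute.

    schema_attrs: attribute names defined in the directory schema (assumed input)
    entry: dict of attribute name -> single string value (assumed shape)
    """
    wanted = EXPIRY_ATTR.lower()  # LDAP attribute names are case-insensitive
    if wanted not in {a.lower() for a in schema_attrs}:
        return "schema-not-extended"  # the error case discussed in the thread
    value = next((v for k, v in entry.items() if k.lower() == wanted), None)
    if value is None:
        return "not-managed"  # schema extended, but no LAPS client set a value
    return "expired" if filetime_to_datetime(value) <= now else "managed"


def audit(schema_attrs, entries, now):
    """Map each computer's sAMAccountName to its LAPS status."""
    return {e["sAMAccountName"]: laps_status(schema_attrs, e, now) for e in entries}


# Constructed sample data, not taken from a real directory.
SCHEMA = ["cn", "sAMAccountName", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]
ENTRIES = [
    {"sAMAccountName": "WS01$", "ms-Mcs-AdmPwdExpirationTime": "133485408000000000"},
    {"sAMAccountName": "WS02$", "ms-mcs-admpwdexpirationtime": "133801632000000000"},
    {"sAMAccountName": "WS03$"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, status in audit(SCHEMA, ENTRIES, NOW).items():
        print(name, status)
```

Computers reported as not-managed or expired are the ones to follow up on, since their local administrator password is not being rotated by LAPS.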