Get-LapsPassword.ps1

<#
.SYNOPSIS
Get the local administrator password for a specified computer stored in Active Directory by LAPS.
 
.DESCRIPTION
Get the local administrator password for a specified computer stored in Active Directory by
the Local Administrator Password Solution.
 
The LAPS tool periodically changes the local administrator password on a computer and stores the
new password in an Active Directory attribute of the computer account.
 
.PARAMETER ComputerName
Enter the name of one or more computers.
 
.PARAMETER AsSecureString
Optionally retrieve and convert the password to a secure string to be used with a
credential object.
 
.PARAMETER IncludeLocalAdministratorAccountName
Optionally include the logon name of the local administrator account.
 
.PARAMETER Credential
Optionally provide an alternate credential for accessing the privileged data from Active
Directory.
 
.EXAMPLE
Get-LapsPassword
 
ComputerName LapsPassword
------------ ------------
COMPUTER01 35J3J2J3#2j
 
.EXAMPLE
Get-LapsPassword -ComputerName COMPUTER01,COMPUTER02,COMPUTER03
 
ComputerName LapsPassword
------------ ------------
COMPUTER01 35J3J2J3#2j
COMPUTER02 DJEJ#F*&fX
COMPUTER03 ACCESS DENIED
 
.EXAMPLE
Get-LapsPassword -ComputerName COMPUTER01 -AsSecureString
 
ComputerName LapsPassword
------------ ------------
COMPUTER01 System.Security.SecureString
 
.NOTES
Created by: Jason Wasser @wasserja
Modified: 7/14/2017 04:05:51 PM
 
.LINK
https://technet.microsoft.com/en-us/mt227395.aspx
#>

#requires -modules ActiveDirectory
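function Get-LapsPassword {
    # Comment-based help for this function is in the block directly above it.
    [CmdletBinding()]
    param (
        [parameter(ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [switch]$AsSecureString,
        [switch]$IncludeLocalAdministratorAccountName,
        [System.Management.Automation.PSCredential]$Credential = [System.Management.Automation.PSCredential]::Empty
    )

    begin {
        # Remember what the caller asked for (-ErrorAction or the ambient preference)
        # before we override it: per-computer failures are reported with that setting,
        # so a plain call keeps going after a bad computer while -ErrorAction Stop still stops.
        $CallerErrorActionPreference = $ErrorActionPreference

        # Promote non-terminating errors from the AD/WMI cmdlets so they land in the catch blocks below.
        $ErrorActionPreference = 'Stop'

        # Legacy LAPS stores the clear-text password in this confidential attribute of the
        # computer object; only principals granted read access to it get a value back.
        $LapsPasswordAttributeName = 'ms-Mcs-AdmPwd'

        # Build a splat so -Credential is only forwarded when the caller supplied one.
        # [PSCredential]::Empty has a null UserName; forwarding it to Get-WmiObject is pointless
        # and this keeps the WMI and AD calls consistent with each other.
        $CredentialParameter = @{}
        if ($null -ne $Credential.UserName) {
            $CredentialParameter['Credential'] = $Credential
        }
    }

    process {
        foreach ($Computer in $ComputerName) {
            try {

                # Optionally resolve the local administrator account name (RID 500, which is
                # the built-in Administrator regardless of any rename) on the target computer.
                if ($IncludeLocalAdministratorAccountName) {
                    Write-Verbose -Message "Getting local administrator account information from $Computer"
                    try {
                        # NOTE: Get-WmiObject exists in Windows PowerShell only; PowerShell 7 would need Get-CimInstance/CimSession.
                        $LocalAdministratorAccount = Get-WmiObject -ComputerName $Computer -Class Win32_UserAccount -Filter "LocalAccount='True' And Sid like '%-500'" @CredentialParameter
                        $LocalAdministratorAccountName = $LocalAdministratorAccount.Name
                    }
                    catch [System.UnauthorizedAccessException] {
                        Write-Warning -Message $_.Exception.Message
                        $LocalAdministratorAccountName = '-ACCESS DENIED-'
                    }
                    catch {
                        Write-Warning -Message $_.Exception.Message
                        $LocalAdministratorAccountName = '-UNKNOWN-'
                    }
                }

                # Read the LAPS attribute from the computer object.
                Write-Verbose -Message "Getting LAPS password information for $Computer"
                $ADComputer = Get-ADComputer -Identity $Computer -Properties $LapsPasswordAttributeName @CredentialParameter

                $StoredPassword = $ADComputer.$LapsPasswordAttributeName
                if ($StoredPassword) {
                    if ($AsSecureString) {
                        $LapsPassword = ConvertTo-SecureString -String $StoredPassword -AsPlainText -Force
                    }
                    else {
                        # Clear-text value: it is emitted as-is and will appear in the console,
                        # transcripts and anything that captures this function's output.
                        $LapsPassword = $StoredPassword
                    }
                }
                else {
                    # AD simply omits a confidential attribute the reader is not permitted to see,
                    # so an empty value normally means "no permission". It is also what an
                    # unmanaged (non-LAPS) computer returns; the two cases are not distinguishable here.
                    $LapsPassword = '-ACCESS DENIED-'
                }

                # One output object per computer; Username is only present when requested.
                $LapsPasswordProperties = [ordered]@{
                    ComputerName = $Computer
                    LapsPassword = $LapsPassword
                }
                if ($IncludeLocalAdministratorAccountName) {
                    $LapsPasswordProperties.Add('Username', $LocalAdministratorAccountName)
                }
                [PSCustomObject]$LapsPasswordProperties

            }
            catch {
                # Report with the caller's preference rather than the function-scope 'Stop',
                # otherwise Write-Error itself becomes terminating and the remaining computers are skipped.
                Write-Error -Message $_.Exception.Message -ErrorAction $CallerErrorActionPreference
            }
        }
    }

    end {
    }
}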