Reset-LapsAdministratorPassword.ps1

<#
.SYNOPSIS
Reset the local administrator password using LAPS.
 
.DESCRIPTION
This function sets the LAPS password expiration for a target computer to a date and time in the past (now minus one day),
then triggers a group policy refresh so that the LAPS group policy client-side extension changes
the password.
 
The LAPS password expiration attribute, ms-Mcs-AdmPwdExpirationTime, is based on local time zone. Due to the
possible difference between the timezone of the target computer and the executing computer, the function
sets the password expiration to one day before right now.
 
The function must be called from an account that has the privilege to change the ms-Mcs-AdmPwdExpirationTime
attribute in Active Directory.
 
The function attempts to make the change on a domain controller in the site where the computer resides.
 
.PARAMETER ComputerName
One or more computer names.
 
.EXAMPLE
Reset-LapsAdministratorPassword -ComputerName DRONEPC01
 
.NOTES
Created by: Jason Wasser @wasserja
Modified: 7/13/2017 10:08:11 AM
 
#>

#requires -modules ActiveDirectory
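function Reset-LapsAdministratorPassword {
    [CmdletBinding()]
    param (
        # One or more computers whose LAPS-managed local administrator password should be rotated.
        [parameter(
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Used for both the remoting session and the AD read/write; Empty means the caller's own identity.
        [System.Management.Automation.PSCredential]$Credential = [System.Management.Automation.PSCredential]::Empty
    )
    
    begin {

        # Runs ON THE TARGET (via Invoke-Command below): returns the AD site name Netlogon last resolved for the
        # machine. Returns $null when the value is absent, which the caller treats as an error.
        function Get-ADSitebyComputerName {
            param (
                $SiteNameRegistryKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\',
                $SiteNameRegistryValue = 'DynamicSiteName'
            )
            $ADSiteName = (Get-Item -Path $SiteNameRegistryKey).GetValue($SiteNameRegistryValue)
            $ADSiteName
        }
    }
    
    process {
        # Function-scoped: makes every cmdlet below terminate into the catch without leaking to the caller.
        $ErrorActionPreference = 'Stop'
        $LapsPasswordExpirationAttribute = 'ms-Mcs-AdmPwdExpirationTime'
        foreach ($Computer in $ComputerName) {
            # Reset per iteration so catch/finally never touch a session left over from a previous computer
            # (the original re-used $Session across iterations and could Remove-PSSession an already-removed one).
            $Session = $null
            try {
                Write-Verbose -Message "Establishing remote session on $Computer"
                $Session = New-PSSession -ComputerName $Computer -Credential $Credential
                Write-Verbose -Message "Successfully established session with $($Session.ComputerName)"

                Write-Verbose -Message "Getting Active Directory site of $Computer"
                $ADSiteName = Invoke-Command -Session $Session -ScriptBlock ${function:Get-ADSitebyComputerName}
                if ([string]::IsNullOrWhiteSpace($ADSiteName)) {
                    throw "Unable to determine the Active Directory site of $Computer (DynamicSiteName is empty)."
                }
                Write-Verbose -Message "$Computer is in Active Directory Site $ADSiteName"

                Write-Verbose -Message "Locating domain controller in AD site $ADSiteName"
                $ADDomainController = Get-ADDomainController -Discover -SiteName $ADSiteName
                $ADServer = [string]$ADDomainController.HostName
                Write-Verbose -Message "Located domain controller $ADServer"

                # The LAPS expiration attribute is documented as a FILETIME (100-ns intervals since 1601-01-01 UTC).
                # DateTime.Ticks counts from 0001-01-01 and therefore reads as a date centuries in the FUTURE when
                # interpreted as FILETIME, so the client-side extension would never consider the password expired.
                # ToFileTime() yields a value that is in the past under either interpretation.
                $ExpirationTime = (Get-Date).AddDays(-1).ToFileTime()

                Write-Verbose -Message "Setting LAPS password expiration attribute $LapsPasswordExpirationAttribute on AD Server $ADServer for $Computer."
                # Target the DC that was just located: without -Server the write can land on any DC, which defeats
                # the documented intent of changing the attribute in the computer's own site before the refresh.
                Set-ADComputer -Identity $Computer -Server $ADServer -Credential $Credential -Replace @{$LapsPasswordExpirationAttribute = $ExpirationTime}
                # Read back from the same DC so the verbose confirmation is not subject to replication lag.
                $CurrentValue = (Get-ADComputer -Identity $Computer -Server $ADServer -Credential $Credential -Properties $LapsPasswordExpirationAttribute).$LapsPasswordExpirationAttribute
                Write-Verbose -Message "The LAPS password expiration attribute for $Computer has been set to $CurrentValue"

                Write-Verbose -Message "Invoking group policy update on $Computer to force LAPS to change the password."
                Invoke-Command -Session $Session -ScriptBlock { gpupdate.exe /target:computer }
                Write-Verbose -Message "Group policy refresh has been initiated on $Computer"
            }
            catch {
                # Non-terminating at this level so the remaining computers in the pipeline are still processed.
                Write-Error -Message $_.Exception -TargetObject $Computer
            }
            finally {
                # Runs on both the success and the failure path; $Session is $null if New-PSSession never succeeded.
                if ($Session) {
                    Write-Verbose -Message "Removing remote session on $Computer"
                    Remove-PSSession -Session $Session
                }
            }
        }
    }
    
    end {
    }
}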