Get-LapsPassword.ps1

<#
.SYNOPSIS
Get the local administrator password for a specified computer stored in Active Directory by LAPS.
 
.DESCRIPTION
Get the local administrator password for a specified computer stored in Active Directory by
the Local Administrator Password Solution.
 
The LAPS tool periodically changes the local administrator account on a computer and stores the
password in an Active Directory attribute in the computer account.
 
.PARAMETER ComputerName
Enter a name of a computer
 
.PARAMETER AsSecureString
Optionally retrieve and convert the password to a secure string to be used with a
credential object.
 
.PARAMETER IncludeLocalAdministratorAccount
Optionally include the logon name of the local administrator account.
 
.PARAMETER Credential
Optionally provide an alternate credential for accessing the privileged data from Active
Directory.
 
.EXAMPLE
Get-LapsPassword
 
ComputerName LapsPassword
------------ ------------
COMPUTER01 35J3J2J3#2j
 
.EXAMPLE
Get-LapsPassword -ComputerName COMPUTER01,COMPUTER02,COMPUTER03
 
ComputerName LapsPassword
------------ ------------
COMPUTER01 35J3J2J3#2j
COMPUTER02 DJEJ#F*&fX
COMPUTER03 ACCESS DENIED
 
.EXAMPLE
Get-LapsPassword -ComputerName COMPUTER01
 
ComputerName LapsPassword
------------ ------------
COMPUTER01 System.Security.SecureString
 
.NOTES
Created by: Jason Wasser @wasserja
Modified: 7/14/2017 04:05:51 PM
 
.LINK
https://technet.microsoft.com/en-us/mt227395.aspx
#>

#requires -modules ActiveDirectory
function Get-LapsPassword {
    [CmdletBinding()]
    param (
        [parameter(ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [switch]$AsSecureString,
        [switch]$IncludeLocalAdministratorAccountName,
        [System.Management.Automation.PSCredential]$Credential = [System.Management.Automation.PSCredential]::Empty
    )
    
    begin {
    }
    
    process {
        $ErrorActionPreference = 'Stop'
        $LapsPasswordAttributeName = 'ms-Mcs-AdmPwd'

        foreach ($Computer in $ComputerName) {
            try {

                # Gather local administrator account information if specified
                if ($IncludeLocalAdministratorAccountName) {
                    Write-Verbose -Message "Getting local administrator account information from $Computer"
                    try {
                        $LocalAdministratorAccount = $LocalAdministratorAccount = Get-WmiObject -ComputerName $Computer -Class Win32_UserAccount -Filter "LocalAccount='True' And Sid like '%-500'" -Credential $Credential
                        $LocalAdministratorAccountName = $LocalAdministratorAccount.Name
                    }
                    catch [System.UnauthorizedAccessException] {
                        Write-Warning -Message $_.Exception.Message
                        $LocalAdministratorAccountName = '-ACCESS DENIED-'
                    }
                    catch {
                        Write-Warning -Message $_.Exception.Message
                        $LocalAdministratorAccountName = '-UNKNOWN-'
                    }
                }


                # Gather LAPS password
                Write-Verbose -Message "Getting LAPS password information for $Computer"
                if ($Credential.UserName -ne $null) {
                    $ADComputer = Get-ADComputer -Identity $Computer -Properties $LapsPasswordAttributeName -Credential $Credential
                }
                else {
                    $ADComputer = Get-ADComputer -Identity $Computer -Properties $LapsPasswordAttributeName
                }
                
                if ($ADComputer.$LapsPasswordAttributeName) {
                    if ($AsSecureString) {
                        $LapsPassword = ConvertTo-SecureString -String $ADComputer.$LapsPasswordAttributeName -AsPlainText -Force
                    }
                    else {
                        $LapsPassword = $ADComputer.$LapsPasswordAttributeName
                    }
                }
                else {
                    $LapsPassword = '-ACCESS DENIED-'
                }
            
                
                $LapsPasswordProperties = [ordered]@{
                    ComputerName = $Computer
                    LapsPassword = $LapsPassword
                }
                if ($IncludeLocalAdministratorAccountName) {
                    $LapsPasswordProperties.Add('Username', $LocalAdministratorAccountName)
                }
                $LapsPassword = New-Object -TypeName PSCustomObject -Property $LapsPasswordProperties
                $LapsPassword

            }
            catch {
                Write-Error -Message $_.Exception.Message
            }
        }
    }
    
    end {
    }
}