Test-LapsCompliance.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
<#
.SYNOPSIS
Test a computer for LAPS compliance.
 
.DESCRIPTION
The Local Administrator Password Solution is a tool you can install on
your computers to periodically change the local administrator password.
This function will validate if the LAPS client-side extension is installed,
if the registry has LAPS policy keys configured, and if the local administrator
password has been reset within the configured range.
 
.PARAMETER ComputerName
Enter a computer name
 
.PARAMETER Credential
Enter a valid credential for accessing the remote computer.
 
.EXAMPLE
Get-LapsCompliance -ComputerName WORKSHOP01 -Credential (Get-Credential)
 
.NOTES
Created by: Jason Wasser @wasserja
Modified: 7/12/2017 04:11:42 PM
.LINK
https://technet.microsoft.com/en-us/mt227395.aspx
#>

function Test-LapsCompliance {
    [CmdletBinding()]
    param (
        [parameter(
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)]    
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [System.Management.Automation.PSCredential]$Credential = [System.Management.Automation.PSCredential]::Empty
    )
    
    begin {
        function Test-LapsInstallation {
            param (
                $LapsInstallationPath = 'C:\Program Files\LAPS\CSE\AdmPwd.dll'
            )
            Test-Path ($LapsInstallationPath)
        }

        function Test-LapsPolicyConfiguration {
            param (
                $RegistryPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd\'
            )
            if (Test-Path -Path $RegistryPolicyPath) {
                $LapsRegistryPolicyConfiguration = Get-Item -Path $RegistryPolicyPath
                
                $LapsPolicyConfigurationProperties = @{}
                foreach ($Property in $LapsRegistryPolicyConfiguration.Property) {
                    $LapsPolicyConfigurationProperties.Add($Property, $LapsRegistryPolicyConfiguration.GetValue($Property))
                }
                $LapsPolicyConfigurationProperties.Add('IsLapsConfigured', $true)
                $LapsPolicyConfiguration = New-Object -TypeName PSCustomObject -Property $LapsPolicyConfigurationProperties
                $LapsPolicyConfiguration
            }
            else {
                $LapsPolicyConfiguration = $false
                $LapsPolicyConfiguration
            }
    
        }

        function Test-LapsAdministratorPassword {
            param (    
                [int]$PasswordAgeDays,
                [datetime]$PasswordLastSet
            )

            $LocalAdministratorPasswordAgeinDays = (New-TimeSpan -Start $PasswordLastSet -End (Get-Date)).Days
            if ($LocalAdministratorPasswordAgeinDays -le $PasswordAgeDays) {
                $LapsAdministratorPasswordValidity = $true
            }
            else {
                $LapsAdministratorPasswordValidity = $false
            }
            $LapsAdministratorPasswordValidity

        }

    }
    
    process {
        $ErrorActionPreference = 'Stop'
        foreach ($Computer in $ComputerName) {

            try {

                # Setup remote PowerShell session
                $Session = New-PSSession -ComputerName $Computer -Credential $Credential

                # Is LAPS installed
                Write-Verbose -Message "Checking to see if LAPS is installed on $Computer"
                $IsLapsInstalled = Invoke-Command -Session $Session -ScriptBlock ${function:Test-LapsInstallation}
            
                if ($IsLapsInstalled) {
                    Write-Verbose -Message "LAPS is installed on $Computer"
                
                    # Are LAPS-related registry-related policy items configured
                    Write-Verbose -Message "Checking to see if LAPS is configured on $Computer"
                    $LapsConfiguration = Invoke-Command -Session $Session -ScriptBlock ${function:Test-LapsPolicyConfiguration}
                    $IsLapsConfigured = $LapsConfiguration.IsLapsConfigured
                    if ($IsLapsConfigured) {
                        Write-Verbose -Message "LAPS registry policy keys were found on $Computer"

                        # Has the local administrator password been reset within the configured time
                        $LocalAdministratorPasswordLastSet = Get-LocalAdministratorPasswordLastSet -ComputerName $Computer -Credential $Credential
                        $IsLapsLocalAdministratorPasswordValid = Invoke-Command -Session $Session -ScriptBlock ${function:Test-LapsAdministratorPassword} -ArgumentList $LapsConfiguration.PasswordAgeDays, $LocalAdministratorPasswordLastSet.PasswordLastSet

                        if ($IsLapsLocalAdministratorPasswordValid) {
                            Write-Verbose -Message "The local administrator password on $Computer was last set on $($LocalAdministratorPasswordLastSet.PasswordLastSet) which is within $($IsLapsConfigured.PasswordAgeDays) days."
                            $IsLapsCompliant = $true
                        
                        }
                        else {
                            Write-Warning -Message "The local administrator password on $Computer was last set on $($LocalAdministratorPasswordLastSet.PasswordLastSet) which is NOT within $($IsLapsConfigured.PasswordAgeDays) days."
                            $IsLapsLocalAdministratorPasswordValid = $false
                            $IsLapsCompliant = $false
                        }
                    }
                    else {
                        Write-Warning -Message "LAPS registry policy keys were NOT found on $Computer"
                        $IsLapsConfigured = $false
                        $IsLapsLocalAdministratorPasswordValid = $false
                        $IsLapsCompliant = $false
                    }
                }
                else {
                    Write-Warning -Message "LAPS is not installed on $Computer."
                    $IsLapsInstalled = $false
                    $IsLapsConfigured = $false
                    $IsLapsLocalAdministratorPasswordValid = $false
                    $IsLapsCompliant = $false
                }

                $LapsComplianceProperties = [ordered]@{
                    ComputerName                          = $Session.ComputerName
                    IsLapsInstalled                       = $IsLapsInstalled
                    IsLapsConfigured                      = $IsLapsConfigured
                    IsLapsLocalAdministratorPasswordValid = $IsLapsLocalAdministratorPasswordValid
                    IsLapsCompliant                       = $IsLapsCompliant
                }

                $LapsCompliance = New-Object -TypeName PSCustomObject -Property $LapsComplianceProperties
                $LapsCompliance

                # Tear down remove PowerShell session
                Remove-PSSession $Session
            }
            catch [System.Management.Automation.Remoting.PSRemotingTransportException] {
                Write-Error -Message $Error[0].Exception
            }
            catch {
                Write-Error -Message $Error[0].Exception
                if ($Session.Name) {
                    Remove-PSSession -Session $Session
                }
            }
        }
    }

    end {
    }
}