Kaido Jarvemets - Logo

Windows LAPS PowerShell Commands

Introduction

Microsoft’s commitment to simplifying IT processes is evident with the evolution of Microsoft LAPS to the current Windows LAPS. A significant enhancement is the integration of the Windows LAPS PowerShell Module cmdlets directly into Windows, eliminating the need for separate downloads. These cmdlets are designed to streamline tasks, allowing users to effortlessly retrieve passwords from Entra ID (formerly Azure Active Directory) or the traditional Active Directory. This integration not only enhances efficiency but also ensures a more secure and seamless management experience.

New Windows LAPS PowerShell cmdlets:

  • Get-LapsAADPassword – use to query Azure Active Directory for Windows LAPS passwords.
  • Get-LapsDiagnostics – use to collect diagnostic information for investigating issues.
  • Find-LapsADExtendedRights – use to discover which identities have been granted permissions for an Organization Unit (OU) in Windows Server Active Directory.
  • Get-LapsADPassword – use to query Windows Server Active Directory for Windows LAPS passwords.
  • Invoke-LapsPolicyProcessing – use to initiate a policy processing cycle.
  • Reset-LapsPassword – use to initiate an immediate password rotation.
  • Set-LapsADAuditing – use to configure Windows LAPS-related auditing on OUs in Windows Server Active Directory.
  • Set-LapsADComputerSelfPermission – use to configure an OU in Windows Server Active Directory to allow computer objects to update their Windows LAPS passwords.
  • Set-LapsADPasswordExpirationTime – use to update a computer’s Windows LAPS password expiration time in Windows Server Active Directory.
  • Set-LapsADReadPasswordPermission – use to grant permission to read the Windows LAPS password information in Windows Server Active Directory.
  • Set-LapsADResetPasswordPermission – use to grant permission to update the Windows LAPS password expiration time in Windows Server Active Directory.
  • Update-LapsADSchema – use to extend the Windows Server Active Directory schema with the Windows LAPS schema attributes.

Examples

Listing Windows LAPS PowerShell Commands

Get-LapsAADPassword

This command is used to query Azure Active Directory for Windows LAPS passwords.

				
					#Connect Microsoft Graph
Connect-MgGraph -Scopes ("DeviceLocalCredential.Read.All","Device.Read.All","DeviceManagementManagedDevices.Read.All")

#Get specific device and extract the Device ID
Get-MgDevice -Filter "DisplayName eq 'MYDEVICENAME'"

#Get the Password from Azure AD
Get-LapsAADPassword -DeviceIds XXXXXXXXXXXXXXXXXXXXXX -IncludePasswords -AsPlainText

				
			

Tracking Windows LAPS Activity with Sentinel through Event ID 4662

Enable auditing and analyze Event ID 4662 using Microsoft Sentinel.
Call to Action

Get-LapsDiagnostics

This command collects Windows Local Administrator Password Solution (LAPS) logs and tracing from the local machine. Learn more

				
					Get-LapsDiagnostics -OutputFolder c:\LAPSDiagnostics

Get-LapsDiagnostics -OutputFolder c:\LAPSDiagnostics -CollectNetworkTrace

Get-LapsDiagnostics -OutputFolder c:\LAPSDiagnostics -CollectNetworkTrace -ResetPassword

				
			

Find-LapsADExtendedRights

This command queries Active Directory (AD) to find principals that have been granted permission to read Windows Local Administrator Password Solution (LAPS) password attributes.

				
					Find-LapsADExtendedRights -Identity "OU=Devices,DC=Contoso,DC=com"

				
			

Get-LapsADPassword

This command queries Windows Local Administrator Password Solution (LAPS) credentials from Active Directory (AD) on a specified AD computer or domain controller object. Learn more

				
					Get-LapsADPassword -Identity PC01 -AsPlainText
Get-LapsADPassword -Identity PC01 -AsPlainText -IncludeHistory

				
			

Invoke-LapsPolicyProcessing

This command causes Windows Local Administrator Password Solution (LAPS) to process the currently configured policy. Learn more

Reset-LapsPassword

This command causes Windows Local Administrator Password Solution (LAPS) to immediately rotate the password for the currently managed local account. Learn more

Set-LapsADAuditing

This command configures an Active Directory (AD) Organizational Unit (OU) to enable auditing on the Windows Local Administrator Password Solution (LAPS) password schema attributes. Learn more

				
					Set-LapsADAuditing -Identity "OU=Devices,DC=Contoso,DC=com" -AuditedPrincipals "Contoso\LAPSREADERS" -AuditType Success

				
			

Set-LapsADComputerSelfPermission

This command configures permissions on an Active Directory (AD) Organizational Unit (OU) to enable computers in that OU to update their Windows Local Administrator Password Solution (LAPS) passwords. Learn more

Set-LapsADPasswordExpirationTime

This command sets the Windows Local Administrator Password Solution (LAPS) password expiration timestamp on an Active Directory (AD) computer or domain controller object. Learn more

				
					Set-LapsADPasswordExpirationTime -Identity PC01

				
			

Set-LapsADReadPasswordPermission

This command configures security on an Active Directory (AD) Organizational Unit (OU) to grant specific users or groups permission to query Windows Local Administrator Password Solution (LAPS) passwords. Learn more

Set-LapsADResetPasswordPermission

This command configures security on an Active Directory (AD) Organizational Unit (OU) to grant specific users or groups permission to set the Windows Local Administrator Password Solution (LAPS) password expiration time. Learn more

Leave a Reply

Contact me

If you’re interested in learning about Windows LAPS PowerShell Commands. I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.

Table of Contents