Introduction
Microsoft’s commitment to simplifying IT processes is evident with the evolution of Microsoft LAPS to the current Windows LAPS. A significant enhancement is the integration of the Windows LAPS PowerShell Module cmdlets directly into Windows, eliminating the need for separate downloads. These cmdlets are designed to streamline tasks, allowing users to effortlessly retrieve passwords from Entra ID (formerly Azure Active Directory) or the traditional Active Directory. This integration not only enhances efficiency but also ensures a more secure and seamless management experience.
New Windows LAPS PowerShell cmdlets:
- Get-LapsAADPassword – use to query Azure Active Directory for Windows LAPS passwords.
- Get-LapsDiagnostics – use to collect diagnostic information for investigating issues.
- Find-LapsADExtendedRights – use to discover which identities have been granted permissions for an Organization Unit (OU) in Windows Server Active Directory.
- Get-LapsADPassword – use to query Windows Server Active Directory for Windows LAPS passwords.
- Invoke-LapsPolicyProcessing – use to initiate a policy processing cycle.
- Reset-LapsPassword – use to initiate an immediate password rotation.
- Set-LapsADAuditing – use to configure Windows LAPS-related auditing on OUs in Windows Server Active Directory.
- Set-LapsADComputerSelfPermission – use to configure an OU in Windows Server Active Directory to allow computer objects to update their Windows LAPS passwords.
- Set-LapsADPasswordExpirationTime – use to update a computer’s Windows LAPS password expiration time in Windows Server Active Directory.
- Set-LapsADReadPasswordPermission – use to grant permission to read the Windows LAPS password information in Windows Server Active Directory.
- Set-LapsADResetPasswordPermission – use to grant permission to update the Windows LAPS password expiration time in Windows Server Active Directory.
- Update-LapsADSchema – use to extend the Windows Server Active Directory schema with the Windows LAPS schema attributes.
Examples
Listing Windows LAPS PowerShell Commands
Get-LapsAADPassword
This command is used to query Azure Active Directory for Windows LAPS passwords.
#Connect to Microsoft Graph with the scopes needed to read device objects and device local credentials
Connect-MgGraph -Scopes "DeviceLocalCredential.Read.All","Device.Read.All","DeviceManagementManagedDevices.Read.All"
#Get the specific device and keep its Device ID (the DeviceId property, not the object Id)
$device = Get-MgDevice -Filter "DisplayName eq 'MYDEVICENAME'"
#Get the password from Azure AD (Entra ID); without -AsPlainText the Password property is returned as a SecureString
Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText
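The same lookup wrapped so that an ambiguous or missing device name fails loudly instead of returning someone else's password, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is loaded, Connect-MgGraph has already been run with the scopes above, and the function and parameter names are my own.

```powershell
# Added example: resolve an Entra ID device by display name, refuse to guess when the name
# is ambiguous, and return the Windows LAPS credential as a SecureString by default.
function Get-EntraLapsCredential {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [switch] $IncludeHistory,
        [switch] $AsPlainText
    )
    # Escape single quotes so a device name cannot break (or alter) the OData filter.
    $safeName = $DeviceName.Replace("'", "''")
    $devices  = @(Get-MgDevice -Filter "displayName eq '$safeName'")

    if ($devices.Count -eq 0) {
        throw "No Entra ID device named '$DeviceName' was found."
    }
    if ($devices.Count -gt 1) {
        $ids = ($devices | ForEach-Object { $_.DeviceId }) -join ', '
        throw "Display name '$DeviceName' matches $($devices.Count) devices ($ids); query by DeviceId instead."
    }

    # Get-LapsAADPassword takes the DeviceId property; -AsPlainText is only passed through on request.
    $creds = @(Get-LapsAADPassword -DeviceIds $devices[0].DeviceId -IncludePasswords `
                  -IncludeHistory:$IncludeHistory -AsPlainText:$AsPlainText)

    foreach ($c in $creds) {
        # An expiration time in the past means the device has not yet rotated; the stored
        # value may already be stale, so flag it rather than hand it over silently.
        if ($c.PasswordExpirationTime -and $c.PasswordExpirationTime -lt (Get-Date)) {
            Write-Warning "Password for $($c.DeviceName) expired at $($c.PasswordExpirationTime); rotation is pending."
        }
    }
    return $creds
}

# Usage (device name is a placeholder):
# Get-EntraLapsCredential -DeviceName 'MYDEVICENAME'
```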
Get-LapsDiagnostics
This command collects Windows Local Administrator Password Solution (LAPS) logs and tracing from the local machine.
Get-LapsDiagnostics -OutputFolder c:\LAPSDiagnostics
Get-LapsDiagnostics -OutputFolder c:\LAPSDiagnostics -CollectNetworkTrace
Get-LapsDiagnostics -OutputFolder c:\LAPSDiagnostics -CollectNetworkTrace -ResetPassword
Find-LapsADExtendedRights
This command queries Active Directory (AD) to find principals that have been granted permission to read Windows Local Administrator Password Solution (LAPS) password attributes.
Find-LapsADExtendedRights -Identity "OU=Devices,DC=Contoso,DC=com"
Get-LapsADPassword
This command queries Windows Local Administrator Password Solution (LAPS) credentials from Active Directory (AD) on a specified AD computer or domain controller object.
Get-LapsADPassword -Identity PC01 -AsPlainText
Get-LapsADPassword -Identity PC01 -AsPlainText -IncludeHistory
Invoke-LapsPolicyProcessing
This command causes Windows Local Administrator Password Solution (LAPS) to process the currently configured policy.
Reset-LapsPassword
This command causes Windows Local Administrator Password Solution (LAPS) to immediately rotate the password for the currently managed local account.
Set-LapsADAuditing
This command configures an Active Directory (AD) Organizational Unit (OU) to enable auditing on the Windows Local Administrator Password Solution (LAPS) password schema attributes.
Set-LapsADAuditing -Identity "OU=Devices,DC=Contoso,DC=com" -AuditedPrincipals "Contoso\LAPSREADERS" -AuditType Success
Set-LapsADComputerSelfPermission
This command configures permissions on an Active Directory (AD) Organizational Unit (OU) to enable computers in that OU to update their Windows Local Administrator Password Solution (LAPS) passwords.
Set-LapsADPasswordExpirationTime
This command sets the Windows Local Administrator Password Solution (LAPS) password expiration timestamp on an Active Directory (AD) computer or domain controller object.
Set-LapsADPasswordExpirationTime -Identity PC01
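Get-LapsADPassword and Set-LapsADPasswordExpirationTime are usually used together: read the password, then expire it so the machine rotates it after the admin session. The helper below is an added example, not code from the original post; the function name, the -MaxAgeDays parameter and the computer name PC01 are placeholders, and it assumes the caller holds both the read and the reset-expiration rights on the computer object.

```powershell
# Added example: "check out" a LAPS password from AD and expire it immediately so the
# next policy processing cycle replaces it. Warns when the stored password looks stale.
function Use-LapsADPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $MaxAgeDays = 30,       # assumption: matches the policy's password age setting
        [switch] $AsPlainText
    )
    # -IncludeHistory returns the current entry plus earlier ones; sort so the newest is first
    # rather than relying on output order.
    $entries = @(Get-LapsADPassword -Identity $ComputerName -IncludeHistory -AsPlainText:$AsPlainText |
                 Sort-Object -Property PasswordUpdateTime -Descending)
    if ($entries.Count -eq 0) {
        throw "No Windows LAPS password is stored in AD for $ComputerName."
    }

    $current = $entries[0]
    # With encrypted passwords the Password property is empty when decryption was not
    # authorized; surface the DecryptionStatus instead of returning a blank credential.
    if (-not $current.Password) {
        throw "Could not read the password for $ComputerName (DecryptionStatus: $($current.DecryptionStatus), authorized decryptor: $($current.AuthorizedDecryptor))."
    }
    if ($current.PasswordUpdateTime -lt (Get-Date).AddDays(-$MaxAgeDays)) {
        Write-Warning "$ComputerName last rotated its password on $($current.PasswordUpdateTime); the client may not be applying policy."
    }

    # No -WhenEffective means "now": LAPS on the client will rotate the password on its
    # next policy cycle, so the value we hand out has a short life.
    Set-LapsADPasswordExpirationTime -Identity $ComputerName
    return $current
}

# Usage (computer name is a placeholder):
# Use-LapsADPassword -ComputerName PC01 -AsPlainText
```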
Set-LapsADReadPasswordPermission
This command configures security on an Active Directory (AD) Organizational Unit (OU) to grant specific users or groups permission to query Windows Local Administrator Password Solution (LAPS) passwords.
Set-LapsADResetPasswordPermission
This command configures security on an Active Directory (AD) Organizational Unit (OU) to grant specific users or groups permission to set the Windows Local Administrator Password Solution (LAPS) password expiration time.
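The Set-LapsAD* cmdlets above are the pieces of one delegation task, and Find-LapsADExtendedRights is how you verify the result. The script below is an added example, not code from the original post: it sets up one OU with separate read and reset groups, turns on auditing of reads, and then checks the OU for unexpected right holders. The OU "OU=Devices,DC=Contoso,DC=com" and the group names are placeholders, and the expected-holder baseline is constructed for the example.

```powershell
# Added example: least-privilege LAPS delegation on one OU, followed by verification.
$ou        = "OU=Devices,DC=Contoso,DC=com"   # placeholder OU
$readers   = "Contoso\LAPS-Readers"            # placeholder group: may read passwords
$resetters = "Contoso\LAPS-Resetters"          # placeholder group: may only force rotation

# 1. Computers in the OU must be able to write their own LAPS attributes (once per OU).
Set-LapsADComputerSelfPermission -Identity $ou

# 2. Reading a password and expiring it are separate extended rights; grant each to its own
#    group so helpdesk staff who only need to trigger a rotation never see passwords.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $resetters

# 3. Audit successful reads by the reader group; each read then produces a Security log
#    Event ID 4662 naming the principal and the computer object.
Set-LapsADAuditing -Identity $ou -AuditedPrincipals $readers -AuditType Success

# 4. Verify who actually holds the read right on the OU. Anything outside the baseline
#    (e.g. a leftover delegation from legacy LAPS) is reported for review.
$expected = @($readers, "NT AUTHORITY\SYSTEM", "Contoso\Domain Admins")   # constructed baseline
$findings = foreach ($entry in (Find-LapsADExtendedRights -Identity $ou)) {
    foreach ($holder in $entry.ExtendedRightHolders) {
        if ($holder -notin $expected) {
            [pscustomobject]@{ ObjectDN = $entry.ObjectDN; UnexpectedHolder = $holder }
        }
    }
}
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) unexpected LAPS read right(s) found on $ou."
} else {
    Write-Host "LAPS read rights on $ou match the expected baseline."
}
```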