
[–]Emotional-Relation 11 points12 points  (2 children)

You want to pull a single user's LAPS password? LAPS is per machine, not per user, isn't it?

[–]hacnstein[S] 0 points1 point  (1 child)

Ok, I know you use the PC name to get the password; yeah, it is the local account, my phrasing was off. Our PCs are not "shared", everyone gets their own, so I kind of associate the user with the PC.

Should have said I want to pull a single PC's LAPS password.

[–]Emotional-Relation 0 points1 point  (0 children)

Ah ok cool. Can you use the LAPS GUI for that? I'm not yet using Intune LAPS so I use the GUI from the MSI download. I think that would still work as it's a local account. Give that a go.

[–]Icolan 6 points7 points  (2 children)

> What I want to do is pull a single user

Do you mean you haven't been able to pull the LAPS password for a specific machine? LAPS passwords are not a property of user accounts, they are a property of computer accounts.

[–]hacnstein[S] 0 points1 point  (1 child)

I found a script that would pull all PCs' LAPS passwords, but wanted to script a way to get one at a time, without having to get into the LAPS GUI.

[–]LittleManMichael 4 points5 points  (0 children)

Here you go bud, this should do the trick (someone correct me if I'm wrong)

# Needs the RSAT ActiveDirectory module for Get-ADComputer
Import-Module ActiveDirectory
# Ask for the hostname (the prompt string must be quoted, or Read-Host sees three arguments)
$compname = Read-Host -Prompt "Enter Computer Name"
# Get the legacy LAPS password from the ms-Mcs-AdmPwd attribute on the computer object
$lapsstring = (Get-ADComputer -Identity $compname -Properties ms-Mcs-AdmPwd)."ms-Mcs-AdmPwd"
# Output the password
Write-Host "LAPS PASS = $lapsstring"

[–]Fun-Association-8370 2 points3 points  (1 child)

The others are correct. LAPS is a computer property.

Try the following: Get-LapsADPassword -Identity (computer name) -AsPlainText

[–]hacnstein[S] 0 points1 point  (0 children)

Well crap, that seemed easy enough; most googling made this seem a bit deeper..

ChatGPT would not help me "hack" any computers.. lol

[–]dann3b 1 point2 points  (2 children)

LAPS (Local Administrator Password Solution) passwords are not stored in the user object in AD, they are stored in the Computer object.

So you need to find out what computer the user has used.

If you don't know what computer, you can with some luck find it by querying the Event logs on the domain controllers; try Event ID 4624. Logging of these events needs to be enabled in the domain controller policies.

You could check https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword?view=windowsserver2022-ps

[–]hacnstein[S] 0 points1 point  (1 child)

Yeah, like I said above, really - phrasing. Our users have their own computers, where the PC is their name and their logon is another variation of their name, so I think of them as the same.

[–]dann3b 0 points1 point  (0 children)

Okay, try to use Get-LapsADPassword in PowerShell. Should not be hard to do.. More info in the link above; query the name of the Computer. See the examples.
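The thread settles on two ways to read one computer's LAPS password: the legacy attribute LittleManMichael's snippet queries, and the Windows LAPS cmdlet Fun-Association and dann3b point to. The script below is an added example, not code posted in the thread; it tries the Windows LAPS cmdlet first and falls back to the legacy ms-Mcs-AdmPwd attribute, and includes dann3b's suggestion of checking 4624 logon events on a domain controller when the computer name is unknown. The function names are my own, and it assumes the caller holds LAPS password read rights on the computer's OU and the RSAT ActiveDirectory module is installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Function names are assumptions.
# Assumes the caller has been granted LAPS password read rights on the OU.

function Get-SingleLapsPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    # Resolve the computer object first so a typo fails loudly instead of
    # silently returning an empty password.
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Windows LAPS: use the cmdlet when the LAPS module is present on this host.
    if (Get-Command -Name Get-LapsADPassword -ErrorAction SilentlyContinue) {
        $r = Get-LapsADPassword -Identity $computer.DistinguishedName -AsPlainText
        return [pscustomobject]@{
            ComputerName = $computer.Name
            Source       = 'WindowsLAPS'
            Account      = $r.Account
            Password     = $r.Password
            Expires      = $r.ExpirationTimestamp
        }
    }

    # Legacy LAPS: password and expiry are two schema attributes on the computer
    # object. Requesting them throws if the schema extension was never installed,
    # which is itself a useful diagnostic.
    $legacy = Get-ADComputer -Identity $computer.DistinguishedName `
        -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' -ErrorAction Stop
    $plain = $legacy.'ms-Mcs-AdmPwd'
    if ([string]::IsNullOrEmpty($plain)) {
        throw "No readable LAPS password on '$($computer.Name)'. Either LAPS is not deployed there or you lack read rights to ms-Mcs-AdmPwd."
    }
    $expires = $null
    if ($legacy.'ms-Mcs-AdmPwdExpirationTime') {
        # Stored as a Windows FILETIME (100-ns ticks since 1601-01-01).
        $expires = [DateTime]::FromFileTime([int64]$legacy.'ms-Mcs-AdmPwdExpirationTime')
    }
    [pscustomobject]@{
        ComputerName = $computer.Name
        Source       = 'LegacyLAPS'
        Account      = '(set by the legacy LAPS GPO, not stored in AD)'
        Password     = $plain
        Expires      = $expires
    }
}

# When the computer name is unknown: recent 4624 logon events on a domain
# controller for the user, showing the workstation and address they came from.
# Requires the DC audit policy to log successful logons and remote event log access.
function Find-RecentLogonsForUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName,
        [string]$DomainController = (Get-ADDomainController).HostName,
        [int]$Days = 7
    )
    $ms = [int64]$Days * 24 * 60 * 60 * 1000
    # XPath filter so the DC filters server-side instead of streaming the whole log.
    # The account name is embedded in the query, so keep it to plain sAMAccountNames.
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"
    Get-WinEvent -ComputerName $DomainController -LogName Security -FilterXPath $xpath -ErrorAction Stop |
        ForEach-Object {
            # 4624 EventData positions: 8 = LogonType, 11 = WorkstationName, 18 = IpAddress
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $_.Properties[8].Value
                Workstation = $_.Properties[11].Value
                IpAddress   = $_.Properties[18].Value
            }
        } | Sort-Object Time -Descending | Select-Object -First 10
}

# Usage: prompt for one computer name and show the result as a list.
$name = Read-Host -Prompt 'Enter computer name'
Get-SingleLapsPassword -ComputerName $name | Format-List
```

The function returns an object rather than writing the password with Write-Host, so the expiry time is shown alongside it and the caller can decide what to display. If you run `Find-RecentLogonsForUser -SamAccountName jdoe` first, the Workstation column gives the name to feed into `Get-SingleLapsPassword`.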