{"id":1656,"date":"2022-01-24T09:07:56","date_gmt":"2022-01-24T07:07:56","guid":{"rendered":"https:\/\/helia.ee\/koolitus\/?page_id=1656"},"modified":"2022-01-24T09:07:56","modified_gmt":"2022-01-24T07:07:56","slug":"microsoft-windows-2019-how-to-export-laps-passwords-from-active-directory-with-powershell","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=1656","title":{"rendered":"Microsoft Windows 2019 – How To Export LAPS Passwords from Active Directory with Powershell"},"content":{"rendered":"

In this guide, I\u2019m going to show you how to export the LAPS passwords from Active Directory using a 3-line Powershell script.<\/strong><\/p>\n

This script automatically exports all LAPS passwords from Active Directory to a CSV file with the date appended to the file name. I then schedule this to run monthly using Task Scheduler.<\/p>\n

\n

<\/span>Why export LAPS passwords?<\/h2>\n

<\/span>I\u2019m assuming if you ended up on this post, you know that LAPS is Microsoft\u2019s way of automating password changes for local administrator accounts. I\u2019ve been using LAPS for years, and it just works. Here\u2019s a decent\u00a0LAPS install guide<\/a>\u00a0if you haven\u2019t set up LAPS yet.<\/p>\n

So, why export LAPS passwords to begin with?<\/em><\/strong><\/p>\n

There are several reasons why you should to export them. Over the years, there have been 3 scenarios in which I wish I would\u2019ve have an export of LAPS passwords:<\/p>\n

    \n
  1. When moving Administrator users to Standard users<\/a>.<\/strong>\u00a0The user takes the laptop offsite, and the LAPS password has expired. I wish I would\u2019ve had a way to look up what the previous password was when troubleshooting random issues or installing new software.<\/li>\n
  2. DNS not resolving over the VPN.<\/strong>\u00a0Occasionally, certain users won\u2019t be able to get DNS to resolve over our\u00a0OpenVPN Duo<\/a>\u00a0connection. This means that even though LAPS changes the password in Active Directory, their computer still has the old passwords. This means any admin-related tasks I need to do won\u2019t work until they come back onsite.<\/li>\n
  3. Domain controller unavailable.<\/strong>\u00a0Although rare, there have been a few occasions where our domain was temporarily unavailable. While I could log in with Windows cached credentials on most machines, there were several servers I hadn\u2019t logged into in a while and could not. Without being able to RDP to a domain controller, or launch the LAPS Fat Client UI, I had no way of accessing those machines.<\/li>\n<\/ol>\n

    If have any concerns about running into any of those scenarios above, then you might consider exporting LAPS passwords in case of emergency as well.<\/p>\n

    \n

    <\/span>Isn\u2019t exporting passwords a security concern?<\/h2>\n

    Technically, yes. However, in my opinion, you have to weigh the risk vs potential reward. Sure, exporting passwords in plaintext and leaving them on your desktop isn\u2019t secure. But if you\u2019re exporting them monthly, storing them on your non-domain password vault, or into a file share locked down with tight ACL\u2019s, then the risk is mitigated much more.<\/p>\n

    Also something to keep in mind, if you\u2019ve granted your daily driver user account to view LAPS passwords and has permission to use the ADUC widget, then you can view all LAPS passwords right from your work PC anyway, without logging into a Domain Controller.<\/p>\n

    Open Active Directory Users & Computers > Right click a computer object > Properties > Attribute Editor.\u00a0<\/strong>Scroll until you see the\u00a0ms-Mcs-AdmPwd<\/strong>. You\u2019ll see the LAPS password clear as day there.<\/p>\n

    \"\"<\/figure>\n
    \n

    <\/span>Laps Export Powershell Script<\/h2>\n

    This script assumes that LAPS has already been configured into your environment & that your user account already has access to view LAPS passwords using the Fat Client UI or from Active Directory Users & Computers.<\/p>\n

    This script loads the Active Directory module, finds the LAPS password fields, and then saves them to a CSV with the date appended to the file name. The only thing you\u2019d need to change is the file path.<\/p>\n

    Just Open Powershell and paste this script:<\/strong><\/p>\n

    $Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
    \n$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
    \n$computers | Export-Csv -path c:\\users\\danny\\desktop\\\"LAPS-$((Get-Date).ToString(\"MM-dd-yyyy\")).csv\" -NoTypeInformation<\/code><\/p>\n

    Then, save it to the location of your choice. For this example, I\u2019m saving to\u00a0C:\\Scripts\\LAPSexport.ps1<\/strong>.<\/p>\n

    Then, run the script to verify it works correctly. If it does, you should automate this procedure by creating a Scheduled Task.<\/p>\n

    \n

    <\/span>LAPS Export Scheduled Task \/ PDQ Schedule<\/h2>\n

    To schedule this to run on a schedule, open Task Scheduler > Create Task. Give it a name and configure the correct operating system version and user to run as.<\/p>\n

      \n
    • Under\u00a0Triggers<\/strong>, select your frequency.<\/li>\n
    • Under\u00a0Actions,<\/strong>\u00a0choose Start A Program.\n
        \n
      • Program Script:<\/strong>\u00a0C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe<\/li>\n<\/ul>\n
          \n
        • Add Arguments:<\/strong>\u00a0path to file (C:\\users\\Scripts\\LAPSexport.ps1)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

          Then, just click OK and save. Right click and run the task to confirm that it\u2019s working correctly.<\/p>\n

          If you have PDQ Deploy in your environment, you could also schedule this to run monthly there.<\/p>\n

            \n
          1. Create a new package.<\/strong>\u00a0Give it a name like\u00a0LAPS Monthly Export<\/em>\u00a0and paste the script in and SAVE.<\/li>\n
          2. Click the\u00a0Schedules tab<\/strong>, then\u00a0right click the empty space > New Schedule<\/strong>. Set the schedule.<\/li>\n
          3. Click the\u00a0Target tab,<\/strong>\u00a0choose a PC that has access to view LAPS passwords, like your own.<\/li>\n<\/ol>\n
            \"\"<\/figure>\n
            \"\"<\/figure>\n
            \"\"<\/figure>\n

            Wrapping Up<\/h2>\n

            Hopefully this simple script helps you export your LAPS passwords quickly and easily. Let me know if you run into any issues or have any modifications that you\u2019ve made to the script.<\/p>\n","protected":false},"excerpt":{"rendered":"

            In this guide, I\u2019m going to show you how to export the LAPS passwords from Active Directory using a 3-line Powershell script. This script automatically exports all LAPS passwords from Active Directory to a CSV file with the date appended to the file name. I then schedule this to run monthly using Task Scheduler. Why […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":1304,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-1656","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1656"}],"version-history":[{"count":1,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1656\/revisions"}],"predecessor-version":[{"id":1657,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1656\/revisions\/1657"}],"up":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/1304"}],"wp:attachment":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}