A little corner of the Empire on the web.

04 July, 2017

Retrieve LAPS (Microsoft's Local Admin Password Solution) details using VBScript

History

We've been using Microsoft's LAPS (Local Admin Password Solution) as a solution to manage the local administrator passwords on the majority of our servers (excepting domain controllers, for obvious reasons) for a while now. The fact that we'd been living with all of our servers having one or two incredibly simplistic passwords that hadn't changed for the best part of a decade was giving us so many potential problems, from the ex-employee knowing all the keys to the kingdom, to the straightforward pass-the-hash attack, and LAPS has worked well to mitigate those problems. For our server admins the options of reading the raw password from ADU&C, or using the PowerShell module, or even using the barebones LAPS GUI were fairly straightforward.


The Present

Now we're expanding our LAPS usage to manage the local admin passwords on all of our desktops and laptops. I know that most companies roll LAPS out to their laptops first and their servers last, but the fact that we'd been regularly changing the admin passwords on our laptops and desktops roughly twice a year for years meant that it wasn't needed so badly there.


For our desktop admins, and our helpdesk staff, we can't just point them at the installer for the PoSh module and leave them to it, so we're giving them the LAPS GUI client, but also integrating LAPS password lookup into some of the existing tools that we provide them. This means that I needed to retrieve the LAPS info using VBScript, rather than PoSh, to integrate into one of these tools. All of the examples in the LAPS documentation, and in everyone else's web write-ups of LAPS, use PoSh, so I had to pull this together from a few other scripts and tools that I'd used.
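To illustrate the kind of lookup described above, here is an added example; it is not the LAPS-Password.vbs script linked below, and not code from the LAPS documentation. It assumes the legacy LAPS schema attributes `ms-Mcs-AdmPwd` and `ms-Mcs-AdmPwdExpirationTime`, a caller who has been delegated read access to them, and hypothetical function and file names.

```vbscript
Option Explicit
' Added example: read the legacy LAPS attributes for one computer via ADSI.
' Function names and the script name are hypothetical.

Function EscapeLdap(ByVal s)           ' escape LDAP filter metacharacters in user input
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdap = s
End Function

Function FindComputerDN(ByVal name)    ' returns "" when no computer matches
    Dim root, conn, rs
    Set root = GetObject("LDAP://RootDSE")
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set rs = conn.Execute("<LDAP://" & root.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=computer)(sAMAccountName=" & EscapeLdap(name) & "$));" & _
        "distinguishedName;subtree")
    FindComputerDN = ""
    If Not rs.EOF Then FindComputerDN = rs.Fields("distinguishedName").Value
    conn.Close
End Function

Function FileTimeToDate(li)            ' IADsLargeInteger (FILETIME) -> Date, in UTC
    Dim hi, lo
    hi = li.HighPart : lo = li.LowPart
    If lo < 0 Then hi = hi + 1         ' LowPart is signed; carry into HighPart
    FileTimeToDate = #1/1/1601# + (hi * 4294967296 + lo) / 864000000000
End Function

Dim dn, comp, pwd, expiry
If WScript.Arguments.Count <> 1 Then WScript.Echo "Usage: cscript //nologo laps-lookup.vbs <computername>" : WScript.Quit 2
dn = FindComputerDN(WScript.Arguments(0))
If dn = "" Then WScript.Echo "Computer not found." : WScript.Quit 1
Set comp = GetObject("LDAP://" & dn)
On Error Resume Next                   ' Get raises an error if the attribute is empty or unreadable
pwd = comp.Get("ms-Mcs-AdmPwd")
If Err.Number <> 0 Then
    WScript.Echo "No LAPS password readable (not set, or no read permission)."
    WScript.Quit 1
End If
Set expiry = comp.Get("ms-Mcs-AdmPwdExpirationTime")
If Err.Number = 0 Then WScript.Echo "Expires (UTC): " & FileTimeToDate(expiry)
On Error GoTo 0
WScript.Echo "Password: " & pwd
```

A caller without delegated read rights gets the same "not readable" result as for a machine that LAPS does not manage, so a helpdesk tool built on this should treat both cases as one message rather than guessing which applies.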




Download


Download the script here: GitHub: LAPS-Password.vbs