CravateRouge / bloodyAD

BloodyAD is an Active Directory Privilege Escalation Framework
MIT License

Reading of LAPS passwords? #11

Closed jsdhasfedssad closed 2 years ago

jsdhasfedssad commented 2 years ago

Are you planning to implement reading of LAPS passwords? Or can I read that already using the command "getObjectAttributes"? I tried reading the attribute "ms-mcs-AdmPwd" but either you do not collect that or it is not there since I do not have LAPS enabled.

CravateRouge commented 2 years ago

You can use getObjectAttributes with ms-mcs-AdmPwd to read a LAPS password on a computer object that has LAPS installed, of course. You also need to have All Extended Rights permissions on the object (by default for Domain Admins). In order to check if LAPS is installed as a simple user, you can query ms-mcs-AdmPwdExpirationTime and see if there is any result. More information: https://adsecurity.org/?p=3164

jsdhasfedssad commented 2 years ago

Good. You write that checking "ms-mcs-AdmPwdExpirationTime" can output a result. However, when I try this I get an error. Either this property cannot be used in the way you say or something is broken. I get the same error when checking "ms-mcs-AdmPwd" but I can't tell if that is due to me not having LAPS installed or your tool being broken.

CravateRouge commented 2 years ago

It means that those attributes are not part of the schema of your AD. Maybe because you didn't install LAPS on your AD?
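
For administrators who want to check LAPS coverage themselves, the following is an added example (not part of bloodyAD and not written by anyone in this thread). It takes an LDIF-style export of computer objects and reports which hosts have a current, expired or missing ms-Mcs-AdmPwdExpirationTime, and it separates the "attribute is not in the schema" case discussed above from the "no value on this host" case. The host names, the domain, the sample timestamps and the function names are constructed for illustration; treating a missing value as "unmanaged" is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXPIRY_ATTR = "ms-mcs-admpwdexpirationtime"  # LDAP attribute names are case-insensitive

def filetime_to_datetime(value):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def parse_ldif(text):
    """Parse a minimal LDIF export (no base64, no folded lines) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines() if ":" in line)
        entries.append({k.strip().lower(): v.strip() for k, _, v in pairs})
    return entries

def laps_coverage(schema_attrs, computers, now):
    """Return {dn: status}, or None when the schema lacks the LAPS attribute."""
    if EXPIRY_ATTR not in {a.lower() for a in schema_attrs}:
        return None  # attribute not in schema: the LAPS schema extension is absent
    report = {}
    for entry in computers:
        raw = entry.get(EXPIRY_ATTR)
        if raw is None:
            status = "unmanaged"  # assumption: no expiry value means LAPS never set a password
        else:
            status = "expired" if filetime_to_datetime(raw) < now else "current"
        report[entry["dn"]] = status
    return report

# Constructed sample export (hypothetical hosts and domain).
SAMPLE_LDIF = """\
dn: CN=WS01,OU=Workstations,DC=example,DC=test
ms-Mcs-AdmPwdExpirationTime: 133500000000000000

dn: CN=WS02,OU=Workstations,DC=example,DC=test
ms-Mcs-AdmPwdExpirationTime: 132000000000000000

dn: CN=SRV01,OU=Servers,DC=example,DC=test
"""

if __name__ == "__main__":
    schema = ["cn", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]  # constructed
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    for dn, status in laps_coverage(schema, parse_ldif(SAMPLE_LDIF), now).items():
        print(f"{status:10} {dn}")
```

Hosts reported as unmanaged or expired are the ones whose local administrator password is not being rotated and are worth following up on.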