netwrix / pingcastle

PingCastle - Get Active Directory Security at 80% in 20% of the time
https://www.pingcastle.com
Other
2.35k stars 292 forks source link

Feature Request - New Windows LAPS Detection #179

Open jamesaepp opened 1 year ago

jamesaepp commented 1 year ago

Thanks for the great software!

I recently installed a new forest and setup the new Windows LAPS introduced below.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/by-popular-demand-windows-laps-available-now/ba-p/3788747

When running pingcastle 3.0.0.3, the LAPS check under anomalies is matched. I'm guessing Pingcastle is relying on the legacy LAPS implementation. It would be great to have a hybrid approach here to detect the new Windows LAPS systems (and its features). Other things that would be really cool to detect:

etc.

vletoux commented 1 year ago

The latest beta version of PingCastle (available in the download portal if you are a registered user) includes this new feature. It will be also included in the next official version of PingCastle

1mm0rt41PC commented 7 months ago

Hello !

I have tested the version of PingCastle 3.2.0.1 with the new LAPS but it doesn't work properly. From the code https://github.com/vletoux/pingcastle/blob/933316dab78685caaf4e2cee3dd541511035e73a/Healthcheck/LAPSAnalyzer.cs#L34 PingCastle only check ms-LAPS-Password but my client use msLAPS-EncryptedPassword.

To avoid this LAPS conflict, is it possible to use msLAPS-PasswordExpirationTime instead ?