LAPS password from computer in other domain (PS)

If you ever need to read a LAPS password on a device in another domain, you have to get a bit creative as the LAPS UI doesn’t support multi-domain in an easy fashion.

There is of course the option of using the “distinguishedName” attribute, but who can remember it? And when you are in the Attribute Editor anyway to copy it, you can read the LAPS password right there.

But with PowerShell, you can do a simple query … or two …

With LAPS module

Get-ADComputer -Filter 'Name -like "computername*"' -Server FQDN | Get-AdmPwdPassword
  • With the LAPS PS module, the expirationTime is returned in a readable format

No LAPS module

Get-ADComputer -Properties * -Filter 'Name -like "computername*"' -Server FQDN | Select-Object dNShostname, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime, PwdLastSet
  • Without the LAPS PS module you need to format the ExpirationTime timestamp yourself, or just make an educated guess

Remember that the context of the PS session must have read permission to the password attribute in the remote domain; otherwise you will get nothing.
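
Added example (not from the original post): the "No LAPS module" query with the ExpirationTime converted from its raw FILETIME value to a readable UTC date, plus a Status column that flags the permission case mentioned above. The Status wording, and the inference that an expiration time without a password means missing read permission, are assumptions of this example; computername* and FQDN are the same placeholders as in the commands above.

```powershell
# Added example, not from the original post.
# 'computername*' and FQDN are the same placeholders used in the commands above.
Import-Module ActiveDirectory

$attrs = 'dNSHostName', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

Get-ADComputer -Filter 'Name -like "computername*"' -Server FQDN -Properties $attrs |
    ForEach-Object {
        $password  = $_.'ms-Mcs-AdmPwd'
        $rawExpiry = $_.'ms-Mcs-AdmPwdExpirationTime'

        # The expiration attribute is a Windows FILETIME:
        # 100-nanosecond ticks since 1601-01-01 00:00 UTC.
        $expiresUtc = $null
        if ($rawExpiry) {
            $expiresUtc = [datetime]::FromFileTimeUtc([int64]$rawExpiry)
        }

        # Assumption of this example: an expiration time without a password
        # most likely means the session cannot read ms-Mcs-AdmPwd.
        $status = if ($password) {
            'Password readable'
        } elseif ($expiresUtc) {
            'Password set, not readable from this session'
        } else {
            'No LAPS data on this object'
        }

        [pscustomobject]@{
            DnsHostName = $_.DNSHostName
            Password    = $password
            ExpiresUtc  = $expiresUtc
            Expired     = ($null -ne $expiresUtc -and $expiresUtc -lt [datetime]::UtcNow)
            Status      = $status
        }
    }
```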