If you ever need to read a LAPS password on a device in another domain, you have to get a bit creative as the LAPS UI doesn’t support multi-domain in an easy fashion.
There is of course the use of “distinguishedName” attribute, but who can remember this and when you are in the Attribute Editor anyway – to copy this – you can read the LAPS password inhere.
But with PowerShell, you can do a simple query … or two …
With LAPS module
|
1 2 |
Import-Module AdmPwd.ps Get-ADComputer -Filter 'Name -like "computername*"' -Server FQDN | Get-AdmPwdPassword |
- With the LAPS PS module you get the expirationTime formated in a readable format
No LAPS module
|
1 |
Get-ADComputer -Properties * -Filter 'Name -like "computername*"' -Server FQDN | Select-Object dNShostname, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime, PwdLastSet |
- Without the LAPS PS module you need need to format the ExpirationTime timestamp yourself – or just do an educated guess
Remember, that the context of the PS session has to have read permission to the password attribute in the remote domain, otherwise you will get nothing.