Windows LAPS query not returning data in PSU

I appear to be having an issue with getting return data inside PSU leveraging the Windows LAPS cmdlet Get-LapsADPassword. My code:

      $User1 = "lapstestingaccount"
      $PWord = ConvertTo-SecureString "foo123456" -AsPlainText -Force
      $cred = New-Object -TypeName System.Management.Automation.PSCredential ($User1, $PWord)
      $Objects = Get-LapsADPassword -Identity $EventData.filter -cred $cred -AsPlainText
      $LapsData = $Objects.Password
      New-UDTypography -Text "$LapsData here"

I attached the 2 screenshots showing the return in PSU as well as showing that PowerShell on that server does return the password correctly. So I am unsure what I am missing. Can anyone help?


It looks like $objects is returning multiple properties, so using the -AsPlainText switch against a hash table might not give you the results you're looking for. Have you tried doing something like this?

$User1 = "lapstestingaccount"
$PWord = ConvertTo-SecureString "foo123456" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential ($User1, $PWord)
# Without -AsPlainText the Password property comes back as a SecureString
$Objects = Get-LapsADPassword -Identity $EventData.filter -cred $cred
$LapsData = $Objects.Password
# ConvertFrom-SecureString -AsPlainText requires PowerShell 7 or later
$ReadablePassword = ConvertFrom-SecureString -SecureString $LapsData -AsPlainText
New-UDTypography -Text "$ReadablePassword here"
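As an added example (not code from either post), the wrapper below makes the failure mode in this thread visible: it records which Windows identity actually runs the call (inside PSU that is the app or service account, not the user who tested on the console), calls Get-LapsADPassword with -Credential and without -AsPlainText, and distinguishes "no object returned" from "object returned without a readable password". The function name and its result object are my own; the SecureString is unwrapped through NetworkCredential, which works in both Windows PowerShell 5.1 and PowerShell 7, whereas ConvertFrom-SecureString -AsPlainText needs 7.

```powershell
# Added example, not from the original thread. Assumes the Windows LAPS module
# is available; the function name and result shape are hypothetical.
function Get-LapsPasswordDiagnostic {
    param(
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Which account is really executing this? In PSU this is the configured
    # app/service identity, which is the first thing to compare with a working
    # console test, since ms-LAPS-* attribute reads are ACL-controlled in AD.
    $runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Verbose "Running as '$runAs', querying '$Identity' as '$($Credential.UserName)'"

    $out = [ordered]@{ Identity = $Identity; RunAs = $runAs; Status = $null;
                       Password = $null; Expires = $null; Error = $null }

    try {
        # No -AsPlainText: Password arrives as a SecureString, so nothing is
        # written to the transcript or PSU logs by accident.
        $result = Get-LapsADPassword -Identity $Identity -Credential $Credential -ErrorAction Stop
    }
    catch {
        # Surface the real error instead of an empty page in the UI.
        $out.Status = 'Error'; $out.Error = $_.Exception.Message
        return [pscustomobject]$out
    }

    if ($null -eq $result) {
        # Lookup returned nothing: wrong identity, no stored password yet,
        # or the caller cannot read the password attributes.
        $out.Status = 'NoResult'
        return [pscustomobject]$out
    }

    if ($null -eq $result.Password) {
        # Object found, but the password attribute was not readable/not set.
        $out.Status = 'NoPassword'; $out.Expires = $result.ExpirationTimestamp
        return [pscustomobject]$out
    }

    # Unwrap the SecureString in-process. This does not involve DPAPI; DPAPI
    # only binds the output of ConvertFrom-SecureString *without* -AsPlainText
    # to the user/machine that produced it.
    $out.Status   = 'OK'
    $out.Password = [System.Net.NetworkCredential]::new('', $result.Password).Password
    $out.Expires  = $result.ExpirationTimestamp
    return [pscustomobject]$out
}
```

Run it with -Verbose from the PSU app and from a console on the same host; if RunAs differs and Status is NoResult only in PSU, the problem is the executing identity or its permissions rather than the cmdlet.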

Yeah, it is a hash table but at least your code helped me verify that the command is coming back with no data even though the command works directly on the server in powershell. So, now I have to figure out why the command is not working. Even hard coding an Identity in the laps command still returns nothing.

I'll have a play around in my environment next time I'm at work to see if I can reproduce this. I'm assuming you have LAPS installed on a separate server to the one that is hosting PSU?

I think I recall reading somewhere that secure strings can only be decrypted on the same machine they were created on because of Windows DPAPI.

Well, this is in our test domain, so we are just moving forward with upgrading from legacy LAPS to Windows LAPS. One of the tests was switching PSU to the new LAPS cmdlets. It works on the server that PSU is installed on and other machines in the environment; it just appears to not work in PSU. I know from a security perspective we had to add the service account being used to the "access this computer from the network" security setting, which allowed it to work on the system itself through PowerShell with the alternate credential flag. Thank you for any help.

Hi!

I have implemented a similar thing where IT employees can request the local admin passwords for specific reasons. They hand over a couple of hostnames and the gathered local admin passwords will be written to a temp file, a password will be generated, and the temp file will be zipped (7-Zip) using this password. The password itself will be sent to the requester via MS Teams and the zipped file to a specific network share.

This is the part of the code that we use to reveal the passwords:

# $hostnames is the list of computer names from the request form;
# $tempfile is the temporary file created earlier in the script.
$results = @()
foreach ($Name in $hostnames) {
    $currentResult = Get-LapsADPassword -Identity $Name -AsPlainText
    if ($currentResult.Password) {
        $results += [pscustomobject]@{
            Hostname   = $Name
            Password   = $currentResult.Password
            ExpireDate = $currentResult.ExpirationTimestamp
        }
        Write-Output "Got LAP for $Name (valid until: $($currentResult.ExpirationTimestamp))"
    }
    else {
        # No object or no password attribute: record the miss instead of skipping the host
        Write-Warning "Could not get LAP for $Name."
        $results += [pscustomobject]@{
            Hostname   = $Name
            Password   = "No password returned from AD"
            ExpireDate = "-"
        }
    }
}
$results | Out-File -FilePath $tempfile.FullName -Append

Hope it helps :)


Thanks! Though our solution is trying to run the command with the -cred flag. We are trying to delegate out LAPS control by group, and which account has access to that delegated OU is controlled by that unit. That way, they can decide what the LAPS service account in their area has the ability to read. We have multiple accounts that may be called depending on the logged-in user. We have no trouble doing this inside PowerShell on the system PSU is installed on and any other system. It just appears that through PSU we are getting stuck. We are using v4.4.1.

In my case I created an app that only specific people have access to, and this app invokes the script. The script itself gets executed by a specific service user to be able to retrieve the passwords.

The app contains a form with a dropdown (autocomplete) field that has the hostnames of the computers in AD loaded, with multiselect enabled, and a text field for the requester to describe why the passwords are needed.
The combination of descriptive text with the selected hostnames then gets logged, incl. the hostnames that return a password, plus the date until which the passwords are valid.
So you can see from the log who asked for passwords of which hosts and how long those retrieved passwords are valid.