
LAPSToolkit Cheatsheet

PowerShell tool for enumerating and abusing Microsoft LAPS (Local Administrator Password Solution) in Active Directory environments.


Loading LAPSToolkit

Import-Module .\LAPSToolkit.ps1

Find Delegated Groups

Parse ExtendedRights for all computers with LAPS enabled. Shows groups specifically delegated to read LAPS passwords:

Find-LAPSDelegatedGroups

Find Extended Rights

Check rights on each LAPS-enabled computer for groups with read access and users with "All Extended Rights." Users with this right can read LAPS passwords and may be less protected than users in delegated groups:

Find-AdmPwdExtendedRights

Get LAPS Computers and Passwords

Search for LAPS-enabled computers, password expiration, and cleartext passwords (if your user has read access):

Get-LAPSComputers

Enumeration Flow

  1. Find-LAPSDelegatedGroups: identify which groups can read LAPS passwords per OU
  2. Find-AdmPwdExtendedRights: find users/groups with extended rights on LAPS-enabled computers
  3. Get-LAPSComputers: attempt to read actual passwords and expiration dates

Notes

  • An account that has joined a computer to the domain receives All Extended Rights over that host, which includes the ability to read LAPS passwords
  • Machines without LAPS installed are potential lateral movement targets (local admin password reuse)
  • LAPS passwords are stored in the ms-Mcs-AdmPwd attribute on computer objects in AD
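
The same three questions can be answered from the defender's side before anyone else asks them. The script below is an added example, not part of LAPSToolkit: it audits LAPS coverage, computers joined by non-admin accounts, and principals whose ACEs allow reading ms-Mcs-AdmPwd. It assumes the RSAT ActiveDirectory module and the legacy LAPS schema; the function names are hypothetical.

```powershell
# Added example: defender-side LAPS audit (function names are hypothetical).
# Assumes the RSAT ActiveDirectory module and the legacy LAPS schema (ms-Mcs-AdmPwd*).
Import-Module ActiveDirectory

function Get-LapsCoverageGap {
    # Enabled computer accounts with no LAPS expiration timestamp, i.e. not managed by LAPS.
    $filter = '(&(!(ms-Mcs-AdmPwdExpirationTime=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADComputer -LDAPFilter $filter | Select-Object Name, DistinguishedName
}

function Get-LapsCreatorExposure {
    # LAPS-managed computers whose mS-DS-CreatorSID is set: joined by a non-admin account.
    $filter = '(&(ms-Mcs-AdmPwdExpirationTime=*)(mS-DS-CreatorSID=*))'
    Get-ADComputer -LDAPFilter $filter -Properties 'mS-DS-CreatorSID' | ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        if ($sid -is [byte[]]) { $sid = New-Object Security.Principal.SecurityIdentifier($sid, 0) }
        $who = try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who }
    }
}

function Get-LapsPasswordReader {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Look up the attribute's schemaIDGUID rather than hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    $pwdGuid = [guid]$attr.schemaIDGUID
    Get-ADComputer -SearchBase $SearchBase -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)' | ForEach-Object {
        $name = $_.Name
        (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access | Where-Object {
            # 0x100 = ExtendedRight (control access); empty ObjectType = all extended rights.
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.ActiveDirectoryRights -band 0x100) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $pwdGuid)
        } | Select-Object @{n = 'Computer'; e = { $name }}, IdentityReference, ActiveDirectoryRights, IsInherited
    }
}

# Review every principal that is not an expected admin or delegated LAPS reader group.
Get-LapsCoverageGap | Format-Table
Get-LapsCreatorExposure | Format-Table
Get-LapsPasswordReader | Sort-Object IdentityReference, Computer | Format-Table
```

The reader list includes built-in principals such as SYSTEM and Domain Admins, so compare it against the intended delegation and investigate anything outside it.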