How To Export LAPS Passwords from Active Directory with Powershell

by Danny
7 comments

READING TIME: 5 MINUTES

In this guide, I’m going to show you how to export the LAPS passwords from Active Directory using a 3-line Powershell script.

This script automatically exports all LAPS passwords from Active Directory to a CSV file with the date appended to the file name. I then schedule this to run monthly using Task Scheduler.


Why export LAPS passwords?

I’m assuming if you ended up on this post, you know that LAPS is Microsoft’s way of automating password changes for local administrator accounts. I’ve been using LAPS for years, and it just works. Here’s a decent LAPS install guide if you haven’t set up LAPS yet.

So, why export LAPS passwords to begin with?

There are several reasons why you should to export them. Over the years, there have been 3 scenarios in which I wish I would’ve have an export of LAPS passwords:

  1. When moving Administrator users to Standard users. The user takes the laptop offsite, and the LAPS password has expired. I wish I would’ve had a way to look up what the previous password was when troubleshooting random issues or installing new software.
  2. DNS not resolving over the VPN. Occasionally, certain users won’t be able to get DNS to resolve over our OpenVPN Duo connection. This means that even though LAPS changes the password in Active Directory, their computer still has the old passwords. This means any admin-related tasks I need to do won’t work until they come back onsite.
  3. Domain controller unavailable. Although rare, there have been a few occasions where our domain was temporarily unavailable. While I could log in with Windows cached credentials on most machines, there were several servers I hadn’t logged into in a while and could not. Without being able to RDP to a domain controller, or launch the LAPS Fat Client UI, I had no way of accessing those machines.

If have any concerns about running into any of those scenarios above, then you might consider exporting LAPS passwords in case of emergency as well.


Isn’t exporting passwords a security concern?

Technically, yes. However, in my opinion, you have to weigh the risk vs potential reward. Sure, exporting passwords in plaintext and leaving them on your desktop isn’t secure. But if you’re exporting them monthly, storing them on your non-domain password vault, or into a file share locked down with tight ACL’s, then the risk is mitigated much more.

Also something to keep in mind, if you’ve granted your daily driver user account to view LAPS passwords and has permission to use the ADUC widget, then you can view all LAPS passwords right from your work PC anyway, without logging into a Domain Controller.

Open Active Directory Users & Computers > Right click a computer object > Properties > Attribute Editor. Scroll until you see the ms-Mcs-AdmPwd. You’ll see the LAPS password clear as day there.


Laps Export Powershell Script

This script assumes that LAPS has already been configured into your environment & that your user account already has access to view LAPS passwords using the Fat Client UI or from Active Directory Users & Computers.

This script loads the Active Directory module, finds the LAPS password fields, and then saves them to a CSV with the date appended to the file name. The only thing you’d need to change is the file path.

Just Open Powershell and paste this script:

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$computers | Export-Csv -path c:\users\danny\desktop\"LAPS-$((Get-Date).ToString("MM-dd-yyyy")).csv" -NoTypeInformation

Then, save it to the location of your choice. For this example, I’m saving to C:\Scripts\LAPSexport.ps1.

Then, run the script to verify it works correctly. If it does, you should automate this procedure by creating a Scheduled Task.


LAPS Export Scheduled Task / PDQ Schedule

To schedule this to run on a schedule, open Task Scheduler > Create Task. Give it a name and configure the correct operating system version and user to run as.

  • Under Triggers, select your frequency.
  • Under Actions, choose Start A Program.
    • Program Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • Add Arguments: path to file (C:\users\Scripts\LAPSexport.ps1)

Then, just click OK and save. Right click and run the task to confirm that it’s working correctly.

If you have PDQ Deploy in your environment, you could also schedule this to run monthly there.

  1. Create a new package. Give it a name like LAPS Monthly Export and paste the script in and SAVE.
  2. Click the Schedules tab, then right click the empty space > New Schedule. Set the schedule.
  3. Click the Target tab, choose a PC that has access to view LAPS passwords, like your own.

Wrapping Up

Hopefully this simple script helps you export your LAPS passwords quickly and easily. Let me know if you run into any issues or have any modifications that you’ve made to the script.


My Homelab Equipment

Here is some of the gear I use in my Homelab. I highly recommend each of them.

The full list of server components I use can be found on my Equipment List page.

7 comments

You may also like

7 comments

Joe June 15, 2021 - 6:52 pm

The script works for me in the console but the exported CSV file does not contain any information on the ms-Mcs-AdmPwd or ms-Mcs-AdmPwdExpirationTime. Any thoughts why?

Reply
Danny June 15, 2021 - 8:34 pm

Can you confirm if you can see passwords through the ADUC widget installed on your PC and/or in the LAPS UI? If not, then your issue is permissions. Let me know if that’s the case and I’ll send you the code to run on your DC.

Otherwise, you could run this script directly on a domain controller and it should work as well.

Reply
Danny June 15, 2021 - 9:00 pm

Edit: I missed the part where you said the passwords show up in the console, but not the CSV.

So, it exports everything aside from those two fields? Is this happening when ran as a scheduled task or even running it directly from the console it doesn’t output correctly? I’m honestly not sure on that. I copied the script directly from my post just now, just in case I had formatted it incorrectly, but it’s working correctly for me still.

What happens if you export to a simple txt file, like this?

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$computers | out-file C:\users\danny\desktop\LAPS-$((Get-Date).ToString(“MM-dd-yyyy”)).txt

Reply
Mike August 31, 2021 - 6:07 pm

Hi Danny–

I can see the password info both in ADUC and using the LAPS UI, but the script doesn’t produce passwords on a client machine, even when running in the context of a user with privileges. If I go to a DC and run it, it works correctly. Is this by design?

Reply
Danny September 1, 2021 - 4:03 am

It works fine for me. I’m a standard Windows user with delegated view permissions to the OU’s. I can see the passwords in ADUC and the LAPS UI.

If you run it in Powershell, are there are any error messages?

You could try exporting to a network share your user has access to instead:

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$computers | Export-Csv -path \\servershare\”LAPS-$((Get-Date).ToString(“MM-dd-yyyy”)).csv” -NoTypeInformation

Or to a text file like this:

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$computers | out-file C:\users\danny\desktop\LAPS-$((Get-Date).ToString(“MM-dd-yyyy”)).txt

Reply
Thomas Enright October 13, 2021 - 7:50 am

Works great, I am a little worried about exporting to plain text. Is there something clever that can be done to encrypt the CSV?

Reply
Danny October 13, 2021 - 3:58 pm

I agree with you, plain text local admin passwords is not great. However, I think the risk is worth it if you properly secure the locations it’s going to be stored (offline USB, password vault, delete the .csv after moving it, etc.) I’m sure there’s ways of encrypting it but I don’t know of a way to do it.

Reply

Leave a Comment