So you’ve decided to roll out LAPS, you did everything correctly and set up GPOs to remotely install the client on all of your computers. Now you just want to know which computers have successfully applied both the GPO that installs the client and the GPO that configures LAPS.
You could open the LAPS UI on your management computer and type in computer names one by one to see which ones return a password, or you could write a short PowerShell script that automates the check for you.
When you extended the Active Directory schema to roll out LAPS, two attributes that we are interested in were added to your Active Directory computer objects: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
ms-Mcs-AdmPwd stores the LAPS-generated local administrator password in plain text, and ms-Mcs-AdmPwdExpirationTime tells us when that password is due to be reset. Because ms-Mcs-AdmPwd is a confidential attribute, only accounts that hold the extended right to read it (Domain Admins by default, plus whatever you delegated with Set-AdmPwdReadPasswordPermission) get a value back; everyone else sees nothing, which matters for the check below.
So all we need to do is check whether the ms-Mcs-AdmPwd property exists on the returned object. To do this we can use Get-Member with -MemberType Properties, pass the ms-Mcs-AdmPwd attribute to the -Name parameter, and use the result as the test in a conditional block, which looks something like this:
if (Get-Member -InputObject $computer -Name "ms-Mcs-AdmPwd" -MemberType Properties) {
    # Property exists
}
So now you’re probably wondering what’s up with the $computer variable and where it comes from. To answer that I’ll have to back up a little. Before we can evaluate whether an Active Directory computer object has a specific property we have to actually get a computer object, and since we want to evaluate every computer object we need to store them all in an array that we can iterate over.
So let’s start by getting all of the computers:
$computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*server*" -and Enabled -eq "true"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address,ms-Mcs-AdmPwd
There are a few things happening here. First we create the variable $computers and use Get-ADComputer with the -Filter parameter to get every enabled computer whose OperatingSystem attribute does not contain *server*. We then specify the properties we want on the returned objects, which are stored in the $computers array. Note that because ms-Mcs-AdmPwd is in that list, $computers now holds the plaintext password of every machine your account is allowed to read; keep it in the console session and don’t pipe it to Export-Csv or a log file.
Next we need to iterate over the $computers array:
$computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*server*" -and Enabled -eq "true"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address,ms-Mcs-AdmPwd
foreach ($computer in $computers) {
}
The foreach loop iterates over the $computers array and on each pass assigns the current AD object to the $computer variable. Now that we have an object we can test whether it has the ms-Mcs-AdmPwd property.
$computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*server*" -and Enabled -eq "true"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address,ms-Mcs-AdmPwd
foreach ($computer in $computers) {
    if (Get-Member -InputObject $computer -Name "ms-Mcs-AdmPwd" -MemberType Properties) {
        # Property exists
    }
}
So now if our if statement returns true we know the ms-Mcs-AdmPwd property exists, which means the LAPS client has run on that PC and written a password to AD, so we want to display it. Two caveats: the property is only returned when the account running the script is allowed to read ms-Mcs-AdmPwd, so run it as an account with that right or every machine will appear to be missing LAPS; and its presence proves the client wrote a password at least once, not that the password is still being rotated on schedule (compare ms-Mcs-AdmPwdExpirationTime with today’s date for that).
$computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*server*" -and Enabled -eq "true"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address,ms-Mcs-AdmPwd
foreach ($computer in $computers) {
    if (Get-Member -InputObject $computer -Name "ms-Mcs-AdmPwd" -MemberType Properties) {
        Sort-Object -InputObject $computer -Property OperatingSystem |
            Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address
    }
}
The two lines in the if statement pipe each object through Sort-Object and then Select-Object the properties we want to display in the PowerShell console. Since Sort-Object only ever sees one object per iteration it doesn’t actually reorder anything; if you want the output sorted by operating system, sort the $computers array before the loop instead.
Now we can add a few more things to this script to give us some more useful information, such as how many computers we have in total and how many of those have LAPS configured. Here’s what that looks like:
$computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*server*" -and Enabled -eq "true"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address,ms-Mcs-AdmPwd
$lapsinstalledcount = 0
Write-Host "`r`nTotal Number of PCs: $($computers.Count)"
foreach ($computer in $computers) {
    if (Get-Member -InputObject $computer -Name "ms-Mcs-AdmPwd" -MemberType Properties) {
        Sort-Object -InputObject $computer -Property OperatingSystem |
            Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address
        $lapsinstalledcount++
    }
}
Write-Host "Number of PCs with LAPS installed: $lapsinstalledcount`r`n"
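Here is an added example of the same inventory, written so that it never reads ms-Mcs-AdmPwd at all; it is not the script from this post. It keys the check off ms-Mcs-AdmPwdExpirationTime, which any account that can read computer objects can see, so no plaintext passwords are pulled into memory and a helpdesk account can run it. It also converts that FILETIME value to a date so machines whose password has expired (the client stopped rotating it) stand out from machines that are current. It assumes the ActiveDirectory RSAT module is installed; the -StaleDays parameter, the LapsState labels and the script name in the usage note are my additions and go beyond the post’s script by letting you drop computers that haven’t logged on recently.

```powershell
# Added example, not the original post's script. Reports LAPS coverage from
# ms-Mcs-AdmPwdExpirationTime, so the plaintext ms-Mcs-AdmPwd attribute is
# never requested. Assumes the ActiveDirectory RSAT module is available and
# that the caller can read computer objects (no LAPS password right needed).
[CmdletBinding()]
param(
    # Added parameter: 0 keeps every enabled non-server computer; N drops
    # machines whose LastLogonDate is older than N days.
    [int]$StaleDays = 0
)

Import-Module ActiveDirectory

$props = 'Name', 'OperatingSystem', 'OperatingSystemVersion', 'IPv4Address',
         'LastLogonDate', 'ms-Mcs-AdmPwdExpirationTime'

$computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*server*" -and Enabled -eq "true"' -Properties $props

if ($StaleDays -gt 0) {
    $cutoff    = (Get-Date).AddDays(-$StaleDays)
    $computers = $computers | Where-Object { $_.LastLogonDate -gt $cutoff }
}

$now = Get-Date
$report = foreach ($computer in $computers) {
    $raw = $computer.'ms-Mcs-AdmPwdExpirationTime'
    if ($null -eq $raw) {
        # Attribute never written: the LAPS client has not run on this machine.
        $state   = 'NoLAPS'
        $expires = $null
    }
    else {
        # Stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC);
        # convert to a local DateTime for comparison and display.
        $expires = [DateTime]::FromFileTime([int64]$raw)
        # Expired means the client should have rotated the password and has
        # not: machine offline, GPO no longer applied, or client removed.
        $state = if ($expires -lt $now) { 'Expired' } else { 'Current' }
    }
    [pscustomobject]@{
        Name                   = $computer.Name
        OperatingSystem        = $computer.OperatingSystem
        OperatingSystemVersion = $computer.OperatingSystemVersion
        IPv4Address            = $computer.IPv4Address
        LastLogonDate          = $computer.LastLogonDate
        LapsState              = $state
        PasswordExpires        = $expires
    }
}

$report | Sort-Object LapsState, OperatingSystem, Name | Format-Table -AutoSize

Write-Host ("`r`nTotal PCs: {0}" -f @($report).Count)
$report | Group-Object LapsState | Sort-Object Name | ForEach-Object {
    Write-Host ("{0,-8} {1}" -f $_.Name, $_.Count)
}
```

Save it as, say, Get-LapsCoverage.ps1 and run `.\Get-LapsCoverage.ps1 -StaleDays 180` to ignore machines that have not logged on in six months. The Expired group is the one to chase: those machines did have the client at some point, so the GPO or the machine itself is the problem, whereas NoLAPS machines never applied the install GPO at all.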
So there you have it, a quick and simple way to find out which computers in your organization have LAPS installed and configured.
Hopefully this helped someone out.
works very well, thank you!
Nice script. It was just what I needed. Is there any way to make it only query AD for, say, the last 6 months of last logins? I’m thinking that if a machine hasn’t logged in in over 6 months. I’m sure it can be done, I just haven’t worked on it.
You could add to the Get-ADComputer filter in the -Properties section, something like this:
$cutoff = (Get-Date).AddDays(-180)
$filter = "LastLogonDate -gt '$cutoff'"
Then just add LastLogonDate as a property
-Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address,ms-Mcs-AdmPwd,LastLogonDate
Hope this helps