Tip: GUI for Windows LAPS with history view

Windows[German]Today a little tip for administrators in enterprise environments using Windows LAPS. German blog reader Heiko informed me on about a a graphical environment he wrote in PowerShell that lets you view Windows LAPS passwords, including password history.


Advertising

Windows Local Administrator Password Solution (Windows LAPS) is a feature that can automatically manage and secure the password of a local administrator account on devices mounted in Azure Active Directory or Windows Server Active Directory. This Local Administrator Password Solution (LAPS) from Microsoft provides local administrator account password management for computers joined into a domain.

Recently I had mentioned that Microsoft has integrated a LAPS client into various Windows clients with the April 2023 updates (the links at article end). What is somehow missing is a graphical interface (GUI) to retrieve Windows LAPS passwords. German blog reader Heiko took up this challenge an wrote a PowerShell solution. He emailed with  on Sunday and point out his solution. He wrote:

Unfortunately, Microsoft does not currently provide a GUI for retrieving Windows LAPS passwords that works without RSAT tools. Also, the tab in the RSAT tools (Active Directory Users and Computers) does not show the password history for a computer.

DThis was motivation for him to sit down and write a small GUI in PowerShell that does just these tasks. Heiko wrote:

DSo it turned out that in the last few days I wrote a small (PowerShell) gui that does both. It is stand-alone (portable) and shows the current passwords, as well as the history. (Currently Azure is not supported).

Even though there is no Azure support, the PowerShell GUI might be worth a look for administrators. The PowerShell scripts are hosted by Heiko on GitHub in this repository as Simple LAPS GUI under MIT license and can be downloaded for free.

Simple LAPS GUI


Advertising

Heiko writes the following about the functions and features of his development:

  • Easy and fast to use: launch the executable, enter computer name and press ENTER.
  • Supports Microsoft LAPS (legacy) and Windows LAPS in Active Directory environments.
  • Reading the current password, current expiration timestamp and password history (available for Windows LAPS only) from the computer objects in the local Active Directory.
  • Copying the passwords (current and history) via the context menu.
  • The expiration timestamp can be customized.
  • The window can be closed by pressing the ESCAPE key.

Required are PowerShell version 5.1 or higher and the Windows LAPS PowerShell module. The GitHub archive must be downloaded and unpacked. Use requires a Windows machine connected to Active Directory to function properly. Currently, Azure AD is not supported yet.

Heiko comments: I could imagine that some administrators could use the little helper. Maybe you would like to mention and introduce it in your blog. At this point my thanks to Heiko – maybe the GUI is helpful. You can leave some feedback if you like.

Addendum: Unfortunately the download is flagged as malicious by virustotal. I contacted Heiko and informed him, that he should check an fix that. He answered shortly: I'm checking, it seems to be a parameter of ps2exe (see this issue). Heiko plans an FAQ in the readme file. Probably he will ship the next version without the critical parameter and two downloads: Exe and Powershell. He explained: The exe file is to hide PowerShell and assure, that the task is shown separately in taskbar and task manager.

Similar articles:
Windows LAPS integration via April 2023 update causes trouble for administrators
Windows Server: Update your Active Directory schema for the current Windows LAPS version

How to find weak passwords in Active Directory and eliminate them with PowerShell


Advertising

This entry was posted in Software, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).