TheyCallMeBacon

Managing LAPS Passwords

Has anyone had success managing LAPS with AutoIT?  (LAPS is Microsoft's Local Admin Password Solution.)

I am running v3.3.14.2 and Powershell 5.1.17134.858 on Windows 10 1803 build 17134.885.

I have read the entire AutoIT Help file, all of the AD UDF scripts and supporting HTML files, and a large part of the Internet and have researched myself into paralysis.

My company has more than one domain with two-way trusts and uses LAPS on each domain.  At present, we remote in to a jump box in each domain when we need to manage a device there. I want to build a multiple-domain console that works just like the LAPS UI, but allows the user to select a domain via pull-down.

At this point, I can't even get the crazy thing to work on the current domain.  

If I feed it $sComputername = 'T4211BLC1' 

#include <AutoItConstants.au3> ; defines $STDOUT_CHILD
Local $sStdout = "" ; accumulated console output of the child process
$sComputerName = GUICtrlRead($idComputerName)
$iPID = Run('powershell.exe -executionpolicy bypass Get-AdmPwdPassword "' & $sComputerName & '"', "c:\", @SW_SHOW, $STDOUT_CHILD)
; Wait until the process has closed using the PID returned by Run.
ProcessWaitClose($iPID)
; Read the Stdout stream of the PID returned by Run.
While 1
    $sOutput = StdoutRead($iPID)
    If @error Then ExitLoop
    If $sOutput <> "" Then $sStdout = $sStdout & @CRLF & $sOutput
WEnd

sends this to the console:

Get-AdmPwdPassword : The term 'Get-AdmPwdPassword' is not recognized as the name of a cmdlet, function, script file, 
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and 
try again.
At line:1 char:1
+ Get-AdmPwdPassword T4211BLC1
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-AdmPwdPassword:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

But if I put this on the Windows command line:

powershell.exe -executionpolicy bypass Get-AdmPwdPassword "T4211BLC1"

...it runs perfectly.

ComputerName         DistinguishedName                             Password           Expiration
                                                                                      Timestamp
------------         -----------------                             --------           ----------
T4211BLC1            CN=T4211BLC1,OU=GPO Computers Testing OU,O... YQc7Cl39wFrIF5     6/10/20...

So (if you're still awake),

  1. Why can't Powershell find 'Get-AdmPwdPassword' when called from within AutoIT?
  2. Why can't I read STDOUT?

FYI - I've tried ShellExecute, and calling a .ps1 from the script, even Run('cmd /k ...) and I get the same result - Powershell doesn't recognize the cmdlet.

Thanks in advance!!


Did you try @Comspec as described in the help file?


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2021-04-14 - Version 1.5.3.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2021-04-13 - Version 1.6.4.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (NEW 2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
Task Scheduler (2019-12-03 - Version 1.5.1.0) - Download - General Help & Support - Wiki

Tutorials:
ADO - Wiki, WebDriver - Wiki


Here is the code I use, we only have a single domain but you should be able to just change the parameters to connect to different domain.

1 hour ago, water said:

Did you try @Comspec as described in the help file?

Yes, as 

$iPID = Run(@ComSpec & ' /c ' & 'powershell.exe -executionpolicy bypass Get-AdmPwdPassword "' & $sComputerName & '"', "c:\", @SW_Show, $STDOUT_CHILD)

and I get the same result as above.

 

1 hour ago, Subz said:

Here is the code I use, we only have a single domain but you should be able to just change the parameters to connect to different domain.

The code is missing, but I'd love to see what you have that works!


Sorry, I have the flu so my brain's a bit fuzzy at the mo :)

#include <AD.au3>
; Computer name from the command line, or this machine if none was given.
Global $g_sComputerName = $CmdLine[0] > 0 ? $CmdLine[1] : @ComputerName
MsgBox(4096, "LAPS Password", _GetLAPSPassword($g_sComputerName))

; Reads the LAPS password straight from the computer object's ms-Mcs-AdmPwd attribute.
; The optional parameters are passed through to _AD_Open(), so another domain/server can be targeted.
Func _GetLAPSPassword($_sComputerName, $_sUserId = "", $_sPassword = "", $_sDNSDomain = "", $_sHostServer = "", $_sConfiguration = "", $_iSecurity = 0)
    _AD_Open($_sUserId, $_sPassword, $_sDNSDomain, $_sHostServer, $_sConfiguration, $_iSecurity)
    If @error Then Return SetError(1, @error, "Error: _AD_Open() - See @extended for error code.")
    ; Computer accounts carry a trailing "$" in their sAMAccountName.
    Local $sFQDN = _AD_SamAccountNameToFQDN($_sComputerName & "$")
    If @error Then Return SetError(2, @error, "Error: _AD_SamAccountNameToFQDN() - See @extended for error code.")
    Local $sLAPSPassword = _AD_GetObjectAttribute($sFQDN, "ms-mcs-admpwd")
    If @error Then Return SetError(3, @error, "Error: _AD_GetObjectAttribute() - See @extended for error code.")
    _AD_Close()
    If @error Then Return SetError(4, @error, "Error: _AD_Close() - See @extended for error code.")
    Return SetError(0, 0, $sLAPSPassword)
EndFunc


Holy Crap, Subz!

I don't even have the flu so I have no excuse for overlooking this option, but good use of _AD_GetObjectAttribute.  Next question, since you may have already solved this: I'd like to reset the password in the GUI as well.  I already have the date/time picker sorted, now I just need the AD equivalent to Powershell:

Reset-AdmPwdPassword -ComputerName:MyComputer -WhenEffective:"7.28.2019 15:00"

I know _AD_SetPassword will reset the computer account password, but not the Local Admin password. 

Also - HUGE Thank You to Water for creating the AD UDF to begin with.  I have used it in many other projects. 


Sorry, we don't tend to reset the password on our systems; we just use it for viewing. However, the attribute that is required is:

"ms-Mcs-AdmPwdExpirationTime"

If you change it to 0, the password will be reset on the next GPUpdate.


_AD_ModifyAttribute is the function you are looking for :)
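As an added example (not Subz's, water's or the thread's own code), the PowerShell equivalent of both steps discussed above: reading ms-Mcs-AdmPwd the way the _AD_GetObjectAttribute call does, and resetting through ms-Mcs-AdmPwdExpirationTime as the last two replies describe, with a -Domain parameter for the multi-domain console. The function names, the -Domain parameter and the use of the RSAT ActiveDirectory module instead of AdmPwd.PS are assumptions, not something the thread uses.

```powershell
# Added example, not code from the thread: the AD-attribute equivalent of Get-AdmPwdPassword
# and Reset-AdmPwdPassword using the RSAT ActiveDirectory module, with a -Domain parameter so
# the same functions serve each trusted domain the console's pull-down offers.
# Assumptions: RSAT ActiveDirectory is installed, and the caller has been delegated read
# rights on ms-Mcs-AdmPwd and write rights on ms-Mcs-AdmPwdExpirationTime in that domain.
Import-Module ActiveDirectory

function Get-LapsPasswordFromAD {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $Domain = $env:USERDNSDOMAIN   # DNS name of the target domain, e.g. corp.example.com
    )
    # Computer objects carry a trailing "$" in sAMAccountName (as the _AD_SamAccountNameToFQDN call shows).
    $sam = $ComputerName + '$'
    $c = Get-ADComputer -Server $Domain -Filter "sAMAccountName -eq '$sam'" `
         -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
    if (-not $c) { throw "Computer '$ComputerName' not found in domain $Domain" }

    # The expiration attribute is a 64-bit FILETIME (UTC); 0 or empty means "rotate at the next policy refresh".
    $exp = [int64]$c.'ms-Mcs-AdmPwdExpirationTime'
    $expires = if ($exp -gt 0) { [DateTime]::FromFileTime($exp) } else { $null }
    [pscustomobject]@{
        ComputerName      = $c.Name
        DistinguishedName = $c.DistinguishedName
        Password          = $c.'ms-Mcs-AdmPwd'   # cleartext: show it in the GUI, never write it to a log
        ExpirationTime    = $expires
    }
}

function Reset-LapsPasswordViaAD {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $Domain = $env:USERDNSDOMAIN,
        [DateTime] $WhenEffective               # omit to reset at the next GPUpdate, as described above
    )
    $sam = $ComputerName + '$'
    $c = Get-ADComputer -Server $Domain -Filter "sAMAccountName -eq '$sam'"
    if (-not $c) { throw "Computer '$ComputerName' not found in domain $Domain" }
    # Reset-AdmPwdPassword -WhenEffective writes this same attribute: the LAPS client-side extension
    # rotates the local admin password at its next policy refresh once this FILETIME has passed.
    $fileTime = if ($PSBoundParameters.ContainsKey('WhenEffective')) { $WhenEffective.ToFileTime() } else { [int64]0 }
    Set-ADComputer -Server $Domain -Identity $c -Replace @{ 'ms-Mcs-AdmPwdExpirationTime' = $fileTime }
}

# Usage from the console (constructed values; the domain would come from the pull-down):
# Get-LapsPasswordFromAD -ComputerName 'T4211BLC1' -Domain 'corp.example.com'
# Reset-LapsPasswordViaAD -ComputerName 'T4211BLC1' -Domain 'corp.example.com' -WhenEffective '2019-07-28 15:00'
```

The two-way trust only lets the call reach the other domain; the cleartext password comes back only if that domain has delegated the read right on ms-Mcs-AdmPwd to the caller, so each domain needs its own delegation.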
