
Managing LAPS Passwords



Has anyone had success managing LAPS with AutoIT?  (LAPS is Microsoft's Local Admin Password Solution.)

I am running v3.3.14.2 and Powershell 5.1.17134.858 on Windows 10 1803 build 17134.885.

I have read the entire AutoIT Help file, all of the AD UDF scripts and supporting HTML files, and a large part of the Internet and have researched myself into paralysis.

My company has more than one domain with two-way trusts and uses LAPS on each domain.  At present, we remote in to a jump box in each domain when we need to manage a device there. I want to build a multiple-domain console that works just like the LAPS UI, but allows the user to select a domain via pull-down.

At this point, I can't even get the crazy thing to work on the current domain.  

If I feed it $sComputername = 'T4211BLC1' 

#include <AutoItConstants.au3> ; defines $STDOUT_CHILD and $STDERR_MERGED
$sComputerName = GUICtrlRead($idComputerName)
Local $sStdout = "" ; accumulates everything the child process writes
; $STDERR_MERGED folds PowerShell's error stream into the stdout pipe, so a "not recognized"
; error is captured as well; with $STDOUT_CHILD alone only the (empty) stdout is read.
; Likely cause of the error itself (assumption, not verified here): a 32-bit AutoIt build launches the
; 32-bit powershell.exe from SysWOW64, whose module path does not contain the 64-bit AdmPwd.PS module.
; Compiling the script as x64, or launching @WindowsDir & '\Sysnative\WindowsPowerShell\v1.0\powershell.exe', avoids that.
$iPID = Run('powershell.exe -executionpolicy bypass Get-AdmPwdPassword "' & $sComputerName & '"', "c:\", @SW_SHOW, BitOR($STDOUT_CHILD, $STDERR_MERGED))
; Wait until the process has closed using the PID returned by Run.
ProcessWaitClose($iPID)
; Read the Stdout stream of the PID returned by Run.
While 1
    $sOutput = StdoutRead($iPID)
    If @error Then ExitLoop
    If $sOutput <> "" Then $sStdout = $sStdout & @CRLF & $sOutput
WEnd

sends this to the console:

Get-AdmPwdPassword : The term 'Get-AdmPwdPassword' is not recognized as the name of a cmdlet, function, script file, 
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and 
try again.
At line:1 char:1
+ Get-AdmPwdPassword T4211BLC1
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-AdmPwdPassword:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

But if I put this on the Windows command line:

powershell.exe -executionpolicy bypass Get-AdmPwdPassword "T4211BLC1"

...it runs perfectly.

ComputerName         DistinguishedName                             Password           Expiration
                                                                                      Timestamp
------------         -----------------                             --------           ----------
T4211BLC1            CN=T4211BLC1,OU=GPO Computers Testing OU,O... YQc7Cl39wFrIF5     6/10/20...

So (if you're still awake),

  1. Why can't Powershell find 'Get-AdmPwdPassword' when called from within AutoIT?
  2. Why can't I read STDOUT?

FYI - I've tried ShellExecute, and calling a .ps1 from the script, even Run('cmd /k ...) and I get the same result - Powershell doesn't recognize the cmdlet.

Thanks in advance!!


Did you try @Comspec as described in the help file?

My UDFs and Tutorials:


UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 


1 hour ago, water said:

Did you try @Comspec as described in the help file?

Yes, as 

$iPID = Run(@ComSpec & ' /c ' & 'powershell.exe -executionpolicy bypass Get-AdmPwdPassword "' & $sComputerName & '"', "c:\", @SW_Show, $STDOUT_CHILD)

and I get the same result as above.

 

1 hour ago, Subz said:

Here is the code I use; we only have a single domain, but you should be able to just change the parameters to connect to a different domain.

The code is missing, but I'd love to see what you have that works!


Sorry, I have the flu so my brain's a bit fuzzy at the mo :)

#include <AD.au3>
; Computer name from the command line, or the local machine when none is given
Global $g_sComputerName = $CmdLine[0] > 0 ? $CmdLine[1] : @ComputerName
MsgBox(4096, "LAPS Password", _GetLAPSPassword($g_sComputerName))

; Reads the LAPS password from the ms-Mcs-AdmPwd attribute of the computer object.
; ms-Mcs-AdmPwd is a confidential attribute: the caller needs the read permission granted on the
; computer's OU (Set-AdmPwdReadPasswordPermission), otherwise the attribute comes back empty.
Func _GetLAPSPassword($_sComputerName, $_sUserId = "", $_sPassword = "", $_sDNSDomain = "", $_sHostServer = "", $_sConfiguration = "", $_iSecurity = 0)
    _AD_Open($_sUserId, $_sPassword, $_sDNSDomain, $_sHostServer, $_sConfiguration, $_iSecurity)
    If @error Then Return SetError(1, @error, "Error: _AD_Open() - See @extended for error code.")
    ; Computer accounts have a trailing "$" in their sAMAccountName
    Local $sFQDN = _AD_SamAccountNameToFQDN($_sComputerName & "$")
    Local $iErr = @error ; keep the error before _AD_Close() overwrites it
    If $iErr Then
        _AD_Close()
        Return SetError(2, $iErr, "Error: _AD_SamAccountNameToFQDN() - See @extended for error code.")
    EndIf
    Local $sLAPSPassword = _AD_GetObjectAttribute($sFQDN, "ms-mcs-admpwd")
    $iErr = @error
    If $iErr Then
        _AD_Close()
        Return SetError(3, $iErr, "Error: _AD_GetObjectAttribute() - See @extended for error code.")
    EndIf
    _AD_Close()
    If @error Then Return SetError(4, @error, "Error: _AD_Close() - See @extended for error code.")
    Return SetError(0, 0, $sLAPSPassword)
EndFunc

 


Holy Crap, Subz!

I don't even have the flu so I have no excuse for overlooking this option, but good use of _AD_GetObjectAttribute.  Next question, since you may have already solved this: I'd like to reset the password in the GUI as well.  I already have the date/time picker sorted, now I just need the AD equivalent to Powershell:

Reset-AdmPwdPassword -ComputerName:MyComputer -WhenEffective:"7.28.2019 15:00"

I know _AD_SetPassword will reset the computer account password, but not the Local Admin password. 

Also - HUGE Thank You to Water for creating the AD UDF to begin with.  I have used it in many other projects. 


Sorry, we don't tend to reset the password on our systems, we just use it for viewing; however, the attribute that is required is:

"ms-Mcs-AdmPwdExpirationTime"

If you change it to 0 the password will be reset on the next GPUpdate.


_AD_ModifyAttribute is the function you are looking for :)

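The attribute-level reset that Subz and water describe above (writing ms-Mcs-AdmPwdExpirationTime, 0 meaning "rotate at the next GPUpdate"), as an added example that is not code from this thread or from the AD UDF. It uses PowerShell's RSAT ActiveDirectory module (assumed installed) rather than AdmPwd.PS, so it does what Reset-AdmPwdPassword does and also decodes the stored FILETIME for display; the function names and the -Server switch, meant for a multi-domain console, are my own choices.

```powershell
# Added example, not code from the thread or the AD UDF: the attribute-level
# equivalent of Reset-AdmPwdPassword via the RSAT ActiveDirectory module (assumed).
Import-Module ActiveDirectory

function Get-LapsExpiration {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Server   # DC or domain to query; lets a multi-domain console pick the domain
    )
    $q = @{ Identity = $ComputerName; Properties = 'ms-Mcs-AdmPwdExpirationTime' }
    if ($Server) { $q.Server = $Server }
    $raw = [int64](Get-ADComputer @q).'ms-Mcs-AdmPwdExpirationTime'
    # The attribute is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
    # 0 or empty means "already expired": the client rotates the password at its next GPUpdate.
    if ($raw -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($raw).ToLocalTime()
}

function Set-LapsExpiration {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [DateTime]$WhenEffective,   # omit to force rotation at the next GPUpdate
        [string]$Server
    )
    # Reset-AdmPwdPassword -WhenEffective writes this same attribute; 0 forces the reset.
    $value = [int64]0
    if ($PSBoundParameters.ContainsKey('WhenEffective')) {
        $value = $WhenEffective.ToFileTimeUtc()
    }
    $s = @{ Identity = $ComputerName; Replace = @{ 'ms-Mcs-AdmPwdExpirationTime' = $value } }
    if ($Server) { $s.Server = $Server }
    Set-ADComputer @s
    # Read the value back so the GUI shows what was actually written.
    return Get-LapsExpiration -ComputerName $ComputerName -Server $Server
}

# Same effect as: Reset-AdmPwdPassword -ComputerName:MyComputer -WhenEffective:"7.28.2019 15:00"
# Set-LapsExpiration -ComputerName 'MyComputer' -WhenEffective (Get-Date '2019-07-28 15:00')
# Force a reset at the next GPUpdate instead:
# Set-LapsExpiration -ComputerName 'MyComputer'
```

Writing the attribute needs the "write ms-Mcs-AdmPwdExpirationTime" permission on the computer's OU, the same one Set-AdmPwdResetPasswordPermission grants, so a failed Set-ADComputer here usually means a missing delegation rather than a wrong value.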
