A small script that exports computers' LAPS password information from Active Directory to a CSV file.
The script generates a CSV file with computer names and LAPS passwords, one computer per line, with these fields:
ComputerName;OperatingSystem;Password;PasswordExpTime;DistinguishedName
Requirements of the script:
- Active Directory PowerShell module
- Rights to read the AD LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime (the password attribute is marked confidential, so a plain "read all properties" grant is not enough)
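Because every principal that can read ms-Mcs-AdmPwd can read the plaintext local administrator password of every computer in scope, it is worth checking who holds that right before running an export. The following is an added example, not part of the original script: it uses Find-AdmPwdExtendedRights from the AdmPwd.PS module that ships with LAPS and reports any holder that is not on an expected allow-list. The OU is the one from the usage example above; the allow-list entries and the domain NetBIOS name MYDOMAIN are assumptions to be replaced with your own.

```powershell
# Added example (not from the original post): list which principals hold the
# extended right that lets them read ms-Mcs-AdmPwd under an OU, and flag the
# ones that are not expected. Requires the AdmPwd.PS module installed with LAPS.
Import-Module AdmPwd.PS

function Get-UnexpectedLapsReaders {
    param(
        [Parameter(Mandatory)][string]$OU,
        # Assumed allow-list; adjust to the groups you have delegated on purpose.
        [string[]]$ExpectedHolders = @(
            'NT AUTHORITY\SYSTEM',
            'MYDOMAIN\Domain Admins',
            'MYDOMAIN\LAPS-Password-Readers'
        )
    )
    # Find-AdmPwdExtendedRights walks the OU and its child OUs and returns, per
    # object, the principals holding "All Extended Rights", which includes the
    # right to read the confidential ms-Mcs-AdmPwd attribute.
    $results = Find-AdmPwdExtendedRights -Identity $OU
    foreach ($entry in $results) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            if ($ExpectedHolders -notcontains $holder) {
                [PSCustomObject]@{
                    ObjectDN = $entry.ObjectDN
                    Holder   = $holder
                }
            }
        }
    }
}

# Usage: every holder printed here can read plaintext LAPS passwords for the
# computers under that OU; an empty result means only the allow-listed
# principals have the right.
Get-UnexpectedLapsReaders -OU 'OU=Computers,OU=IT Department,DC=myDomain,DC=com' |
    Format-Table -AutoSize
```

Run it once per top-level computer OU; holders that appear on a child OU but not on its parent usually mean a delegation was added directly on that OU and should be reviewed.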
Example of usage:
[PS].\Get-ADComputers-LAPS-Password.ps1
[PS].\Get-ADComputers-LAPS-Password.ps1 -OU "OU=Computers,OU=IT Department,DC=myDomain,DC=com"
Links for download
PowerShell Gallery | Get-ADComputers-LAPS-Password
GitHub | Get-ADComputers-LAPS-Password.ps1
Get-ADComputers-LAPS-Password.zip
Example of reports (screenshots of the generated CSV file and of the same report opened in MS Excel)
Get-ADComputers-LAPS-Password.ps1
#.\Get-ADComputers-LAPS-Password.ps1
#---------------------------------------------------------[Initialisations]--------------------------------------------------------
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$false, HelpMessage="Enter OU, example: OU=Computers,OU=ITDep,DC=contoso,DC=com", ValueFromPipelineByPropertyName=$true)]
    [string]$OU,
    [Parameter(Mandatory=$false, HelpMessage="Enter path for log file, example: C:\Scripts", ValueFromPipelineByPropertyName=$true)]
    [string]$LogFilePath = ".\",
    [Parameter(Mandatory=$false, HelpMessage="Enter log file Name", ValueFromPipelineByPropertyName=$true)]
    [string]$LogFileName = "LAPS-Password_$(Get-Date -f 'yyyy-MM-dd').csv"
)

Import-Module ActiveDirectory

# Field separator for the report
$strDelimiter = ";"

# Create the report directory if it does not exist; keep the path as a string
# (New-Item returns a DirectoryInfo object, so take .FullName before the string
# operations below)
if (-Not (Test-Path -PathType Container $LogFilePath)) {
    $LogFilePath = (New-Item -ItemType Directory -Force -Path $LogFilePath).FullName
}
# Make sure the path ends with a separator before appending the file name
if (-not ($LogFilePath.EndsWith("\") -or $LogFilePath.EndsWith("/"))) {
    $LogFilePath = $LogFilePath + "\"
}
$LogFile = $LogFilePath + $LogFileName

# Report file: truncate an existing file, otherwise create it
if (Test-Path $LogFile) {
    Clear-Content $LogFile
} else {
    $LogFile = (New-Item -Path $LogFilePath -Name $LogFileName -ItemType File).FullName
}

Write-Host
Write-Host "Script start" $(Get-Date)
Write-Host

# Set scope and get computer objects; request only the attributes the report
# needs instead of every property
$Properties = 'OperatingSystem', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
if ($OU -ne "") {
    Write-Host "Organizational Unit:" $OU
    $Computers = Get-ADComputer -Filter 'ObjectClass -eq "computer"' -Properties $Properties -SearchBase $OU
} else {
    Write-Host "Domain:" $env:userdnsdomain
    $Computers = Get-ADComputer -Filter 'ObjectClass -eq "computer"' -Properties $Properties
}
Write-Host "Report File Path:" $LogFile

# Write report header
$strToReport = "ComputerName" + $strDelimiter + "OperatingSystem" + $strDelimiter + "Password" + $strDelimiter + "ExpTime" + $strDelimiter + "DistinguishedName"
Add-Content $LogFile $strToReport

# Get LAPS info and write one line per computer that has a LAPS password
foreach ($Computer in $Computers) {
    if ($Computer.'ms-Mcs-AdmPwd') {
        $strComputerPassword = $Computer.'ms-Mcs-AdmPwd'
        # The expiration time is stored as a Windows FILETIME (Int64); convert
        # it to a DateTime before formatting
        $strComputerExpTime = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        if ($strComputerExpTime -ge 0) {
            $strComputerExpTime = [datetime]::FromFileTime([convert]::ToInt64($strComputerExpTime))
        }
        $strComputerExpTime = "{0:yyyy-MM-dd HH:mm:ss}" -f [datetime]$strComputerExpTime
        # Password and expiration time are quoted so the delimiter inside a
        # password cannot break the CSV layout
        $strToReport = $Computer.Name + $strDelimiter + $Computer.OperatingSystem + $strDelimiter + """$strComputerPassword""" + $strDelimiter + """$strComputerExpTime""" + $strDelimiter + $Computer.DistinguishedName
        Add-Content $LogFile $strToReport
    }
}

Write-Host
Write-Host "Script end" $(Get-Date)
Write-Host
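The script's two interesting operations are the FILETIME conversion of ms-Mcs-AdmPwdExpirationTime and the test for a present ms-Mcs-AdmPwd. The following is an added example, not part of the original script: a pipeline function that classifies each computer's LAPS state (no password set, no expiry stamp, overdue for rotation, or current) without writing the password value itself into the report. The sample objects are constructed so the function can be tried without a domain; the Get-ADComputer line at the end shows how the same function is fed real data. The function name, the state labels and the output file name are assumptions.

```powershell
# Added example (not from the original post): classify LAPS state per computer.
# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-ns ticks since
# 1601-01-01 UTC), which is why [datetime]::FromFileTime is required.
function Get-LapsPasswordState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [datetime]$Now = (Get-Date)
    )
    process {
        # Do not use $pwd here: it is a PowerShell automatic variable
        $adminPwd = $Computer.'ms-Mcs-AdmPwd'
        $raw      = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        $expires  = $null
        if ($raw -and [int64]$raw -gt 0) {
            $expires = [datetime]::FromFileTime([int64]$raw)
        }
        if (-not $adminPwd) {
            $state = 'NoLapsPassword'   # LAPS never ran here, or the caller cannot read the attribute
        } elseif (-not $expires) {
            $state = 'NoExpiry'         # password present but no expiration stamp
        } elseif ($expires -lt $Now) {
            $state = 'Overdue'          # rotation is late: the client is not checking in
        } else {
            $state = 'Current'
        }
        [PSCustomObject]@{
            ComputerName      = $Computer.Name
            OperatingSystem   = $Computer.OperatingSystem
            HasPassword       = [bool]$adminPwd
            PasswordLength    = if ($adminPwd) { $adminPwd.Length } else { 0 }
            Expires           = $expires
            State             = $state
            DistinguishedName = $Computer.DistinguishedName
        }
    }
}

# Constructed sample input (not real directory data); the password values are
# placeholders, not real LAPS output
$sample = @(
    [PSCustomObject]@{ Name = 'WS01'; OperatingSystem = 'Windows 10 Enterprise'
        'ms-Mcs-AdmPwd' = 'sample-only-A1'; 'ms-Mcs-AdmPwdExpirationTime' = (Get-Date).AddDays(10).ToFileTime()
        DistinguishedName = 'CN=WS01,OU=Computers,DC=myDomain,DC=com' }
    [PSCustomObject]@{ Name = 'WS02'; OperatingSystem = 'Windows 10 Enterprise'
        'ms-Mcs-AdmPwd' = 'sample-only-B2'; 'ms-Mcs-AdmPwdExpirationTime' = (Get-Date).AddDays(-45).ToFileTime()
        DistinguishedName = 'CN=WS02,OU=Computers,DC=myDomain,DC=com' }
    [PSCustomObject]@{ Name = 'SRV01'; OperatingSystem = 'Windows Server 2016'
        'ms-Mcs-AdmPwd' = $null; 'ms-Mcs-AdmPwdExpirationTime' = $null
        DistinguishedName = 'CN=SRV01,OU=Servers,DC=myDomain,DC=com' }
)

# Expected: WS01 -> Current, WS02 -> Overdue, SRV01 -> NoLapsPassword
$sample | Get-LapsPasswordState | Format-Table -AutoSize

# Real data: request only the three attributes the function needs and keep
# only the computers that need attention
# Get-ADComputer -Filter * -SearchBase 'OU=Computers,OU=IT Department,DC=myDomain,DC=com' `
#     -Properties OperatingSystem, 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
#     Get-LapsPasswordState | Where-Object State -ne 'Current' |
#     Export-Csv .\laps-state.csv -Delimiter ';' -NoTypeInformation
```

An 'Overdue' computer is one whose LAPS client has not rotated the password past its own deadline, which usually means the machine is offline, the client-side extension is missing, or the GPO no longer applies; 'NoLapsPassword' computers are the ones still running a shared or unmanaged local administrator password and are the most important rows in the report.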
I've set up LAPS in my test domain and verified that it is functioning. When I run this script all I get is a .csv file with one field containing "ComputerName;OperatingSystem;Password;ExpTime;DistinguishedName" and nothing else. I've tried running it with no parameters and specifying the OU where my test device is located. No error messages are generated. Any idea what I may be doing wrong?
Did you see the computer password in the LAPS UI?
LAPS on Administrator Workstation
Note: you need rights to view the AD LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Link for download: Get-ADComputers-LAPS-Password.ps1
I found the problem. I feel dumb.
I don't know why I got no error message the first time I ran it, but I pulled a fresh copy from your link and ran it today. This time it generated a blank csv file and threw up an error message that made me recognize the problem.
I was running the script from the admin workstation I used to set up LAPS in my test environment. When I run it from a domain controller it works beautifully. Thanks.
That is not a small script. This one is, and it returns LAPS passwords and expiration dates:
# Select only computers that actually have a LAPS password; an AD filter
# comparing against an empty string does not translate to LDAP, so test for
# presence with -like '*' instead
$Computers = Get-ADComputer -Filter "ms-Mcs-AdmPwd -like '*'" -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
# Expiration time is a FILETIME; convert it to a readable DateTime
$Computers | Select-Object DistinguishedName, Name, @{n='ms-Mcs-AdmPwdExpirationTime'; e={[DateTime]::FromFileTime($_.'ms-Mcs-AdmPwdExpirationTime')}}
$Computers | Format-Table -AutoSize DistinguishedName, Name, 'ms-Mcs-AdmPwd'
# Pause so the output stays on screen
Read-Host