
Windows LAPS in Get-ADReplAccount / Get-ADDBAccount Empty

Open SimonSixty opened this issue 7 months ago • 2 comments

I just tested DSInternals Version 5.3 and tried to get the Windows LAPS Encrypted DSRM Password on Windows Server 2025 from the NTDS DB but it doesn't show up in the outputs.

Are the DSRM Passwords not supported yet or is it an issue? I will try normal "local admin" passwords now.

Get-ADDBAccount -BootKey $bootkey -SamAccountName xx-vdc02$ -DatabasePath C:\Temp\NTDS\ntds.dit

LastLogonDate: 24.04.2025 11:30:58
PasswordLastSet: 24.04.2025 11:40:01
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative
LAPS
Key Credentials
Secrets
  NTHash: 3dfc8164a413057d1e0f0d6238e44429
...

SimonSixty, Apr 24 '25 14:04

Hi @SimonSixty, encrypted LAPS passwords are currently a work in progress. Only unencrypted Windows LAPS and Legacy LAPS passwords are supported in version 5.3.

MichaelGrafnetter, Apr 24 '25 14:04

Thank you so much for your quick response @MichaelGrafnetter, I'm looking forward to that in the future! Thanks for your great work!

SimonSixty, Apr 24 '25 14:04

Hi @SimonSixty, code for Windows LAPS decryption is online, with a release planned for next week. It was not easy. This is a sneak peek:

Get-ADDBAccount -DatabasePath '.\ntds.dit' -All -Properties LAPS |
    Select-Object -ExpandProperty LapsPasswords

Sample output:

ComputerName Account       Password                 Expires   Source
------------ -------       --------                 -------   -----
DC01         Administrator PluralTrimmingSuggest    2/3/2025  EncryptedDSRMPassword
DC02         Administrator RoundupFructoseRoundworm 2/3/2025  EncryptedDSRMPassword
ADFS01       WLapsAdmin    HerbsSkidUnproven        2/3/2025  EncryptedPassword
PC01         Administrator A6a3#7%eb!57be4a4B95Z433 1/24/2025 CleartextPassword

As you can see, LAPS encrypted DSRM passwords are supported as well, enabling some crazy AD disaster recovery scenarios. Is this what you had in mind?

MichaelGrafnetter, Jul 05 '25 19:07

Hey @MichaelGrafnetter, that looks perfect! Thank you so much for all of your effort! That's what I had in mind, especially for AD disaster recovery or regular backups of the "Encrypted LAPS Passwords" to an outside source, like an encrypted *.csv.

SimonSixty, Jul 07 '25 09:07

@SimonSixty Released! If you get to test the new functionality, I would be happy for any feedback.

MichaelGrafnetter, Jul 10 '25 10:07