Who Can See LAPS Passwords?

When can you see LAPS passwords?

After I uncovered how easy it is to gain access to a password by moving machines around a domain, I began to think, “What ACLs do you need to access the password?” Using a BadBlood domain I put this question to the test.

This post is quick and dirty.

The reference for this research:

(For LAPS)Read permission is not enough. AD honors the read request for confidential attribute value when at least one of the following is true:

Caller is granted ‘Full Control’ permission

Caller is granted ‘All Extended Rights’ permission

Caller is granted ‘Control Access’ on the attribute permission (this is what LAPS PowerShell uses to grant the permission)

https://blogs.msdn.microsoft.com/laps/2015/06/01/laps-and-password-storage-in-clear-text-in-ad

1. I set up OUs for testing
2. I applied LAPS GPO so computers get LAPS passwords
3. Confirmed LAPS password is set on computer. (Laps Password is blank! Click Expire. Wait. Check Again. Confirm!)
4. Set user object variable for testing with the BadBlood AD_OU_SetACL scripts. (Good old Lillie Gardner. What a perfect name for a LAPS reading person.)
5. Also set a value for ‘inheritance’ to use on the AD_OU_SetACL scripts
6. Set $ou value to an organizational unit I want to use.
   1. First OU I’ll configure is “Badblood.com\Laps Testing\Laps plus extended”
   2. $ou = get-adorganizationalunit ‘<FullDNHere’
7. Load into memory: ‘full control permissions.ps1’ and ‘computer control permissions.ps1’ from Badblood\AD_OU_SetACL. One function loaded with ‘computer control permissions’ is the ReadComputerAdmPwd function, which lets objects read the LAPS attribute.
8. Set permissions! Only to find out I didn’t do something right.
9. Load $guidmap and $extendedrightsmap variables using lines 163 through 178 in Badblood file ‘AD_Permission_Randomizer’
10. Run it again!
    1. ReadComputerAdmPwd -objgroup $user -objOU $OU -inheritanceType $inherittype… Success
    2. Result Laps plus extended right on Laps plus extended OU. (Forget that this “information” write-host says “group”. I granted access to the user.)
11. Edit ReadComputerAdmPwd to only include Computer Extended properties
12. Set OU to Badblood.com\LAPS Testing\Computer All Extended. Run the same code again
    1. The result: Computer Extended rights on Computer All Extended OU
13. Verify work by checking acl via dsa.msc gui. (
    1. Looks like we are all set. Permissions granted for Lillie Gardner as expected
14. Run Full Control and Full Control Computers permissions on the next OUs in the list to test
    1. The result: Permissions added to appropriate OUs
15. Last OU! Add only the ‘ms-mcs-admpwd read rights to Lillie’s user account on the LAPS only OU. (This does not add “Full Control”, “Extended Rights”, or “Control Access” permissions on the OU).
16. Edit ReadComputerAdmPWD to only include ms-mcs-admpwd attribute
17. Run on ReadComputerAdmPWD again
    1. Result: rights added as expected
18. Test All OUs!

The Results

What did I miss? Are there other ACLs that need to be added to this test?

Let me know and I’ll update my test. If LAPS is enabled in your AD environment, make sure you know who can gain administrator privileges to the computer!