LAPS for preventing credential theft in a Windows domain

Find-AdmPwdExtendedRights -Identity “ou=clients,dc=test,dc=local”
Get-AdmPwdPassword TestClientmstsc /w:1024 /h:800 /v:TestClient
Set-AdmPwdAuditing -OrgUnit “ou=clients,dc=test,dc=local” -AuditedPrincipals:Everyone
Reset-AdmPwdPassword TestClientIIIInvoke-GPUpdate TestClientIII
$computers = Get-ADComputer -Filter * -SearchBase “ou=clients,dc=test,dc=local”$computers | ForEachObject -Process {Reset-AdmPwdPassword -Computer $}$computers | ForEachObject -Process {Invoke-GPUpdate -Computer $ -RandomDelayInMinutes 0 -Force}
Get-AdmPwdPassword TestClient
Get-ADComputer TestClient -Properties ms-Mcs-AdmPwd
Get-ADComputer TestClient -Properties * | Select-Object SamAccountName, ms-Mcs-AdmPwd



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.