LAPS is Microsoft's "Local Administrator Password Solution", and it is a hot topic when talking about cyber security and which measures to take against cyber criminals. Read more about LAPS here.
This is just something short and sweet: a very simple PowerShell script that monitors all computer objects in specified OUs in Active Directory, reads the relevant attributes of each object, and, if the LAPS attributes are empty (meaning the LAPS client has never written a password, so LAPS is not active on that machine), lists the objects and sends the list as an email.
You can run the script on a schedule using Task Scheduler and this way monitor which computers in your Active Directory are missing LAPS.
```powershell
<#
.DESCRIPTION
    This script runs through all computer objects in the specified OUs.
    If ms-Mcs-AdmPwdExpirationTime is empty, the computer is added to a list
    and an email containing the list is sent.
.AUTHOR
    Martin Bengtsson
#>

try {
    Import-Module ActiveDirectory -ErrorAction Stop -Verbose:$false
}
catch {
    Write-Error "Active Directory module failed to import. Terminating the script. More details: $_"
    exit 1
}

# Email / SMTP variables (anonymous relay)
$AnonUsername    = "anonymous"
$AnonPassword    = ConvertTo-SecureString -String "anonymous" -AsPlainText -Force
$AnonCredentials = New-Object System.Management.Automation.PSCredential($AnonUsername, $AnonPassword)
$SMTPServer      = "INSERT YOUR SMTP SERVER"
$To              = "INSERT RECIPIENTS"
$From            = "Active Directory Monitor <SENDER@SENDER.COM>"
$Subject         = "Computers (Servers) Missing LAPS Password"

# Distinguished name(s) of the OUs to search; add more as a comma-separated list
$OUs = "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=CONTOSO,DC=COM"

# Loop through all computers in the specified OUs. Also filter on OU (skip inactive
# servers), OS (servers only) and whether a LAPS password is already set.
# Only the attributes the filter and the report need are requested.
$Computers = ForEach ($OU in $OUs) {
    Get-ADComputer -SearchBase $OU -SearchScope 'Subtree' -Filter * -Properties OperatingSystem, 'ms-Mcs-AdmPwdExpirationTime' |
        Where-Object {
            ($_.DistinguishedName -notlike "*OU=Inactive,OU=Servers*") -and
            ($null -eq $_.'ms-Mcs-AdmPwdExpirationTime') -and
            ($_.OperatingSystem -like "Windows Server*")
        } |
        Select-Object Name, 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem
}

$Count = $Computers.Count
Write-Host -ForegroundColor Yellow "Count is" $Count

$Body = "<b>The following computers have no LAPS password stored in Active Directory and are therefore not protected by LAPS: (Count: $Count)</b><br>"

# Add each computer found to the body
ForEach ($Computer in $Computers) {
    $Body += "<br>" + $Computer.Name
}

# If no computers were found, replace the body
If ($null -eq $Computers) {
    $Body = "No servers are missing LAPS - congratulations"
    Write-Host -ForegroundColor Yellow "No servers are missing LAPS"
}

# Send the email
Send-MailMessage -To $To -From $From -Subject $Subject -Body $Body -SmtpServer $SMTPServer -BodyAsHtml -Credential $AnonCredentials
```
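The script above treats an empty ms-Mcs-AdmPwdExpirationTime as "LAPS missing", which catches machines where the client never ran but not machines where it ran once and then stopped rotating (client uninstalled, GPO no longer applied, host offline for a long time). The attribute is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so it can also be compared against the current time. The following is an added example, not part of the original post: `Get-LapsState` is a hypothetical helper name, the hostnames and timestamps are constructed sample data standing in for `Get-ADComputer` output, and the CSV path is an assumption.

```powershell
# Added example, not part of the original script. Get-LapsState (hypothetical name)
# classifies computer objects into three LAPS states:
#   Missing - ms-Mcs-AdmPwdExpirationTime never written, LAPS not active
#   Expired - timestamp in the past, the client has stopped rotating the password
#   OK      - timestamp in the future, rotation is working
# Input is any object exposing Name, OperatingSystem and ms-Mcs-AdmPwdExpirationTime,
# e.g. Get-ADComputer ... -Properties OperatingSystem,'ms-Mcs-AdmPwdExpirationTime'.

function Get-LapsState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Computer,

        # Reference time for the "expired" decision; defaults to now (UTC)
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    process {
        $raw = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        if ($null -eq $raw) {
            $state   = 'Missing'
            $expires = $null
        }
        else {
            # FILETIME (Int64) -> DateTime in UTC
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            $state   = if ($expires -lt $Now) { 'Expired' } else { 'OK' }
        }
        [pscustomobject]@{
            Name            = $Computer.Name
            OperatingSystem = $Computer.OperatingSystem
            LapsState       = $state
            ExpiresUtc      = $expires
        }
    }
}

# Constructed sample input standing in for Get-ADComputer output (not real hosts).
$now = [datetime]::new(2024, 1, 15, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'SRV01'; OperatingSystem = 'Windows Server 2019 Standard'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
    [pscustomobject]@{ Name = 'SRV02'; OperatingSystem = 'Windows Server 2022 Standard'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV03'; OperatingSystem = 'Windows Server 2016 Standard'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(20).ToFileTimeUtc() }
)

$report = $sample | Get-LapsState -Now $now
$report | Format-Table -AutoSize

# Everything that is not OK is what the mail should contain; group it so the
# recipient sees the two failure modes separately.
$needsAction = $report | Where-Object LapsState -ne 'OK'
$Body = "<b>Computers not protected by LAPS (Count: $(@($needsAction).Count))</b><br>"
foreach ($group in ($needsAction | Group-Object LapsState)) {
    $Body += "<br><u>$($group.Name)</u>"
    foreach ($c in $group.Group) {
        $Body += "<br>$($c.Name)"
        if ($c.ExpiresUtc) { $Body += " (expired $($c.ExpiresUtc.ToString('u')))" }
    }
}

# Also write a CSV so the same result can be opened in Excel or kept as evidence
# alongside the mail. The path is an assumption; adjust to your environment.
$needsAction | Export-Csv -Path (Join-Path $env:TEMP 'laps-report.csv') -NoTypeInformation -Encoding UTF8
```

In production the `$sample` array is replaced by the `Get-ADComputer` pipeline from the script above (without the `$null` filter in `Where-Object`, since the classification now happens in `Get-LapsState`), and `$Body` is handed to the same `Send-MailMessage` call.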
Preview of the email being sent:
Is there a way to put this in Excel?
Just realized this was exporting from AD. Is there a script for exporting from INTUNE and outputting in EXCEL?