• State Verified Answer
  • Replies 3 replies
  • Subscribers 66 subscribers
  • Views 581 views
  • Users 0 members are here
Options
Related

How to properly display LAPS information

b zeller
1 month ago

Dear all,

I am currently trying to display LAPS related information in the ARS Webinterface.

For this purpose I exposed the following 2 attributes:

"msLAPS-Password" and "msLAPS-PasswordExpirationTime"

msLAPS-PasswordExpirationTime displays fine as a date so this is okay.

However msLAPS-Password shows more than it must as it contains the whole string stored in AD which is like "{"n":"<admin_username>","t":"<timestamp>?","p":"<actual_password"}

I need to display only the password, so everything in the quotes after "p:".

How can this be achieved?

Thanks,

Ben

Parents
  • +1 1 month ago

    I tackled this with a virtual attribute and a policy script.  below is a copy of my script and I have it set in a policy which applies to the computers setup for LAPS.  

    function onPostGet($Request){

    if($Request.Class -ne "computer") {return}
    if ($Request.IsAttributeRequested("LAPSPassword") -eq $false) {return}

    $machineName = $Request.Get("sAMAccountName")

    try {
    $customValue = Get-LapsADPassword -Identity $machineName -AsPlainText | ForEach-Object { $_.Password }

    }
    catch {
    # An error occurred
    $customValue = "An error occurred, verify that this computer is registered with LAPS"
    }

    $strAttrname = "LAPSPassword"

    $Request.Put($strAttrname, $customValue)


    } #end request class

  • 0 1 month ago in reply to nicole perrine

    Thats sounds promising. I got quite far, however, can you elaborate how to configure the policy? I'm kinda lost here how to set and apply it.

  • +1 1 month ago in reply to b zeller

    I apply the script in a policy that is assigned to the objects with a LAPS password.  Take either an existing policy applied to the OU/objects with LAPS or create a new one and apply it .  Add a policy to run a script and select the script you created.  The script has to be a policy script and not a schedule script .  On the parameters page, I select the onPostGet function.

Reply
  • +1 1 month ago in reply to b zeller

    I apply the script in a policy that is assigned to the objects with a LAPS password.  Take either an existing policy applied to the OU/objects with LAPS or create a new one and apply it .  Add a policy to run a script and select the script you created.  The script has to be a policy script and not a schedule script .  On the parameters page, I select the onPostGet function.

Children
No Data