Overview
LAPS (Local Administrator Password Solution) manages local admin passwords on domain-joined machines. Passwords are stored in Active Directory as thems-Mcs-AdmPwd attribute. If you have read access to this attribute, you get the local admin password in cleartext.
Check if LAPS is Installed
On Target
Check AD Schema
Read LAPS Password
PowerShell (AD Module)
Specific Computer
PowerView
LAPS Toolkit
From Linux (Remote)
CrackMapExec
ldapsearch
Impacket
GetADUsers only enumerates user accounts — it won’t read LAPS attributes. Use GetLAPSPassword:
pyLAPS
LAPS v2 (Windows LAPS)
Windows LAPS (newer) stores the password as a JSON blob in themsLAPS-Password attribute in clear text. When password encryption is enabled, the value moves to the separate msLAPS-EncryptedPassword attribute.
Check
Read with Authorized Account
Who Can Read LAPS?
Find Delegated Groups
Check ACLs
Post-Exploitation
Quick Reference
| Tool | Where | Notes |
|---|---|---|
| PowerShell AD module | Target | Get-ADComputer |
| PowerView | Target | Get-DomainComputer |
| LAPSToolkit | Target | Find delegated groups |
| CrackMapExec | Attacker | —module laps |
| ldapsearch | Attacker | Direct LDAP query |
| pyLAPS | Attacker | Standalone Python |