GUI: LAPS Password Recovery Tool

The LAPS Password Recovery Tool below works for both deleted objects and those still in AD. It was created so that you can also recover the Microsoft LAPS administrator password of objects that have been deleted but are still within the tombstone period of your Active Directory forest.

This is its only advantage over Microsoft's own GUI, but it is useful if you have deleted lots of machines from Active Directory and subsequently need to get into them without restoring the object.

It needs to be run as an account that has permission to read the ms-Mcs-AdmPwd property, and it requires the Active Directory PowerShell module (RSAT) to be available.



The GUI first uses the command below to get the LAPS password for machines that exist in AD.

Get-ADComputer -Identity $ComputerName -properties * | Select-Object Name, ms-Mcs-AdmPwd, Modified -ExpandProperty ms-mcs-admpwd

If it is unable to locate the machine in AD, it then checks for deleted items that match the name:

Get-ADObject -Filter { (isdeleted -eq $true) -and (name -ne "Deleted Objects") -and (name -like $DeletedObjectsComputerName) } -includeDeletedObjects -property * | Select-Object Name, ms-Mcs-AdmPwd, Modified -ExpandProperty ms-mcs-admpwd

Download Available Upon Request

It performs various checks, for the AD module and for a blank computer name, and provides meaningful errors both for machines it can find that have no LAPS password and for machines it cannot find.
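
The lookup order and checks described above, combined into one function. This is an added example, not the tool's own code: the function name, the returned object shape, the wildcard pattern and the exact-name post-filter are assumptions.

```powershell
# Added example; Get-LapsPasswordWithTombstone is a hypothetical name.
function Get-LapsPasswordWithTombstone {
    param([string]$ComputerName)

    # Check: the ActiveDirectory module (RSAT) must be installed.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'The ActiveDirectory PowerShell module (RSAT) is not available.'
    }
    Import-Module ActiveDirectory -ErrorAction Stop

    # Check: reject a blank computer name before querying AD.
    if ([string]::IsNullOrWhiteSpace($ComputerName)) {
        throw 'No computer name was supplied.'
    }

    # Request only the attributes needed instead of every property.
    $props  = 'ms-Mcs-AdmPwd', 'Modified'
    $source = 'Live'

    # Step 1: live computer object. -Filter returns nothing on a miss,
    # where -Identity would throw.
    $obj = Get-ADComputer -Filter { Name -eq $ComputerName } -Properties $props |
        Select-Object -First 1

    # Step 2: deleted objects still inside the tombstone period.
    # A deleted object's name is "<old name><newline>DEL:<GUID>", so the
    # wildcard match is narrowed to exact names (PC1 must not return PC10).
    if (-not $obj) {
        $source  = 'Deleted'
        $pattern = "$ComputerName*"   # assumption: wildcard built from the name
        $obj = Get-ADObject -Filter { (isDeleted -eq $true) -and (name -ne 'Deleted Objects') -and (name -like $pattern) } -IncludeDeletedObjects -Properties $props |
            Where-Object { ($_.Name -split "`n")[0] -eq $ComputerName } |
            Sort-Object Modified -Descending |
            Select-Object -First 1
    }

    if (-not $obj) {
        throw "'$ComputerName' was not found as a live or deleted object."
    }
    if (-not $obj.'ms-Mcs-AdmPwd') {
        throw "'$ComputerName' was found ($source) but has no readable LAPS password."
    }

    [pscustomobject]@{
        Name     = ($obj.Name -split "`n")[0]
        Source   = $source
        Modified = $obj.Modified
        Password = $obj.'ms-Mcs-AdmPwd'
    }
}
```

If the same name was deleted more than once, the most recently modified deleted object is returned.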
