The below LAPS Password Recovery Tool For Deleted Objects and those still in AD is created to allow you also recover the Microsoft LAPS administrator password of objects that have been deleted but that are still within the tombstone period of your Active Directory Forest.
This is the only advantage over Microsofts own GUI but is useful if you were to delete lots of machines from Active Directory and subsequently need to get in to it without restoring the object.
It will need to be run as an account that has permissions to ready the ms-Mcs-AdmPwd property and requires the Active Directory PowerShell module to be available (RSAT)
Read more “GUI: LAPS Password Recovery Tool”
The below can be run as a scheduled task to detect Active Directory User accounts that have passwords that expire today. Any objects where the password is due to expire today will automatically have the “Change password at next logon” ticked meaning that they wont suddenly lose connection to things such as mapped drives at the original expiry time.
Credit to Andrew Lyonette for turning my “Why dont you solve it like this” in to the script below.
Read more “Auditing: Reset Passwords That Expire Today”
This is a PowerShell Function written to obtain a users password expiry date and time in a friendly format. It allows you to search using a username, first name or surname. This may be useful on a helpdesk to ascertain if the issue a user is experiencing is due to password expiry.
Read more “Function: Get AD User Password Expiry Date/Time”
A simple password generator to get away from people using CompanyNameYear formats and variations of Password – This is by no means meant to be a super secure way of generating passwords and I am aware of the inherent risks of using get random. This is simply a way to generate a password for an end user that will be awkward enough that they change it immediately whilst getting away from people setting password2017! and similar.
Read more “GUI: Password Generator”