LAPS Password Report

by Robert Allen

In this guide, I’ll show you how to create a LAPS password report using the AD Pro Toolkit.

When you install LAPS it extends the Active Directory schema and adds two new attributes.

  • ms-Mcs-AdmPwd – This attribute saves the computer’s administrator password.
  • ms-Mcs-AdmPwdExpirationTime – This attribute saves the password expiration timestamp.

You can then use the LAPS UI tool or PowerShell to view the LAPS password on individual computers.

If you want to get the LAPS password on all computers you can use our AD Reporting Tool. This report can be used for auditing which computers have LAPS enabled or for compliance and security needs.

In the screenshot above you can see I have LAPS enabled on 4 computers and the tool is displaying the password and expiration time. The other computers do not have LAPS enabled.

To generate the LAPS Password report click on Reports -> Computers.

Click on any report from the left side menu. For example, I’ll use the All Computers report.

Next, click on the Columns button and add the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.

Now click the Run button to generate the report.

I DO NOT recommend exporting the report. The report contains the password for the local administrator account on each computer. This is something you don’t want to share or have sitting on your network.

The AD Pro Toolkit includes over 200 built-in Active Directory reports for users, computers, group policy, and security. It also includes a task scheduler to automate daily, weekly, or monthly reports.

Download Free Trial of the AD Pro Toolkit.

Leave a Comment