├── LAPS_Permissions_Collection.ps1
├── LICENSE
└── README.md

/LAPS_Permissions_Collection.ps1:
--------------------------------------------------------------------------------
<#
Author: Kevin Joyce

Requirements: Active Directory PowerShell module, Domain Administrator privileges (to ensure the capability to get attribute GUIDs and view all permissions on all computer objects)

Description: Looks up permissions within Active Directory on a target (OU or Computer) to determine access to LAPS attributes (ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd).

Usage: Populate the $target variable with the DN of a computer object, or of an OU to search for computer objects within.

To output the results to a text file, run: .\LAPS_Permissions_Collection.ps1 > output.txt
#>

Import-Module ActiveDirectory

## Get the schemaIDGUID of the LAPS attributes ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd from the schema.
## An ACE scoped to a single attribute carries that attribute's schemaIDGUID in its ObjectType field.
$schemaIDGUID = @{}
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(|(name=ms-Mcs-AdmPwdExpirationTime)(name=ms-Mcs-AdmPwd))' -Properties name, schemaIDGUID |
    ForEach-Object { $schemaIDGUID.Add([System.Guid]$_.schemaIDGUID, $_.name) }

<# **REPLACE DN VARIABLE BELOW**
Declare the distinguishedName of the Computer object directly, or of the OU to search for computers within #>
$target = 'CN=Computers,DC=COMPANY,DC=NET'

## Get all Computer objects within the OU, or the target computer itself
$computers = Get-ADComputer -SearchBase $target -Filter *

## An all-zero ObjectType means the ACE applies to every property of the object, not to one attribute
$allProperties = [System.Guid]'00000000-0000-0000-0000-000000000000'

## The AD: drive lets Get-Acl read an object's security descriptor by distinguished name
Set-Location AD:

<# Get objects that have broad permissions on the target(s):

Full Control (GenericAll)
Read All Properties (GenericRead)
Write All Properties (WriteProperty where ObjectType = 00000000-0000-0000-0000-000000000000)

Only Allow ACEs are reported. The grouping is explicit because -and and -or have equal precedence in PowerShell.
#>
foreach ($computer in $computers) {
    (Get-Acl -Path $computer.DistinguishedName).Access |
        Where-Object {
            ($_.AccessControlType -eq 'Allow') -and (
                (($_.ActiveDirectoryRights -in ('GenericRead', 'GenericAll')) -and ($_.InheritanceType -in ('All', 'None'))) -or
                ((($_.ActiveDirectoryRights -like '*WriteProperty*') -or ($_.ActiveDirectoryRights -like '*GenericRead*')) -and ($_.ObjectType -eq $allProperties))
            )
        } |
        Format-Table @{ Name = 'Computer'; Expression = { $computer.Name } }, IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
}

<# Get objects that have permissions specifically on the LAPS attributes (ObjectType is one of the schemaIDGUIDs looked up above):

WriteProperty
ReadProperty

#>
foreach ($computer in $computers) {
    (Get-Acl -Path $computer.DistinguishedName).Access |
        Where-Object {
            ($_.AccessControlType -eq 'Allow') -and
            (($_.ActiveDirectoryRights -like '*WriteProperty*') -or ($_.ActiveDirectoryRights -like '*ReadProperty*')) -and
            ($_.ObjectType -in $schemaIDGUID.Keys)
        } |
        Format-Table @{ Name = 'Computer'; Expression = { $computer.Name } }, IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
}
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 Netwrix Corporation

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# LAPS Permissions Collection
LAPS Permissions Collection script by Kevin Joyce

## Description
Looks up permissions within Active Directory on a target (OU or Computer) to determine access to LAPS attributes (ms-Mcs-AdmPwdExpirationTime and ms-Mcs-AdmPwd).

Requirements: Active Directory PowerShell module, Domain Administrator privileges (to ensure the capability to get attribute GUIDs and view all permissions on all computer objects)

## Usage
1. Populate the $target variable with the DN of a computer object, or of an OU to search for computer objects within.
2. OPTIONAL: To output the results to a text file, run: .\LAPS_Permissions_Collection.ps1 > output.txt
--------------------------------------------------------------------------------
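The script above lists raw ACEs; the following added example (not part of the repository) folds those ACEs into one row per identity showing which rights on the LAPS attributes it actually holds. It runs offline on constructed sample ACEs and uses placeholder GUIDs for the two attributes; against a live object you would pass the output of `(Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access` and the GUIDs from the script's `$schemaIDGUID` table instead.

```powershell
# Added example, not the repository's code. Placeholder GUIDs (constructed) stand in
# for the real schemaIDGUIDs of ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
$AdmPwdGuid    = [guid]'11111111-1111-1111-1111-111111111111'
$AdmPwdExpGuid = [guid]'22222222-2222-2222-2222-222222222222'
$AllProps      = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to every property

function Get-LapsEffectiveRights {
    param([string]$Computer, [object[]]$Ace)
    $rows = @{}
    foreach ($a in $Ace) {
        $obj = [guid]$a.ObjectType
        # Deny ACEs and ACEs scoped to unrelated attributes are not relevant here.
        if ($a.AccessControlType -ne 'Allow' -or $obj -notin @($AdmPwdGuid, $AdmPwdExpGuid, $AllProps)) { continue }
        $id = [string]$a.IdentityReference
        if (-not $rows.ContainsKey($id)) {
            $rows[$id] = [pscustomobject]@{ Computer = $Computer; Identity = $id
                ReadPwd = $false; ControlAccessPwd = $false; WritePwdExpiration = $false }
        }
        # ActiveDirectoryRights renders as a comma-separated flag list, e.g. "ReadProperty, ExtendedRight"
        $r = [string[]]([string]$a.ActiveDirectoryRights -split ',\s*')
        $full  = 'GenericAll' -in $r
        $onPwd = $obj -in @($AdmPwdGuid, $AllProps)
        $onExp = $obj -in @($AdmPwdExpGuid, $AllProps)
        if ($onPwd -and ($full -or 'GenericRead' -in $r -or 'ReadProperty' -in $r)) { $rows[$id].ReadPwd = $true }
        if ($onPwd -and ($full -or 'ExtendedRight' -in $r)) { $rows[$id].ControlAccessPwd = $true }
        if ($onExp -and ($full -or 'WriteProperty' -in $r)) { $rows[$id].WritePwdExpiration = $true }
    }
    foreach ($row in $rows.Values) {
        # ms-Mcs-AdmPwd is a confidential attribute: reading it needs ReadProperty AND control
        # access (ExtendedRight) on the attribute; GenericAll implies both, GenericRead does not.
        $row | Add-Member -NotePropertyName CanReadPassword -NotePropertyValue ($row.ReadPwd -and $row.ControlAccessPwd) -PassThru
    }
}

# Constructed sample ACEs in the shape Get-Acl returns for an AD object.
$sample = @(
    [pscustomobject]@{ AccessControlType='Allow'; ActiveDirectoryRights='GenericAll';                  ObjectType=$AllProps;      IdentityReference='COMPANY\Domain Admins' }
    [pscustomobject]@{ AccessControlType='Allow'; ActiveDirectoryRights='ReadProperty, ExtendedRight'; ObjectType=$AdmPwdGuid;    IdentityReference='COMPANY\Helpdesk' }
    [pscustomobject]@{ AccessControlType='Allow'; ActiveDirectoryRights='GenericRead';                 ObjectType=$AllProps;      IdentityReference='COMPANY\Workstation Admins' }
    [pscustomobject]@{ AccessControlType='Allow'; ActiveDirectoryRights='WriteProperty';               ObjectType=$AdmPwdExpGuid; IdentityReference='COMPANY\Deploy Svc' }
    [pscustomobject]@{ AccessControlType='Deny';  ActiveDirectoryRights='ReadProperty';                ObjectType=$AdmPwdGuid;    IdentityReference='COMPANY\Contractors' }
)
Get-LapsEffectiveRights -Computer 'WS01' -Ace $sample |
    Format-Table Computer, Identity, CanReadPassword, ControlAccessPwd, WritePwdExpiration -AutoSize
```

On the sample data, Domain Admins and Helpdesk come out with CanReadPassword True, Workstation Admins with False (GenericRead alone lacks control access), and Deploy Svc can only write the expiration time.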