Microsoft LAPS

robert.mueller Member Posts: 2
edited December 2023 in Scripts


We are a new Atera customer and were surprised that we did not find anything about LAPS in the forum or script library.

BTW: it would be helpful to share scripts where you can define variables for critical information, like the API key, so that the key is not written in plain text in the script and only refers to the one in our tenant. Otherwise, we need to make a copy of the script without the API key and then share it…

The following script contains some German terms which need to be changed in an English environment (like Administratoren / Administrators…). The part with the second admin account (admin_lokal) is optional. The script changes the passwords and writes them to the corresponding custom fields in Atera.

Advantages over Microsoft LAPS: You don't have to look up the passwords in AD and this works completely without AD. No changes to the schema necessary.


```powershell
$AteraAPIKey = 'xyz'
$CustomFieldNameAdmin = 'LAPS Administrator'
$CustomFieldNameLocalAdmin = 'LAPS admin_lokal'
$LocalAdminUser = 'admin_lokal'
$DefaultAdminUser = 'Administrator'

# Install nuget
Set-ExecutionPolicy Bypass -Scope Process -Force
Install-PackageProvider NuGet -Force
Import-PackageProvider NuGet -Force

# Install and load the right version of Atera module
if (!(Get-Module -ListAvailable -Name PSAtera)) {
    Install-Module -Name PSAtera -MinimumVersion 1.3.1 -Force
}
Import-Module -Name PSAtera -MinimumVersion 1.3.1

# Set Atera API Key
Set-AteraAPIKey -APIKey $AteraAPIKey

# Function to generate a random password
Function Generate-RandomPassword {
    $PasswordLength = 18
    $PasswordChars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789#!-._?,"
    $RandomPassword = ''
    For ($i = 0; $i -lt $PasswordLength; $i++) {
        $RandomPassword += $PasswordChars[(Get-Random -Maximum $PasswordChars.Length)]
    }
    return $RandomPassword
}

# Get the agent information for the PC that's running the script
$agent = Get-AteraAgent

# Process for Default Administrator Account
# The [ADSI] paths were lost in the forum formatting; the user paths below are
# reconstructed from the [ADSI]::Exists call further down.
$DefaultAdminAccount = [ADSI]"WinNT://./$DefaultAdminUser,user"
$NewPasswordDefaultAdmin = Generate-RandomPassword
$DefaultAdminAccount.psbase.Invoke("SetPassword", $NewPasswordDefaultAdmin)
$DefaultAdminAccount.psbase.InvokeSet('AccountDisabled', $true)
$DefaultAdminAccount.psbase.CommitChanges()   # persist the AccountDisabled change
Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameAdmin -Value $NewPasswordDefaultAdmin

try {
    $exists = [ADSI]::Exists("WinNT://./$LocalAdminUser,user")
}
catch {
    $exists = $false
}

# Check if local admin_lokal account exists, if not, create it
$LocalAdminAccount = [ADSI]"WinNT://./$LocalAdminUser,user"
if (-not ($exists)) {
    # Computer path and the SetPassword/SetInfo/Add calls are assumed; the
    # original lines did not survive the forum formatting.
    $NewLocalAdminAccount = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $NewUser = $NewLocalAdminAccount.Create("User", $LocalAdminUser)
    $PasswordNewUser = Generate-RandomPassword
    $NewUser.SetPassword($PasswordNewUser)
    $NewUser.SetInfo()
    $NewUser.psbase.InvokeSet('AccountDisabled', $false)
    $NewUser.SetInfo()
    # Add to Administrators group (German group name; 'Administrators' on English systems)
    $AdminGroup = [ADSI]"WinNT://./Administratoren,group"
    $AdminGroup.Add($NewUser.Path)
}

# Set random password for local admin_lokal account
$NewPasswordLocalAdmin = Generate-RandomPassword
$LocalAdminAccount.psbase.Invoke("SetPassword", $NewPasswordLocalAdmin)
$LocalAdminAccount.psbase.InvokeSet('AccountDisabled', $false)
$LocalAdminAccount.psbase.CommitChanges()   # persist the AccountDisabled change

# Update the custom field in Atera for local admin_lokal account
Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameLocalAdmin -Value $NewPasswordLocalAdmin

# Optionally, add steps here for logging or notification
Write-Output "Administrator and admin_lokal accounts processed."
```
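
A hardened variant of the Generate-RandomPassword function from the script above, added here as an example and not part of the original post: it draws from the .NET cryptographic random number generator rather than Get-Random, keeps the same character set, and guarantees one character from each class so a local complexity policy does not reject the result. The function names Get-CryptoIndex and New-LocalAdminPassword are hypothetical.

```powershell
# Added example, not the original poster's code.
# Character set copied from the script above, split into its four classes.
$CharClasses = @(
    'ABCDEFGHJKLMNPQRSTUVWXYZ',
    'abcdefghijkmnpqrstuvwxyz',
    '23456789',
    '#!-._?,'
)

# Hypothetical helper: uniform integer in [0, $Maximum) from the OS CSPRNG.
function Get-CryptoIndex {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.RandomNumberGenerator] $Rng,
        [Parameter(Mandatory)] [ValidateRange(1, 256)] [int] $Maximum
    )
    # Rejection sampling: discard bytes at or above the largest multiple of
    # $Maximum that fits in one byte, so the modulo below introduces no bias.
    $limit = 256 - (256 % $Maximum)
    $buffer = New-Object byte[] 1
    do { $Rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
    return $buffer[0] % $Maximum
}

# Hypothetical replacement for Generate-RandomPassword.
function New-LocalAdminPassword {
    param([ValidateRange(8, 128)] [int] $Length = 18)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $all = -join $CharClasses
        # Start with one character from every class.
        $chars = @(foreach ($class in $CharClasses) {
            $class[(Get-CryptoIndex -Rng $rng -Maximum $class.Length)]
        })
        # Fill the remaining positions from the full character set.
        while ($chars.Count -lt $Length) {
            $chars += $all[(Get-CryptoIndex -Rng $rng -Maximum $all.Length)]
        }
        # Fisher-Yates shuffle, so the guaranteed characters do not always
        # occupy the first four positions.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-CryptoIndex -Rng $rng -Maximum ($i + 1)
            $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
        }
        return (-join $chars)
    }
    finally { $rng.Dispose() }
}

$NewPasswordDefaultAdmin = New-LocalAdminPassword
```

Wrapping the SetPassword call and the matching Set-AteraCustomValue call in one try block keeps a password that was never set from being written to the custom field.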


  • KaMIT
    KaMIT Member Posts: 1

    Is this a working script or a script in progress? Could you post it as code?

  • robert.mueller
    robert.mueller Member Posts: 2

    Hello KaMIT,

    the script works, we have used it on several clients.

    What do you mean? You can create a new .ps1 script and copy the text into the editor.

  • mjones
    mjones Member Posts: 143 ✭✭✭✭

    I think he means as a code block to preserve the formatting.

    I have submitted a number of scripts to the share, but none have been approved yet (not LAPS though).
    Agreed that it would be really nice to not have to duplicate and generalize the script so we could share it.