Microsoft LAPS

robert.mueller
robert.mueller Member Posts: 3
edited December 2023 in Scripts

Hi,

we are a new Atera customer and wondered, that we did not find anything about LAPS in the forum or script library.

BTW: it would be helpful to share scripts where you can define variables for critical information. Like the API key. So that the key is not written in plain in the script and only referring to the on in our tenant. Otherwise, we need to make a copy of the script without the API key and then share it…

The following script contains some german terms which need to be changed in an english environment (like Administratoren / Administrators…). The part with the second admin account (admin_lokal) is optional. The script changes the passwords and writes them to the corresponding custom fields in Atera.

Advantages to Microsoft LAPS: You don't have to look up the passwords in AD and this works completely without AD. No changes at the scheme necessary.

Script:

$AteraAPIKey = 'xyz'
$CustomFieldNameAdmin = 'LAPS Administrator'
$CustomFieldNameLocalAdmin = 'LAPS admin_lokal'
$LocalAdminUser = 'admin_lokal'
$DefaultAdminUser = 'Administrator'

Install nuget

Set-ExecutionPolicy Bypass -Scope Process -Force;
Install-PackageProvider NuGet -Force
Import-PackageProvider NuGet -Force

Install and load the right version of Atera module

if (!(Get-Module -ListAvailable -Name PSAtera)) {
Install-Module -Name PSAtera -MinimumVersion 1.3.1 -Force
}
Import-Module -Name PSAtera -MinimumVersion 1.3.1

Set Atera API Key

Set-AteraAPIKey -APIKey $AteraAPIKey

Function to generate a random password

Function Generate-RandomPassword {
$PasswordLength = 18
$PasswordChars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789#!-._?,"
$RandomPassword = ''
For ($i = 0; $i -lt $PasswordLength; $i++) {
$RandomPassword += $PasswordChars[(Get-Random -Maximum $PasswordChars.Length)]
}
return $RandomPassword
}

Get the agent information for the PC that's running the script

$agent = Get-AteraAgent

Process for Default Administrator Account

$DefaultAdminAccount = ADSI
$NewPasswordDefaultAdmin = Generate-RandomPassword
$DefaultAdminAccount.psbase.Invoke("SetPassword", $NewPasswordDefaultAdmin)
$DefaultAdminAccount.psbase.InvokeSet('AccountDisabled', $true)
$DefaultAdminAccount.psbase.CommitChanges()
Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameAdmin -Value $NewPasswordDefaultAdmin

try {
$exists = [ADSI]::Exists("WinNT://./$LocalAdminUser,user")
}
catch {
$exists = $false
}

Check if local admin_lokal account exists, if not, create it

$LocalAdminAccount = ADSI
if (-not ($exists)) {
$NewLocalAdminAccount = ADSI
$NewUser = $NewLocalAdminAccount.Create("User", $LocalAdminUser)
$PasswordNewUser = Generate-RandomPassword
$NewUser.SetPassword($PasswordNewUser)
$NewUser.SetInfo()
$NewUser.psbase.InvokeSet('AccountDisabled', $false)
$NewUser.SetInfo()
$NewUser.psbase.CommitChanges()
# Add to Administrators group
$AdminGroup = ADSI
$AdminGroup.Add("WinNT://$LocalAdminUser,user")
}

Set random password for local admin_lokal account

$NewPasswordLocalAdmin = Generate-RandomPassword
$LocalAdminAccount.psbase.Invoke("SetPassword", $NewPasswordLocalAdmin)
$LocalAdminAccount.psbase.InvokeSet('AccountDisabled', $false)
$LocalAdminAccount.psbase.CommitChanges()

Update the custom field in Atera for local admin_lokal account

Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameLocalAdmin -Value $NewPasswordLocalAdmin

Optionally, add steps here for logging or notification

Write-Output "Administrator and admin_lokal accounts processed."

Comments

  • KaMIT
    KaMIT Member Posts: 1

    is this a working script or a script in progress? could you post it as code?

  • robert.mueller
    robert.mueller Member Posts: 3

    Hello KaMIT,

    the script works, we have used it on several clients.

    What do you mean? You can create a new .ps1 script and copy the text into the editor.

  • mjones
    mjones Member Posts: 176 ✭✭✭✭

    I think he means as a code block to preserve the formatting.


    I have submitted a number of scripts to the share, but none have been approved yet (not LAPS though).
    Agreed that it would be really nice to not have to duplicate and generalize the script so we could share it.

  • stuarthill
    stuarthill Member Posts: 10 ✭✭
    edited June 28
    CLS
    
    ######### https://community.atera.com/discussion/323/microsoft-laps
    ######### Thanks to Robert Mueller
    
    $AteraAPIKey = '0123456789'
    $CustomFieldNameAdminUN = 'LAPS Username'
    $CustomFieldNameAdminPW = 'LAPS Password'
    $LocalAdminUser = 'LOCALadmin'
    $DefaultAdminUser = 'Administrator' Install nuget Set-ExecutionPolicy Bypass -Scope Process -Force
    Install-PackageProvider NuGet -Force
    Import-PackageProvider NuGet -Force Install and load the right version of Atera module if (!(Get-Module -ListAvailable -Name PSAtera)) {
    Install-Module -Name PSAtera -MinimumVersion 1.3.1 -Force
    }
    Import-Module -Name PSAtera -MinimumVersion 1.3.1 Set Atera API Key Set-AteraAPIKey -APIKey $AteraAPIKey #Function to generate a random password Function Generate-RandomPassword {
    $PasswordLength = 10
    $PasswordChars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789#!-._?,"
    $RandomPassword = ''
    For ($i = 0; $i -lt $PasswordLength; $i++) {
    $RandomPassword += $PasswordChars[(Get-Random -Maximum $PasswordChars.Length)]
    }
    return $RandomPassword
    } #Get the agent information for the PC that's running the script $agent = Get-AteraAgent #Process for Default Administrator Account $DefaultAdminAccount = [ADSI]"WinNT://./$DefaultAdminUser,user"
    $NewPasswordDefaultAdmin = Generate-RandomPassword
    $DefaultAdminAccount.PSBase.Invoke("SetPassword", $NewPasswordDefaultAdmin)
    $DefaultAdminAccount.PSBase.InvokeSet('AccountDisabled', $true)
    $DefaultAdminAccount.PSBase.CommitChanges()
    try {
    $exists = [ADSI]::Exists("WinNT://./$LocalAdminUser,user")
    }
    catch {
    $exists = $false
    } #Check if local admin_local account exists, if not, create it $LocalAdminAccount = [ADSI]"WinNT://./$LocalAdminUser,user"
    if (-not $exists) {
    $NewLocalAdminAccount = [ADSI]"WinNT://.,computer"
    $NewUser = $NewLocalAdminAccount.Create("User", $LocalAdminUser)
    $PasswordNewUser = Generate-RandomPassword
    $NewUser.SetPassword($PasswordNewUser)
    $NewUser.SetInfo()
    $NewUser.PSBase.InvokeSet('AccountDisabled', $false)
    $NewUser.SetInfo()
    $NewUser.PSBase.CommitChanges() # Add user to Administrators group using net localgroup
    $addToGroupResult = net localgroup Administrators /add $LocalAdminUser
    if ($addToGroupResult -match "The command completed successfully.") {
    Write-Output "Successfully added $LocalAdminUser to Administrators group."
    } else {
    Write-Output "Failed to add $LocalAdminUser to Administrators group. Output: $addToGroupResult"
    } } #Set random password for local admin account $NewPasswordLocalAdmin = Generate-RandomPassword
    $LocalAdminAccount.PSBase.Invoke("SetPassword", $NewPasswordLocalAdmin)
    $LocalAdminAccount.PSBase.InvokeSet('AccountDisabled', $false)
    $LocalAdminAccount.PSBase.CommitChanges() #Update the custom field in Atera for local admin_local account Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameAdminUN -Value $LocalAdminUser
    Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameAdminPW -Value $NewPasswordLocalAdmin #Optionally, add steps here for logging or notification Write-Output "Administrator and $LocalAdminUser accounts processed."


    Thanks @robert.mueller

    I took the code and tweaked it a bit via ChatGPT, pasted it back here (pasting it lost some of the powershell syntax such as some "#" but I hope it is ok!)

    This script expects that your agents have the custom fields "LAPS Username' and 'LAPS Password'

    I had a nightmare getting powershell to recognise that the user existed and could be added to the group so dumbed it down to use "net groups" command instead

    Also this Atera code box formatting is whack !

  • robert.mueller
    robert.mueller Member Posts: 3

    Hello again,

    the script does not seem to update the custom fields in Atera anymore. The users and passwords are set on the client, and the script output does not give any error.

    Has something changed?

  • stuarthill
    stuarthill Member Posts: 10 ✭✭

    Apologies @robert.mueller I don't often visit these pages so have only recently seen your reply.

    The script is working for me here still creating/updating passwords and also updating the Atera console with the new detail.

    If you are still having problems we can liaise directly to see if any information I can provide helps to resolve it.