Microsoft LAPS
Hi,
we are a new Atera customer and wondered, that we did not find anything about LAPS in the forum or script library.
BTW: it would be helpful to share scripts where you can define variables for critical information. Like the API key. So that the key is not written in plain in the script and only referring to the on in our tenant. Otherwise, we need to make a copy of the script without the API key and then share it…
The following script contains some german terms which need to be changed in an english environment (like Administratoren / Administrators…). The part with the second admin account (admin_lokal) is optional. The script changes the passwords and writes them to the corresponding custom fields in Atera.
Advantages to Microsoft LAPS: You don't have to look up the passwords in AD and this works completely without AD. No changes at the scheme necessary.
Script:
$AteraAPIKey = 'xyz'
$CustomFieldNameAdmin = 'LAPS Administrator'
$CustomFieldNameLocalAdmin = 'LAPS admin_lokal'
$LocalAdminUser = 'admin_lokal'
$DefaultAdminUser = 'Administrator'
Set-ExecutionPolicy Bypass -Scope Process -Force;
Install-PackageProvider NuGet -Force
Import-PackageProvider NuGet -Force
if (!(Get-Module -ListAvailable -Name PSAtera)) {
Install-Module -Name PSAtera -MinimumVersion 1.3.1 -Force
}
Import-Module -Name PSAtera -MinimumVersion 1.3.1
Set-AteraAPIKey -APIKey $AteraAPIKey
Function to generate a random passwordFunction Generate-RandomPassword {
$PasswordLength = 18
$PasswordChars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789#!-._?,"
$RandomPassword = ''
For ($i = 0; $i -lt $PasswordLength; $i++) {
$RandomPassword += $PasswordChars[(Get-Random -Maximum $PasswordChars.Length)]
}
return $RandomPassword
}
$agent = Get-AteraAgent
Process for Default Administrator Account$DefaultAdminAccount = ADSI
$NewPasswordDefaultAdmin = Generate-RandomPassword
$DefaultAdminAccount.psbase.Invoke("SetPassword", $NewPasswordDefaultAdmin)
$DefaultAdminAccount.psbase.InvokeSet('AccountDisabled', $true)
$DefaultAdminAccount.psbase.CommitChanges()
Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameAdmin -Value $NewPasswordDefaultAdmin
try {
$exists = [ADSI]::Exists("WinNT://./$LocalAdminUser,user")
}
catch {
$exists = $false
}
$LocalAdminAccount = ADSI
if (-not ($exists)) {
$NewLocalAdminAccount = ADSI
$NewUser = $NewLocalAdminAccount.Create("User", $LocalAdminUser)
$PasswordNewUser = Generate-RandomPassword
$NewUser.SetPassword($PasswordNewUser)
$NewUser.SetInfo()
$NewUser.psbase.InvokeSet('AccountDisabled', $false)
$NewUser.SetInfo()
$NewUser.psbase.CommitChanges()
# Add to Administrators group
$AdminGroup = ADSI
$AdminGroup.Add("WinNT://$LocalAdminUser,user")
}
$NewPasswordLocalAdmin = Generate-RandomPassword
$LocalAdminAccount.psbase.Invoke("SetPassword", $NewPasswordLocalAdmin)
$LocalAdminAccount.psbase.InvokeSet('AccountDisabled', $false)
$LocalAdminAccount.psbase.CommitChanges()
Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameLocalAdmin -Value $NewPasswordLocalAdmin
Optionally, add steps here for logging or notificationWrite-Output "Administrator and admin_lokal accounts processed."
Comments
-
is this a working script or a script in progress? could you post it as code?
0 -
Hello KaMIT,
the script works, we have used it on several clients.
What do you mean? You can create a new .ps1 script and copy the text into the editor.
0 -
I think he means as a code block to preserve the formatting.
I have submitted a number of scripts to the share, but none have been approved yet (not LAPS though).
Agreed that it would be really nice to not have to duplicate and generalize the script so we could share it.0 -
CLS ######### https://community.atera.com/discussion/323/microsoft-laps ######### Thanks to Robert Mueller $AteraAPIKey = '0123456789' $CustomFieldNameAdminUN = 'LAPS Username'
$CustomFieldNameAdminPW = 'LAPS Password'
$LocalAdminUser = 'LOCALadmin'
$DefaultAdminUser = 'Administrator' Install nuget Set-ExecutionPolicy Bypass -Scope Process -Force
Install-PackageProvider NuGet -Force
Import-PackageProvider NuGet -Force Install and load the right version of Atera module if (!(Get-Module -ListAvailable -Name PSAtera)) {
Install-Module -Name PSAtera -MinimumVersion 1.3.1 -Force
}
Import-Module -Name PSAtera -MinimumVersion 1.3.1 Set Atera API Key Set-AteraAPIKey -APIKey $AteraAPIKey #Function to generate a random password Function Generate-RandomPassword {
$PasswordLength = 10
$PasswordChars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789#!-._?,"
$RandomPassword = ''
For ($i = 0; $i -lt $PasswordLength; $i++) {
$RandomPassword += $PasswordChars[(Get-Random -Maximum $PasswordChars.Length)]
}
return $RandomPassword
} #Get the agent information for the PC that's running the script $agent = Get-AteraAgent #Process for Default Administrator Account $DefaultAdminAccount = [ADSI]"WinNT://./$DefaultAdminUser,user"
$NewPasswordDefaultAdmin = Generate-RandomPassword
$DefaultAdminAccount.PSBase.Invoke("SetPassword", $NewPasswordDefaultAdmin)
$DefaultAdminAccount.PSBase.InvokeSet('AccountDisabled', $true)
$DefaultAdminAccount.PSBase.CommitChanges()
try {
$exists = [ADSI]::Exists("WinNT://./$LocalAdminUser,user")
}
catch {
$exists = $false
} #Check if local admin_local account exists, if not, create it $LocalAdminAccount = [ADSI]"WinNT://./$LocalAdminUser,user"
if (-not $exists) {
$NewLocalAdminAccount = [ADSI]"WinNT://.,computer"
$NewUser = $NewLocalAdminAccount.Create("User", $LocalAdminUser)
$PasswordNewUser = Generate-RandomPassword
$NewUser.SetPassword($PasswordNewUser)
$NewUser.SetInfo()
$NewUser.PSBase.InvokeSet('AccountDisabled', $false)
$NewUser.SetInfo()
$NewUser.PSBase.CommitChanges() # Add user to Administrators group using net localgroup
$addToGroupResult = net localgroup Administrators /add $LocalAdminUser
if ($addToGroupResult -match "The command completed successfully.") {
Write-Output "Successfully added $LocalAdminUser to Administrators group."
} else {
Write-Output "Failed to add $LocalAdminUser to Administrators group. Output: $addToGroupResult"
} } #Set random password for local admin account $NewPasswordLocalAdmin = Generate-RandomPassword
$LocalAdminAccount.PSBase.Invoke("SetPassword", $NewPasswordLocalAdmin)
$LocalAdminAccount.PSBase.InvokeSet('AccountDisabled', $false)
$LocalAdminAccount.PSBase.CommitChanges() #Update the custom field in Atera for local admin_local account Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameAdminUN -Value $LocalAdminUser
Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameAdminPW -Value $NewPasswordLocalAdmin #Optionally, add steps here for logging or notification Write-Output "Administrator and $LocalAdminUser accounts processed."
Thanks @robert.muellerI took the code and tweaked it a bit via ChatGPT, pasted it back here (pasting it lost some of the powershell syntax such as some "#" but I hope it is ok!)
This script expects that your agents have the custom fields "LAPS Username' and 'LAPS Password'
I had a nightmare getting powershell to recognise that the user existed and could be added to the group so dumbed it down to use "net groups" command instead
Also this Atera code box formatting is whack !1 -
Hello again,
the script does not seem to update the custom fields in Atera anymore. The users and passwords are set on the client, and the script output does not give any error.
Has something changed?
0 -
Apologies @robert.mueller I don't often visit these pages so have only recently seen your reply.
The script is working for me here still creating/updating passwords and also updating the Atera console with the new detail.
If you are still having problems we can liaise directly to see if any information I can provide helps to resolve it.
0
Topics
- All Topics
- 40 Getting started
- 24 Read before posting
- 8 Meet and greet
- 220 General
- 59 News and announcements
- Swag
- 1 Roadmap updates
- 68 Resources
- 9 Knowledge Base
- 13 Webinars
- 1 Shared Script Library
- 2 Blog
- 15 Pro Tips
- 26 Got an idea?
- 1 Atera Academy
- 1 ActionAI
- 1 Copilot
- 125 Remote Monitoring and Management
- 78 Remote Monitoring
- 24 Patch Management
- 98 Professional Services Automation
- 61 Helpdesk
- 17 Billing
- 18 Reporting
- 34 Integrations & add-ons
- 20 Integrations
- 10 Add-ons
- 100 Scripting and automations
- 59 Scripts
- 29 Automations