Microsoft LAPS
Hi,
We are a new Atera customer and were surprised that we did not find anything about LAPS in the forum or script library.
BTW: it would be helpful to be able to share scripts where you can define variables for critical information, like the API key, so that the key is not written in plain text in the script and only refers to the one in our tenant. Otherwise, we need to make a copy of the script without the API key and then share it…
The following script contains some German terms which need to be changed in an English environment (like Administratoren / Administrators…). The part with the second admin account (admin_lokal) is optional. The script changes the passwords and writes them to the corresponding custom fields in Atera.
Advantages over Microsoft LAPS: You don't have to look up the passwords in AD and this works completely without AD. No changes to the schema necessary.
Script:

```powershell
$AteraAPIKey = 'xyz'
$CustomFieldNameAdmin = 'LAPS Administrator'
$CustomFieldNameLocalAdmin = 'LAPS admin_lokal'
$LocalAdminUser = 'admin_lokal'
$DefaultAdminUser = 'Administrator'

Set-ExecutionPolicy Bypass -Scope Process -Force
Install-PackageProvider NuGet -Force
Import-PackageProvider NuGet -Force
if (!(Get-Module -ListAvailable -Name PSAtera)) {
    Install-Module -Name PSAtera -MinimumVersion 1.3.1 -Force
}
Import-Module -Name PSAtera -MinimumVersion 1.3.1
Set-AteraAPIKey -APIKey $AteraAPIKey

# Function to generate a random password
Function Generate-RandomPassword {
    $PasswordLength = 18
    $PasswordChars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789#!-._?,"
    $RandomPassword = ''
    For ($i = 0; $i -lt $PasswordLength; $i++) {
        $RandomPassword += $PasswordChars[(Get-Random -Maximum $PasswordChars.Length)]
    }
    return $RandomPassword
}

$agent = Get-AteraAgent

# Process for Default Administrator Account
# Bind to the local account through the ADSI WinNT provider
$DefaultAdminAccount = [ADSI]"WinNT://./$DefaultAdminUser,user"
$NewPasswordDefaultAdmin = Generate-RandomPassword
$DefaultAdminAccount.psbase.Invoke("SetPassword", $NewPasswordDefaultAdmin)
# The built-in Administrator account is left disabled
$DefaultAdminAccount.psbase.InvokeSet('AccountDisabled', $true)
$DefaultAdminAccount.psbase.CommitChanges()
Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameAdmin -Value $NewPasswordDefaultAdmin

# Optional part: second admin account (admin_lokal)
try {
    $exists = [ADSI]::Exists("WinNT://./$LocalAdminUser,user")
}
catch {
    $exists = $false
}
$LocalAdminAccount = [ADSI]"WinNT://./$LocalAdminUser,user"
if (-not ($exists)) {
    # Create the account on the local computer
    $NewLocalAdminAccount = [ADSI]"WinNT://."
    $NewUser = $NewLocalAdminAccount.Create("User", $LocalAdminUser)
    $PasswordNewUser = Generate-RandomPassword
    $NewUser.SetPassword($PasswordNewUser)
    $NewUser.SetInfo()
    $NewUser.psbase.InvokeSet('AccountDisabled', $false)
    $NewUser.SetInfo()
    $NewUser.psbase.CommitChanges()
    # Add to Administrators group
    # The group name is localized: 'Administratoren' on German Windows, 'Administrators' on English
    $AdminGroup = [ADSI]"WinNT://./Administratoren,group"
    $AdminGroup.Add("WinNT://$LocalAdminUser,user")
}
$NewPasswordLocalAdmin = Generate-RandomPassword
$LocalAdminAccount.psbase.Invoke("SetPassword", $NewPasswordLocalAdmin)
$LocalAdminAccount.psbase.InvokeSet('AccountDisabled', $false)
$LocalAdminAccount.psbase.CommitChanges()
Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameLocalAdmin -Value $NewPasswordLocalAdmin

# Optionally, add steps here for logging or notification
Write-Output "Administrator and admin_lokal accounts processed."
```
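Added example, not part of the original post or of Atera's script library: the post's password generator draws characters with `Get-Random`, which Microsoft's documentation does not describe as cryptographically secure. The sketch below uses the same 63-character alphabet with the .NET `RandomNumberGenerator`, rejects bytes that would skew the distribution, and redraws until all four character classes are present so a local complexity policy does not reject `SetPassword`. The function name `New-LapsPassword` is hypothetical.

```powershell
# Added example; New-LapsPassword is a hypothetical name, not from the post.
function New-LapsPassword {
    param(
        [int]$Length = 18,
        # Same alphabet as the post's script (look-alike characters omitted).
        [string]$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789#!-._?,'
    )
    if ($Length -lt 4) { throw 'Length must be at least 4 to fit all four character classes.' }

    # Largest multiple of the alphabet size that fits in one byte. Bytes at or
    # above it are discarded so every character stays equally likely
    # (63 characters: 256 % 63 = 4, so values 252..255 are rejected).
    $limit = 256 - (256 % $Alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buf)
                if ($buf[0] -lt $limit) {
                    [void]$sb.Append($Alphabet[$buf[0] % $Alphabet.Length])
                }
            }
            $candidate = $sb.ToString()
            # Redraw the whole password (instead of patching single positions)
            # until it contains upper, lower, digit and symbol.
        } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
                 $candidate -match '\d' -and $candidate -match '[^A-Za-z0-9]')
    }
    finally { $rng.Dispose() }
    return $candidate
}

# Report only the length, never the password itself, in RMM script output.
$pw = New-LapsPassword
"Generated $($pw.Length) characters"
```

It is a drop-in replacement for the body of `Generate-RandomPassword`; the rest of the script stays unchanged.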
Comments
Is this a working script or a script in progress? Could you post it as code?
Hello KaMIT,
the script works, we have used it on several clients.
What do you mean? You can create a new .ps1 script and copy the text into the editor.
I think he means as a code block to preserve the formatting.
I have submitted a number of scripts to the share, but none have been approved yet (not LAPS though).
Agreed that it would be really nice to not have to duplicate and generalize the script so we could share it.