Microsoft LAPS

Hi,

we are a new Atera customer and wondered, that we did not find anything about LAPS in the forum or script library.

BTW: it would be helpful to share scripts where you can define variables for critical information. Like the API key. So that the key is not written in plain in the script and only referring to the on in our tenant. Otherwise, we need to make a copy of the script without the API key and then share it…

The following script contains some german terms which need to be changed in an english environment (like Administratoren / Administrators…). The part with the second admin account (admin_lokal) is optional. The script changes the passwords and writes them to the corresponding custom fields in Atera.

Advantages to Microsoft LAPS: You don't have to look up the passwords in AD and this works completely without AD. No changes at the scheme necessary.

Script:

$AteraAPIKey = 'xyz'
$CustomFieldNameAdmin = 'LAPS Administrator'
$CustomFieldNameLocalAdmin = 'LAPS admin_lokal'
$LocalAdminUser = 'admin_lokal'
$DefaultAdminUser = 'Administrator'

Install nuget

Set-ExecutionPolicy Bypass -Scope Process -Force;
Install-PackageProvider NuGet -Force
Import-PackageProvider NuGet -Force

Install and load the right version of Atera module

if (!(Get-Module -ListAvailable -Name PSAtera)) {
Install-Module -Name PSAtera -MinimumVersion 1.3.1 -Force
}
Import-Module -Name PSAtera -MinimumVersion 1.3.1

Set Atera API Key

Set-AteraAPIKey -APIKey $AteraAPIKey

Function to generate a random password

Function Generate-RandomPassword {
$PasswordLength = 18
$PasswordChars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789#!-._?,"
$RandomPassword = ''
For ($i = 0; $i -lt $PasswordLength; $i++) {
$RandomPassword += $PasswordChars[(Get-Random -Maximum $PasswordChars.Length)]
}
return $RandomPassword
}

Get the agent information for the PC that's running the script

$agent = Get-AteraAgent

Process for Default Administrator Account

$DefaultAdminAccount = ADSI
$NewPasswordDefaultAdmin = Generate-RandomPassword
$DefaultAdminAccount.psbase.Invoke("SetPassword", $NewPasswordDefaultAdmin)
$DefaultAdminAccount.psbase.InvokeSet('AccountDisabled', $true)
$DefaultAdminAccount.psbase.CommitChanges()
Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameAdmin -Value $NewPasswordDefaultAdmin

try {
$exists = [ADSI]::Exists("WinNT://./$LocalAdminUser,user")
}
catch {
$exists = $false
}

Check if local admin_lokal account exists, if not, create it

$LocalAdminAccount = ADSI
if (-not ($exists)) {
$NewLocalAdminAccount = ADSI
$NewUser = $NewLocalAdminAccount.Create("User", $LocalAdminUser)
$PasswordNewUser = Generate-RandomPassword
$NewUser.SetPassword($PasswordNewUser)
$NewUser.SetInfo()
$NewUser.psbase.InvokeSet('AccountDisabled', $false)
$NewUser.SetInfo()
$NewUser.psbase.CommitChanges()
# Add to Administrators group
$AdminGroup = ADSI
$AdminGroup.Add("WinNT://$LocalAdminUser,user")
}

Set random password for local admin_lokal account

$NewPasswordLocalAdmin = Generate-RandomPassword
$LocalAdminAccount.psbase.Invoke("SetPassword", $NewPasswordLocalAdmin)
$LocalAdminAccount.psbase.InvokeSet('AccountDisabled', $false)
$LocalAdminAccount.psbase.CommitChanges()

Update the custom field in Atera for local admin_lokal account

Set-AteraCustomValue -ObjectType Agent -ObjectId $agent.AgentID -FieldName $CustomFieldNameLocalAdmin -Value $NewPasswordLocalAdmin

Optionally, add steps here for logging or notification

Write-Output "Administrator and admin_lokal accounts processed."