Why

In all environments that I manage I have deployed LAPS. I’ve already covered what is LAPS and how to deploy it with ease here.

Now, when I need to connect to remote machines I don’t need to assign my regular or admin account local administrator privileges. I can just use LAPS. Why? If my account has no direct access or privileges on other machines it can’t be easily exploited (think malware, ransomware). This does not protect you in all cases (determined, skilled adversary) but surely adds another layer of protection in your environment.

How

The idea to use that in daily tasks is simple:

• Assign permissions to query AD for computer password to my admin account
• Use that account to retrieve password for specific machine
• Create credential object and use it to connect to remote machine.

Fairly simple tasks which is repeatable. A great opportunity to create a function for it. The working code looks something like this:

Let’s put it into function for better use:

Now it’s a matter of:

Clean and easy!

P.S. If you’d like to get a list of all computers that already have passwords (and you have permissions to read them), then this might help: