LAPS – Create credential object

Why

In all environments that I manage I have deployed LAPS. I’ve already covered what LAPS is and how to deploy it with ease here.

Now, when I need to connect to remote machines, I don’t need to give my regular or admin account local administrator privileges. I can just use LAPS. Why? If my account has no direct access or privileges on other machines, it can’t be easily exploited (think malware, ransomware). This does not protect you in all cases (a determined, skilled adversary) but it surely adds another layer of protection in your environment.

How

Using this in daily tasks is simple. Grant my admin account permission to query AD for computer passwords. Use that account to retrieve the password for a specific machine. Create a credential object and use it to connect to the remote machine. These are fairly simple, repeatable tasks, which makes them a great opportunity to create a function.

The working code looks something like this:

Let’s put it into function for better use:

Now it’s a matter of:

Clean and easy!
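The steps described above (read the password from AD, build a credential object, connect), as an added example that is not the original post's code. It assumes the legacy LAPS attribute `ms-Mcs-AdmPwd`, the ActiveDirectory module, and a managed local account called `Administrator`; the function name `Get-LapsCredential`, its parameters and the host name are hypothetical.

```powershell
# Added example: function and parameter names are hypothetical.
#Requires -Modules ActiveDirectory

function Get-LapsCredential {
    [CmdletBinding()]
    [OutputType([System.Management.Automation.PSCredential])]
    param(
        # Short computer name (sAMAccountName without the trailing $).
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ComputerName,

        # Assumption: the LAPS-managed account is the built-in 'Administrator'.
        [string]$LocalAdminName = 'Administrator'
    )
    process {
        # Legacy LAPS stores the password and its expiry in these two attributes.
        $computer = Get-ADComputer -Identity $ComputerName `
            -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' -ErrorAction Stop

        $password = $computer.'ms-Mcs-AdmPwd'
        if ([string]::IsNullOrEmpty($password)) {
            # Empty means LAPS has not set a password yet, or the caller has no
            # read permission on the attribute; AD returns nothing in both cases.
            throw "No readable LAPS password for '$ComputerName'."
        }

        # Expiry is a FILETIME; warn if the password is due for rotation.
        $expiry = [datetime]::FromFileTimeUtc([long]$computer.'ms-Mcs-AdmPwdExpirationTime')
        if ($expiry -lt [datetime]::UtcNow) {
            Write-Warning "LAPS password for '$ComputerName' expired $expiry (UTC); it may rotate soon."
        }

        $secure = ConvertTo-SecureString -String $password -AsPlainText -Force
        $password = $null   # do not keep the plain-text copy in a variable

        # "<computer>\<account>" makes the target authenticate a local account.
        [pscredential]::new("$ComputerName\$LocalAdminName", $secure)
    }
}

# Usage (constructed host name):
# $cred = Get-LapsCredential -ComputerName 'PC-0042'
# Enter-PSSession -ComputerName 'PC-0042' -Credential $cred
```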

P.S. If you’d like to get all computers that already have passwords (and you have permissions to read them), then this might help:
