Daily Archives: 7 November, 2016

Recover LAPS passwords from deleted objects and delegate recovery admins

I got a question about LAPS and deleted Computer objects.
What happens if a Computer is disjoined from the domain or if the object is deleted: how do we recover the LAPS password?
And for how long can we recover the LAPS password? (Leaving aside the backups you should have.)

Computer is disjoined:

If you configure the client to join another domain or a workgroup, the Computer object isn’t deleted from the Active Directory database. At most the computer account is disabled. No problems retrieving the password there.

Computer Object is deleted in the Active Directory database:

Where the adminCount doesn’t count and the SD isn’t what you thought.

This is a short follow-up on my earlier blog entry on the AdminSDHolder.
As stated earlier, the AdminSDHolder process that runs as a background task on the Domain Controller holding the PDC Emulator role sets the Security Descriptor of the Protected Admin Groups.

The thing I wanted to revisit is the case where the adminCount attribute and the Security Descriptor aren’t set on objects.