11/27/2018 142 views

We are using Microsoft LAPS to manage the local administrator's passwords.  Works great but I would like a way to get this info in the computer inventory as a custom inventory value.

I created a PowerShell script that can be run from the local computer and works very well when run as a user that has been granted the rights to access the extended attributes in Active Directory:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe "Import-Module ActiveDirectory ; Get-ADComputer -Identity %COMPUTERNAME% -Properties * | Select ms-Mcs-AdmPwd |ft -hide"

My issue is that when the custom inventory rule runs on the local computer via the KACE agent, it runs under the System account.  The local system has the ability to update the value in AD, but not read it back, so the following Custom Inventory Rule returns blank text:

ShellCommandTextReturn(c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe "Import-Module ActiveDirectory ; Get-ADComputer -Identity %COMPUTERNAME% -Properties * | Select ms-Mcs-AdmPwd |ft -hide")

I would like to get this data associated with the computer inventory somehow and it has to be run as a specific user account.  Any ideas?



All Answers

You have a few options to get the information you want.
1. (my preferred one) Create a KACE Script which runs as the user in need and creates a text file with the results. Use the CIR to read out the file.
2. Use runas.

With 2. you need to use a cleartext password, so I do not prefer this option.
Answered 11/27/2018 by: Nico_K
Red Belt
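
Option 1 from the answer above, sketched as an added example (not code from the original post or from KACE): a script run as the delegated account that requests only the `ms-Mcs-AdmPwd` attribute and locks down the output file's ACL before the cleartext password is written to it. The folder, the file name and the use of icacls for the ACL are assumptions.

```powershell
# Added example. Run as the account that has been delegated read access to
# ms-Mcs-AdmPwd, not as SYSTEM. Paths below are hypothetical.
$OutDir  = 'C:\ProgramData\LapsInventory'   # assumed folder
$OutFile = Join-Path $OutDir 'laps.txt'     # assumed file name

Import-Module ActiveDirectory -ErrorAction Stop

# Create the file empty first so the ACL is in place before any secret lands in it.
if (-not (Test-Path $OutDir))  { New-Item -ItemType Directory -Path $OutDir | Out-Null }
if (-not (Test-Path $OutFile)) { New-Item -ItemType File -Path $OutFile | Out-Null }

# Remove inherited ACEs, then allow only:
#   S-1-5-18     SYSTEM (read, so the agent's inventory rule can read the file)
#   S-1-5-32-544 local Administrators (full control)
#   the account running this script (modify, so later runs can overwrite)
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
& icacls.exe $OutFile /inheritance:r `
    /grant:r "*S-1-5-18:(R)" `
    /grant:r "*S-1-5-32-544:(F)" `
    /grant:r "*${me}:(M)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Request only the LAPS attribute rather than -Properties *.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME `
    -Properties 'ms-Mcs-AdmPwd' -ErrorAction Stop
$password = $computer.'ms-Mcs-AdmPwd'

if ([string]::IsNullOrEmpty($password)) {
    # Empty means the caller cannot read the attribute or no password is set yet.
    Set-Content -Path $OutFile -Value 'UNAVAILABLE' -Encoding ASCII
    exit 1
}

Set-Content -Path $OutFile -Value $password -Encoding ASCII
```

The inventory rule running as SYSTEM can then read the file with the same rule type used in the question, for example `ShellCommandTextReturn(cmd /c type C:\ProgramData\LapsInventory\laps.txt)` (the path matches the assumed one above). Anyone who can read that inventory field can then read the password, so access to the field should be as narrow as the AD delegation.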
