Using -DecryptionCredential as parameter for the Get-LapsADPassword cmdlet
Hi,
We have started to "play" with Windows LAPS as a replacement for Microsoft LAPS. We have enabled encrypted passwords and assigned a service account as AuthorizedDecryptor. The service account has been assigned the proper permissions according to the instructions for Windows LAPS (using the cmdlets for assigning permissions),
and if we run PowerShell with Run as (and state the service account and password) we can retrieve the Windows LAPS password by running the command:
Get-LapsADPassword -Identity Computername -AsPlainText
When running the PowerShell command in another user context and then using PSCredentials containing the service account credentials ($credObject):
Get-LapsADPassword -Identity $identity -AsPlainText -Credential $credObject
It accepts the content of $credObject as the parameter for -Credential, showing the computer name, AD location, PasswordUpdateTime, ExpirationTimestamp, Source, DecryptionStatus (Unauthorized) and the name of the AuthorizedDecryptor account.
When adding -DecryptionCredential $credObject to the command line,
the cmdlet returns:
Get-LapsADPassword : Authentication failed with the supplied decryption credentials
So has anyone been able to put a script together that uses the -DecryptionCredential parameter and that works?
We like to believe that we read the instructions and did the required setup, but then again we might have missed something obvious.
Kind Regards,
Jakob