@jborean93
Last active March 25, 2025 07:39
Gets the LAPS UpdateTime attribute for AD computer accounts
# Copyright: (c) 2025, Jordan Borean (@jborean93) <[email protected]>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
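Function Get-LapsADUpdateTime {
    <#
    .SYNOPSIS
    Gets the Windows LAPS Update Time.

    .DESCRIPTION
    Gets the Windows LAPS Update Time for the specified computer account. The output value is a DateTime object representing the update time as a UTC date time.

    The timestamp is taken from the first populated attribute, checked in this order: msLAPS-EncryptedPassword, msLAPS-EncryptedDSRMPassword, msLAPS-Password. For the encrypted attributes only the first 8 bytes of the blob are read; nothing is decrypted. For msLAPS-Password the JSON blob is parsed and only its 't' field is used.

    .PARAMETER Identity
    The computer account identity to get the LAPS update time for.

    .EXAMPLE
    Get-LapsADUpdateTime -Identity foo

    .NOTES
    To convert the DateTime to the local time you can use the ToLocalTime() method on the output object.

        $updateTime = Get-LapsADUpdateTime -Identity foo
        $updateTime.ToLocalTime()

    The msLAPS-Password attribute stores the account password in clear text inside its JSON value. This function never writes that value to the verbose stream or to an error record, so running with -Verbose under a transcript or other logging does not record the password.

    A computer whose LAPS attribute is missing or cannot be parsed produces a non-terminating error and no output for that identity.
    #>
    [OutputType([DateTime])]
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]
        $Identity
    )

    process {
        foreach ($id in $Identity) {
            Write-Verbose "Attempting to get ADComputer for '$id'"
            try {
                # -ErrorAction Stop routes every lookup failure through the catch block so
                # a failed lookup yields exactly one error record and no further processing.
                $compInfo = Get-ADComputer $id -Properties msLAPS-Password, msLAPS-EncryptedPassword, msLAPS-EncryptedDSRMPassword -ErrorAction Stop
            }
            catch {
                $PSCmdlet.WriteError($_)
                continue
            }

            # Reset per identity so a parse failure can never report the previous
            # computer's timestamp.
            $encBlob = $blob = $updateFileTime = $null
            if ($compInfo.'msLAPS-EncryptedPassword') {
                $encBlob = $compInfo.'msLAPS-EncryptedPassword'
            }
            elseif ($compInfo.'msLAPS-EncryptedDSRMPassword') {
                $encBlob = $compInfo.'msLAPS-EncryptedDSRMPassword'
            }
            elseif ($compInfo.'msLAPS-Password') {
                $blob = $compInfo.'msLAPS-Password'
            }

            if ($encBlob) {
                [byte[]]$encBytes = $encBlob

                # The timestamp occupies the first 8 bytes; a shorter value cannot hold one.
                if ($encBytes.Length -lt 8) {
                    $err = [System.Management.Automation.ErrorRecord]::new(
                        [Exception]::new("LAPS encrypted blob for $id is too short to contain a timestamp"),
                        'InvalidLAPSBlob',
                        'InvalidData',
                        $id)
                    $PSCmdlet.WriteError($err)
                    continue
                }

                # Only the 8 timestamp bytes are logged, never the rest of the blob.
                Write-Verbose "Getting timestamp from encrypted blob $([Convert]::ToBase64String($encBytes, 0, 8))"

                # The FILETIME is stored as two 32-bit halves, upper half first.
                $timeStampUpper = [int64][BitConverter]::ToUInt32($encBytes, 0)
                $timeStampLower = [int64][BitConverter]::ToUInt32($encBytes, 4)
                $updateFileTime = ($timeStampUpper -shl 32) -bor $timeStampLower
            }
            elseif ($blob) {
                # Do not log $blob: the JSON value carries the clear text password.
                Write-Verbose "Getting timestamp from the 't' field of the msLAPS-Password JSON blob"
                try {
                    $t = (ConvertFrom-Json -InputObject $blob -ErrorAction Stop).t
                    if ([string]::IsNullOrEmpty($t)) {
                        throw "missing 't' field"
                    }

                    # 't' is the FILETIME written as a hexadecimal string.
                    $updateFileTime = [Convert]::ToInt64($t, 16)
                }
                catch {
                    # Use a fixed message rather than the parser's own text so no part of
                    # the JSON value can end up in the error stream.
                    $err = [System.Management.Automation.ErrorRecord]::new(
                        [Exception]::new("Failed to read the LAPS timestamp from the msLAPS-Password attribute for $id"),
                        'InvalidLAPSBlob',
                        'InvalidData',
                        $id)
                    $PSCmdlet.WriteError($err)
                    continue
                }
            }
            else {
                $err = [System.Management.Automation.ErrorRecord]::new(
                    [Exception]::new("Failed to find LAPS attribute for $id"),
                    'NoLAPSAttribute',
                    'ObjectNotFound',
                    $id)
                $PSCmdlet.WriteError($err)
                continue
            }

            Write-Verbose "Converting raw FILETIME $updateFileTime to DateTime object"
            [DateTime]::FromFileTimeUtc($updateFileTime)
        }
    }
}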
@PrzemyslawKlys

PrzemyslawKlys commented Mar 25, 2025

There's a small typo in line 47 'msLAPS-EncryptedDSRMPassword' not 'ms-LAPS'. And also 'msLAPS-EncryptedDSRMPassword' is missing in properties in line 36.

Other than that super! Thank you

@jborean93
Author

Thanks updated it
