29. LAPS Check Tools

C:\Program Files (x86)\OVERLAPS\lapscheck.exe
C:\Program Files (x86)\OVERLAPS\lapscheck_system.exe

This tool is useful for diagnosing problems if OVERLAPS is unable to read the LAPS password properties from Active Directory.

When passed the Distinguished Name of an Organizational Unit or Computer, the tool will check:

  1. That it can find and read the object in Active Directory
  2. That the LAPS schema extensions are present
  3. What users have read and/or write permission to the LAPS properties
  4. And finally, if it is a computer, it will attempt to read the LAPS password and expiry date.

The tool can be run as the current user, passed a username and password, or you can run “lapscheck_system.exe” which will attempt to run the query as the NT AUTHORITY\SYSTEM account, so the same permissions as OVERLAPS uses by default.

29.1 Command Line Arguments

29.1.1 Required Arguments

The distinguished name of an Organizational Unit or computer is required as the first parameter.

29.1.2 Optional Arguments

/user:<username> Specify the user account to run the test as.
/password:<password> The password for the account specified by “/user”.
/out:<filename.log> Output the results of the test to a log file.
/append If using “/out”, this will append the test data to the log file instead of overwriting it.

29.2 Examples

lapscheck.exe "OU=Laptops,OU=Endpoints,DC=contoso,DC=com"

Checks the permissions and configuration of the "Laptops" OU.

lapscheck_system.exe "CN=DevLaptop,OU=Laptops,OU=Endpoints,DC=contoso,DC=com"

Checks the permissions and configuration of a specific laptop, this time using the Local System account.