When Active Directory (AD) becomes unavailable due to corruption, attack, or accidental deletion, gaining access to domain-joined machines can become a critical challenge, especially in environments that rely on Windows LAPS to manage local admin credentials.
This article walks through a practical and secure way to recover LAPS-managed passwords from an offline AD backup. This method allows IT administrators to regain access to domain-joined machines even in the worst-case scenario of Active Directory failure.
Scenario
You’re in a situation where:
- Active Directory is completely down or corrupted.
- Domain user logons are no longer possible.
- You need local administrator access to a machine joined to the domain.
- You were using Windows LAPS to randomize and manage local administrator passwords centrally in AD.
Fortunately, if you have a backup of your domain controller, you can recover the password securely using dsamain.exe and PowerShell.
Requirements
To perform this recovery, you’ll need the following:
- A backup of the ntds.dit database file from a domain controller.
- The matching SYSTEM registry hive file from the same machine.
- A workstation with RSAT tools installed or a domain controller itself.
- PowerShell 7 or later.
- The LAPS PowerShell module available on your machine.
Step 1 – Launch a Temporary LDAP Instance from the Offline Backup
Use dsamain.exe to mount the offline Active Directory database and expose it through a non-standard LDAP port. This avoids interfering with any live AD services.
Example command:
dsamain.exe -dbpath "C:\adbackup\Active Directory\ntds.dit" -ldapPort 50000
Explanation:
- dbpath specifies the path to the backed-up AD database.
- ldapPort opens the database on port 50000 (or any unused port of your choice).
The command should return:
The operation completed successfully.
You can now query the AD backup as if it were live, using the port you defined.
Step 2 – Recover the LAPS Password Using PowerShell
Now that the LDAP server is listening on port 50000, use PowerShell to retrieve the LAPS-managed local administrator password.
Here’s how:
Get-LapsADPassword -Identity "ComputerName" -Port 50000 -RecoveryMode -AsPlainText
Replace "ComputerName" with the name of the machine you’re trying to recover.
Example output:
ComputerName : WSLIENT
Account : LocalAdmin398960
Password : BalancingFifteenIvanaBuffaloTuesdayBoilerAsparagusJersey
PasswordUpdateTime : 4/3/2025 1:18:19 AM
ExpirationTimestamp : 4/3/2025 1:18:19 AM
You can now use this password to log in to the local administrator account on the target machine — even without domain connectivity.
Step 3 – Secure the Process
Since this process involves direct access to AD secrets, ensure that:
- Access to the ntds.dit and SYSTEM hive is restricted to domain admins or backup operators.
- The PowerShell session used for password recovery is secure and ideally not internet-connected.
- Logs are generated and stored if required by policy.
- You shut down the temporary LDAP server once the password is retrieved.
To stop the temporary LDAP instance, simply close the dsamain.exe console window.
Retrieve Multiple Passwords
You can automate this process to retrieve multiple passwords from the same mounted LDAP instance using a loop or CSV list:
$computers = @("PC001", "PC002", "PC003")
foreach ($comp in $computers) {
Get-LapsADPassword -Identity $comp -Port 50000 -RecoveryMode -AsPlainText
}
You may optionally export the results to a secure encrypted file or Vault, depending on your disaster recovery plan.
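Putting Steps 1 to 3 and the bulk retrieval together, here is an added example script (not from the original article) that mounts the backup, waits for the LDAP port to accept connections, retrieves the passwords for a list of computers as SecureStrings, saves them DPAPI-protected with Export-Clixml, and stops dsamain.exe afterwards even if something fails. The paths, port, computer names and output file are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Paths, port, computer names and
# output file below are placeholders; replace them for your environment.
param(
    [string]   $DitPath   = 'C:\adbackup\Active Directory\ntds.dit',
    [int]      $LdapPort  = 50000,
    [string[]] $Computers = @('PC001', 'PC002', 'PC003'),
    [string]   $OutFile   = 'C:\adbackup\laps-recovery.clixml'
)
Import-Module LAPS -ErrorAction Stop

function Wait-LdapPort {
    # Poll the loopback LDAP port until dsamain.exe accepts connections or we time out.
    param([int] $Port, [int] $TimeoutSeconds = 60)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $client = [System.Net.Sockets.TcpClient]::new()
        try {
            $client.Connect('127.0.0.1', $Port)
            if ($client.Connected) { return $true }
        } catch { Start-Sleep -Seconds 2 } finally { $client.Dispose() }
    }
    return $false
}

# Step 1: mount the offline database on a non-standard LDAP port (opens its own console window).
$dsamain = Start-Process -FilePath 'dsamain.exe' -PassThru `
    -ArgumentList @('-dbpath', "`"$DitPath`"", '-ldapPort', $LdapPort)
try {
    if (-not (Wait-LdapPort -Port $LdapPort)) {
        throw "dsamain.exe did not start listening on port $LdapPort"
    }
    # Step 2: query each computer. Without -AsPlainText the Password property
    # stays a SecureString, so no clear-text password lands in the transcript.
    $results = foreach ($comp in $Computers) {
        try {
            Get-LapsADPassword -Identity $comp -Port $LdapPort -RecoveryMode
        } catch {
            Write-Warning "No LAPS password recovered for ${comp}: $($_.Exception.Message)"
        }
    }
    # Export-Clixml stores SecureStrings DPAPI-protected for the current user on
    # this machine, which is the "secure encrypted file" the article suggests.
    $results | Export-Clixml -Path $OutFile
}
finally {
    # Step 3: always tear down the temporary LDAP instance, even on error.
    if ($dsamain -and -not $dsamain.HasExited) { Stop-Process -Id $dsamain.Id -Force }
}
```

Read the file back later with Import-Clixml on the same account and machine; a SecureString exported this way cannot be decrypted elsewhere.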
Conclusion
Windows LAPS offers excellent security and automation for local admin password management. But in critical scenarios like an AD failure, having a recovery plan is essential. With access to a backup of the AD database and the correct tools, administrators can safely retrieve LAPS-managed passwords and maintain operational continuity, even when the directory is offline.
Implementing and regularly testing this recovery process should be part of any organization's disaster recovery strategy.