It is a good idea to review your companys Microsoft's Local Administrator Password Solution LAPS installation. Leo Loobeek published a nice powershell-script which helps in finding groups which are specifically delegated by sysadmins and finding users with
"All Extended Rights" that can view passwords, and viewing all computers
with LAPS enabled.
https://github.com/leoloobeek/LAPSToolkit
https://github.com/leoloobeek/LAPSToolkit/blob/master/LAPSToolkit.ps1
Get-LAPSComputers
Displays all computers with LAPS enabled, password expriation, and password if user has access
Find-LAPSDelegatedGroups
Searches through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute
Find-AdmPwdExtendedRights
Parses through ExtendedRights for each AD computer with
LAPS enabled and looks for which group has read access and if any user
has "All Extended Rights". Sysadmins may not be aware the users with All
Extended Rights can view passwords and may be less protected than the
users in the delegated groups. An example is the user which adds a
computer to the domain automatically receives the "All Extended Rights"
permission. Since this function will parse ACLs for each AD computer,
this can take very long with a larger domain.
I've seen installations, where LAPS was implemented to improve security. However due to wrong configuration way to many people where able to read passwords in Active Directory (
Mitre Att&ck Tactic Credential Access)
