From Rob Fuller comes this article on dumping LAPS passwords using ldapsearch. LAPS is Microsoft's solution for managing and randomizing the local administrator password on domain-joined systems; each password is stored in Active Directory on the computer object (the ms-Mcs-AdmPwd attribute). In old LAPS deployments whose attribute permissions were never tightened, any domain user can simply read these. Current installations require an extra permission: the extended right that allows reading the attribute (the LAPS PowerShell module's Find-AdmPwdExtendedRights cmdlet lists which principals hold it for a given OU). Because of that, abusing LAPS is usually a "win more" situation: you already own the domain, and now you own more of it. But there are environments where users who are not full AD admins still administer enough systems to have been granted this access (help desk staff or departmental admins, for example). It is also worth counting this as part of the risk you take on when handing out privileged accounts: if Sam is given a privileged account, keep in mind that Sam can probably now read local admin passwords too, whether or not anyone intended that. Similarly, if any account with this access is disclosed or cracked, every local admin password it could read should be treated as compromised and changed as well.
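As an added example (not code from Rob Fuller's post or from any LAPS tooling), here is the shape of the ldapsearch query and the LDIF handling it implies. The domain corp.local, the DC dc01.corp.local, the bind account helpdesk@corp.local and the sample output are all made up; the attribute names ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime are the real LAPS schema attributes. The script assumes OpenLDAP's ldapsearch, GNU `base64 -d`, and a shell with 64-bit arithmetic.

```shell
#!/bin/sh
# Added example, not code from the post being summarized: pull LAPS passwords
# over LDAP with ldapsearch and turn the LDIF into one tab-separated line per
# computer. Hostnames, base DN and bind account are made-up placeholders.

# Query every computer object that has a LAPS password set. The attribute is
# confidential, so a bind account without the extended right sees no
# ms-Mcs-AdmPwd values and, with this filter, no entries at all.
# -o ldif-wrap=no keeps long values on one line so the parser stays simple;
# -W prompts for the bind password instead of exposing it in argv.
laps_query() {
    ldapsearch -x -LLL -o ldif-wrap=no \
        -H "ldap://${1:-dc01.corp.local}" \
        -D "${2:-helpdesk@corp.local}" -W \
        -b "${3:-DC=corp,DC=local}" \
        '(&(objectClass=computer)(ms-Mcs-AdmPwd=*))' \
        dNSHostName ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
}

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100 ns ticks since
# 1601-01-01 UTC). Convert it to Unix epoch seconds (64-bit arithmetic needed).
filetime_to_epoch() {
    echo $(( ($1 - 116444736000000000) / 10000000 ))
}

# Parse LDIF from stdin. LDIF base64-encodes a value ("attr:: ...") when it
# starts with a space, ':' or '<', or contains non-ASCII; decode those.
# Output: host<TAB>password<TAB>expiry-epoch
laps_parse() {
    host=""; pw=""; exp=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            dn:*) host=""; pw=""; exp="" ;;
            "dNSHostName: "*) host=${line#dNSHostName: } ;;
            "ms-Mcs-AdmPwd:: "*) pw=$(printf '%s' "${line#ms-Mcs-AdmPwd:: }" | base64 -d) ;;
            "ms-Mcs-AdmPwd: "*) pw=${line#ms-Mcs-AdmPwd: } ;;
            "ms-Mcs-AdmPwdExpirationTime: "*) exp=$(filetime_to_epoch "${line#ms-Mcs-AdmPwdExpirationTime: }") ;;
            "") if [ -n "$host" ]; then printf '%s\t%s\t%s\n' "$host" "$pw" "$exp"; fi; host="" ;;
        esac
    done
    # Last entry is not followed by a blank line.
    if [ -n "$host" ]; then printf '%s\t%s\t%s\n' "$host" "$pw" "$exp"; fi
    return 0
}

# Constructed sample of what ldapsearch returns (not real data). The second
# password is base64-encoded by LDIF because it starts with a space.
sample_ldif() {
    cat <<'EOF'
dn: CN=WS01,OU=Workstations,DC=corp,DC=local
dNSHostName: ws01.corp.local
ms-Mcs-AdmPwd: x7Q!kL2#pV9m
ms-Mcs-AdmPwdExpirationTime: 133485408000000000

dn: CN=SRV02,OU=Servers,DC=corp,DC=local
dNSHostName: srv02.corp.local
ms-Mcs-AdmPwd:: IGxlYWRpbmctc3BhY2UtcHc=
ms-Mcs-AdmPwdExpirationTime: 133485408000000000
EOF
}

# Real use: laps_query dc01.corp.local helpdesk@corp.local 'DC=corp,DC=local' | laps_parse
# Offline demo on the constructed sample:
sample_ldif | laps_parse
```

Two things to keep in mind when reading the output. First, an empty result does not distinguish "no LAPS deployed" from "this account lacks the extended right": the attribute is confidential, so the server silently omits it, and the `(ms-Mcs-AdmPwd=*)` filter then matches nothing. Running the same query as a deliberately low-privileged account is therefore a quick check of whether the ACL is as tight as intended. Second, the expiration time only tells you when LAPS will next rotate the password; a password read today stays valid until then, which is why a compromised reader account means rotating every password it could see.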