C# LAPS mslaps-encryptedpassword decryption

Question

I was wondering if there was an official C# way to get the LAPS password from mslaps-encryptedpassword attribute decrypted using C#?

I know you can use the below powershell module to get the password, but I am having trouble finding documentation on how to do it in C#.

Powershell:

Get-LapsADPassword -Identity COMPUTERNAME -AsPlainText

from lapspsh.dll

I can get the value in C#, but I am unsure how to decrypt it. Looking to do this natively in C# without invoking PowerShell script/module.

Edit: msLAPS-Password (cleartext password) is not set in the new April 2023 implementation of LAPS if you choose to encrypt the password

Answer 1

According to Microsoft's Windows LAPS schema extensions reference, you can get the unencrypted password from the msLAPS-Password attribute:

msLAPS-Password

This attribute contains a Unicode string that specifies the clear-text version of the current password and other information.

The data that's stored in this attribute is a JSON string that contains multiple name-value pairs. For example:

{"n":"Administrator","t":"1d8161b41c41cde","p":"A6a3#7%eb!57be4a4B95Z43394ba956de69e5d8975#$8a6d)4f82da6ad500HGx"}

Each name-value pair in the JSON string has a specific meaning:

Name	Value
"n"	Contains the name of the managed local administrator account
"t"	Contains the UTC password update time represented as a 64-bit hexadecimal number
"p"	Contains the clear-text password