Misc: LAPS Password Retrieval Logs via DS Access

LAPS password retrieval activity can be logged via directory service advanced auditing, specifically event ID 4662, after configuring the appropriate GPO and SACLs.

Scenario: a user with adequate permissions to retrieve the LAPS password for a computer account (“ARDENVALE” in this example) does so using PowerShell

retrieve LAPS password

To find the corresponding object access events, first resolve the LAPS AD property to its corresponding schema GUID

based on https://stackoverflow.com/a/51326601

Then query for 4662 events containing that GUID

example query using Elastic