LAPS password retrieval activity can be logged via directory service advanced auditing, specifically event ID 4662, after configuring the appropriate GPO and SACLs.
Scenario: a user with adequate permissions to retrieve the LAPS password for a computer account (“ARDENVALE” in this example) does so using PowerShell
To find the corresponding object access events, first resolve the LAPS AD property to its corresponding schema GUID
Then query for 4662 events containing that GUID
