LAPS password retrieval activity can be logged via directory service advanced auditing, specifically event ID 4662, after configuring the appropriate GPO and SACLs.
Scenario: a user with adequate permissions to retrieve the LAPS password for a computer account (“ARDENVALE” in this example) does so using PowerShell
To find the corresponding object access events, first resolve the LAPS AD property to its corresponding schema GUID
Then query for 4662 events containing that GUID
Create your profile
Only paid subscribers can comment on this post
Check your email
For your security, we need to re-authenticate you.
Click the link we sent to , or click here to sign in.