Is Windows LAPS Auditing Worthless?

Asked By CuriousCat42 On

I'm really struggling with Windows LAPS auditing right now. From what I've found, it seems almost unusable. The only event ID for auditing is 4662, which logs any operation performed on an Active Directory object, but it gets tricky because this event logs every single time anyone opens a computer object in Active Directory Users and Computers (ADUC), regardless of whether they actually look at a LAPS password. Since LAPS attributes are all eagerly loaded, it makes it impossible to tell who is actually viewing or decrypting LAPS passwords. I'm hoping someone has some advice or has found a better way to handle this situation. Thanks!

4 Answers

Answered By TechGuru99 On

You're spot on with your frustration. Microsoft does expect you to have their E5 license for better options like PIM. However, a workaround is using Intune to enforce a policy that disables the local admin account. This not only helps with security but also rakes in some points with Microsoft! In our setup, we add devices to an exempt group for those needing the LAPS password, and that addition is logged well. It sounds like a roundabout way to track access to LAPS passwords, but it helps in our case where the passwords often don't hold much value without the local admin account being active.

Answered By AuditAdventurer On

You’re correct about the logging with Event 4662 when the ms-Mcs-AdmPwd attribute is accessed. You'll need to look up the corresponding schemaIDGUID in ADSI Edit to make sense of your logs. But if what you're seeking is more detailed user access tracking, that might hint at needing a dedicated PAM solution instead.

SecuritySavvy -

Exactly! For the robust auditing you need, a proper Privileged Access Management (PAM) solution could be the way to go.
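As an added illustration of the Event 4662 approach described in the answer above (this is example code, not from any poster in this thread), the PowerShell below resolves the schemaIDGUID of the LAPS password attributes from the schema partition, the same value you would otherwise look up in ADSI Edit, and then keeps only those 4662 events whose Properties field references one of those GUIDs. It assumes it runs on a domain controller (or against one) with the ActiveDirectory module and Security log read access, and that a SACL auditing "Read property" on the computer objects already exists, since 4662 is only produced where a SACL applies. The Windows LAPS attribute names msLAPS-Password and msLAPS-EncryptedPassword are added from general knowledge; only ms-Mcs-AdmPwd appears in the thread.

```powershell
# Added example: correlate Security event 4662 with LAPS password attribute reads.
# Assumptions: ActiveDirectory module available, Security log readable, and a SACL
# that audits "Read property" on computer objects for these attributes.
#Requires -Modules ActiveDirectory

$lapsAttributes = @(
    'ms-Mcs-AdmPwd',            # legacy LAPS (named in the thread)
    'msLAPS-Password',          # Windows LAPS, cleartext password attribute
    'msLAPS-EncryptedPassword'  # Windows LAPS, encrypted password attribute
)

# Resolve each attribute's schemaIDGUID from the schema naming context.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidToAttr = @{}
foreach ($name in $lapsAttributes) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if ($obj) {
        # schemaIDGUID is stored as a byte array; cast it to a GUID string for matching.
        $guid = ([guid]$obj.schemaIDGUID).Guid.ToLower()
        $guidToAttr[$guid] = $name
    }
}

# Pull 4662 events for the last 24 hours; narrow the window on busy DCs.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # The Properties field lists access-type and property GUIDs in braces,
    # for example "%%7688 {guid}"; extract every GUID and compare to our map.
    $guids = [regex]::Matches([string]$d['Properties'], '\{([0-9a-fA-F-]{36})\}') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }

    foreach ($g in $guids) {
        if ($guidToAttr.ContainsKey($g)) {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Subject    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object     = $d['ObjectName']    # DN or object GUID, as logged
                Attribute  = $guidToAttr[$g]
                AccessMask = $d['AccessMask']    # 0x10 = Read Property
            }
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

Filtering on the property GUID removes the 4662 noise from reads of unrelated attributes, but it does not resolve the problem the question raises: because ADUC loads the LAPS attributes whenever a computer object is opened, an ADUC browse and a deliberate password retrieval produce the same event, so the output should be read as "who had the password attribute returned to them", not "who looked at the password".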

Answered By ResourceFinder On

Not directly related to your issue, but you might want to check out this link: https://int64software.com/overlaps/docs/. It could provide some useful insights or workarounds for your LAPS setup!

Answered By SysAdminPro On

I’ve been looking into this too! ManageEngine ADAudit Plus has some new features for auditing LAPS, and from what I’ve seen, it seems to provide clearer logs. I’m not sure if it handles the backend differently, but it might be worth investigating for better visibility on LAPS activities.
