How to identify changes in LAPS?

Local Administrator Password Solution (LAPS) acts as a central repository of local administrators' passwords in Active Directory. Continuously monitoring and auditing changes in LAPS is essential to track who is viewing and modifying the local administrators' credentials. This can help detect anomalous behavior exhibited by insiders and accelerate forensic analysis in case of a mishap.

Track changes in LAPS Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

How to track changes in LAPS with ADAudit Plus

  • Once ADAudit Plus has been installed, it automatically configures audit policies required for Active Directory auditing.

  • To enable automatic configuration: Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.

  • Changes in LAPS can be identified by following the below mentioned steps:

    1. Login to ADAudit Plus

    2. Select the required Domain from the dropdown list

    3. Go to the Reports tab

    4. Navigate to LAPS Audit

    5. Select LAPS Password Read

  • The following are some of the details you can get in this report:

    1. Object Name - Name of the computer object

    2. Modified time - The time at which the LAPS attribute has been modified

    3. Who Changed - Name of the user who made the change

    4. Domain Controller - Name of domain controller

    5. Message - Explains the LAPS modification in verbose format

    6. Modified attributes - Indicates the LAPS attribute that has been altered

    7. Remarks - States the type of access that has been made

  • LAPS password expiry changes can be tracked by following the below mentioned steps:

    1. Login to ADAudit Plus.

    2. Select the required Domain from the dropdown list.

    3. Go to the Reports tab.

    4. Navigate to LAPS Audit.

    5. Select LAPS Password Expiry Changes.

  • The following are some of the details you can get in this report:

    1. New account name - Name of the computer object.

    2. Caller user name - Name of the user who has modified password expiration time and date.

    3. Modified time - The time at which the password expiration value has been modified.

    4. Modified attributes - Indicates the LAPS attribute that has been altered.

    5. New value - The present password expiration date and time after the modification.

    6. Old Value - The expiration date and time before the modification.

  • ADAudit Plus enables IT administrators to have a comprehensive picture of all the activities that happen within an organization's network. The real-time monitoring and out-of-the-box reports generated by ADAudit Plus makes it easier to track critical changes made to LAPS, and detect and prevent mishaps.

With native AD auditing, here is how you can monitor the LAPS password history:

  • Step 1: Enable 'Audit logon events' policy
  • Launch 'Server Manager' in your Windows Server instance.

  • Under Manage, select 'Group Policy Management' and launch the Group Policy Management console.

  • Navigate to 'Forest' --> 'Domain' --> 'Your domain' --> 'Domain Controllers'.

  • Create a new GPO and link it to the domain containing the computer object, or edit any existing GPO that is linked to the domain to open the 'Group Policy Management Editor'.

  • Navigate to 'Computer Configuration' ➔ 'Windows Settings' ➔ 'Security Settings' ➔ 'Advanced Audit Policy Configuration' ➔ 'System Audit Policies' ➔ 'DS Access'

  • Under DS Access, turn auditing on for Success and failure events of the following policies:

    1. Audit Directory Service Access

    2. Audit Directory Service Changes

  • In the GPMC, choose the modified GPO, and click 'Add' in the 'Security' section on the right pane.

  • Type 'everyone' in the text box to apply the modified GPO to all the objects, click 'Check Names' to confirm the same.

  • Press 'OK' and Exit GPMC.

  • To enforce these changes throughout the domain, run the command 'gpupdate /force', in the "Run" console.

  • Step 2: Allow AD Auditing through ADSI Edit
  • From your 'Server Manager' go to 'Tools' and select 'ADSI Edit'.

  • Right click 'ADSI Edit' node from the left pane and select 'Connect to' option. This pulls up the 'Connection Settings' window.

  • Select the 'Default Naming Context' option from the 'Select a well-known Naming Context' drop down list.

  • Click 'OK' and return to the ADSI Edit window. Expand 'Default Naming Context' and select the associated 'DC' subnode. Right-click this subnode and click 'Properties'.

  • In the 'Properties' window, go to the 'Security' tab and select 'Advanced'. After that select 'Auditing' tab and click 'Add'.

  • Click on Select a principal. This will bring up a Select User, Computer or Group Window.

  • Type Everyone in the textbox and verify it with Check Names.

  • The principal field in the Auditing Entry window now shows Everyone.

  • In the Type drop-down select All to audit for both success and failure events.

  • In the Select drop-down choose This object and all descendant object's. This allows the auditing of the OU's descendant objects.

  • Select Full Control in the Permissions section.

  • Click Apply, then OK, and close the console.

  • Step 3: View events in Event Viewer
  • In Event Viewer window, go to Windows Logs ➔ Security logs.

  • Click on Filter current log under Action in the right panel.

  • Search for Event ID 4662 that identifies password changes in LAPS.

  • You can double-click on the event to view Event Properties.

  • These steps need to be repeated for all the workstations to audit changes in LAPS. Manually checking every event is time-consuming, inefficient and practically impossible for large organizations.

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

ADAudit Plus simplifies LAPS password history tracking by offering predefined LAPS Password Expiry Changes report along with intuitive graphical representation of the same for the ease of comprehension. ADAudit Plus also provides you the option to generate custom reports and export them in your preferred format (PDF, XLS, HTML, and CSV).

Related How-tos

Request Support

Thanks

One of our solution experts will get in touch with you shortly.

    Please enter business email address
  •  
     
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.