How to audit LAPS password access using Windows PowerShell and ADAudit Plus

Local Administrator Password Solution (LAPS) improves network security by giving every managed computer a strong, unique local administrator password that is rotated on a schedule. Because these passwords are stored centrally in Active Directory (for the original LAPS, in the ms-Mcs-AdmPwd attribute of each computer object), anyone who can read that attribute can log in to any of those workstations as the local administrator. LAPS itself can only switch auditing on; it has no reporting of its own, so a third-party tool is needed to report on which users have actually read the local administrator passwords.

ManageEngine ADAudit Plus, a real-time AD auditing solution, offers a much easier alternative to performing the same task in native AD.

This article describes how to audit LAPS password access with Windows PowerShell and with ADAudit Plus.

Using Windows PowerShell

PowerShell can enable auditing of LAPS password reads. Once enabled, every read of a LAPS password in Active Directory is recorded in the Security event log of the domain controller that served the request, as event ID 4662 (an operation was performed on an object), which you can view in Event Viewer.

To set up auditing with PowerShell:

  • Identify the domain, and the OU containing the computer objects, that you need to audit.
  • Import the AdmPwd.PS module (installed with the LAPS management tools).
  • Run Set-AdmPwdAuditing against that OU. A sample command is shown at the end of this section; PowerShell is interpreted, so there is nothing to compile.
  • Make sure the Directory Service Access audit subcategory is enabled for success on the domain controllers (through the Advanced Audit Policy in Group Policy). The cmdlet only writes a SACL; without that audit policy the SACL produces no events.
  • Auditing is now set up.

Here is a sample script:

Set-AdmPwdAuditing -Identity:Clients -AuditedPrincipals:Everyone
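The whole procedure, as an added example that is not code from the original article or from ManageEngine or Microsoft: it enables the SACL on an OU, then closes the reporting gap by collecting the resulting event ID 4662 records from every domain controller and reducing them to a table of who read which computer's password. It assumes the original LAPS (the AdmPwd.PS module and the ms-Mcs-AdmPwd attribute; Windows LAPS stores the password in msLAPS-Password and ships its own auditing cmdlet), the ActiveDirectory RSAT module, and rights to read the domain controllers' Security logs. The OU name Clients and the group name 'LAPS Password Readers' are placeholders.

```powershell
# Added example, not from the original article or from ManageEngine/Microsoft.
# Assumes the original LAPS (AdmPwd.PS, attribute ms-Mcs-AdmPwd), the ActiveDirectory
# RSAT module, and permission to read each domain controller's Security log.
# "Clients" (OU) and "LAPS Password Readers" (group) are placeholder names.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# 1. Write a SACL on the OU so every read of ms-Mcs-AdmPwd by any principal
#    is audited. The SACL alone logs nothing: the "Directory Service Access"
#    audit subcategory must also be enabled (for success) on the domain
#    controllers. auditpol only affects the host it runs on, so in practice
#    set it through Advanced Audit Policy in the Domain Controllers GPO.
Set-AdmPwdAuditing -Identity:Clients -AuditedPrincipals:Everyone
auditpol.exe /set /subcategory:"Directory Service Access" /success:enable

# 2. Look up the schemaIDGUID of the password attribute. The GUID is
#    generated when the schema is extended, so it differs per forest and
#    cannot be hard-coded. Event 4662 identifies attributes by this GUID.
function Get-LapsAttributeGuid {
    param([string]$AttributeName = 'ms-Mcs-AdmPwd')
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Filter "name -eq '$AttributeName'" `
                         -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema" }
    return [guid]$attr.schemaIDGUID
}

# 3. Pull 4662 events from every DC. A read is logged only on the DC that
#    answered it, so a single DC's log is never the complete picture.
function Get-LapsPasswordReadEvents {
    param(
        [Parameter(Mandatory)][guid]$AttributeGuid,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter `
                               -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $d = @{}
            foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) {
                $d[$item.Name] = $item.'#text'
            }
            # Keep reads (AccessMask bit 0x10 = Read Property) whose Properties
            # list includes the password attribute's GUID; every other 4662 on
            # the audited OU is noise for this report.
            $mask = [int]$d.AccessMask
            if (($mask -band 0x10) -eq 0) { continue }
            if ($d.Properties -notlike "*$AttributeGuid*") { continue }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                DC       = $dc.HostName
                Account  = $d.SubjectUserName
                Reader   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Computer = $d.ObjectName      # DN (or GUID) of the computer whose password was read
                LogonId  = $d.SubjectLogonId  # correlate with event 4624 to find the source host
            }
        }
    }
}

# 4. Build the report and flag anyone outside the authorized readers group.
$guid  = Get-LapsAttributeGuid
$reads = Get-LapsPasswordReadEvents -AttributeGuid $guid -Since (Get-Date).AddDays(-30)
$reads | Sort-Object Time | Format-Table Time, Reader, Computer, DC -AutoSize
$reads | Export-Csv -Path .\laps-password-reads.csv -NoTypeInformation

$allowed = (Get-ADGroupMember -Identity 'LAPS Password Readers' -Recursive).SamAccountName
$reads | Where-Object { $_.Account -notin $allowed } |
    Select-Object Time, Reader, Computer, DC
```

The last pipeline is the check worth running on a schedule: any account that appears there either has a delegation you did not know about or has used someone else's session. The SubjectLogonId lets you tie the read back to the logon (event 4624) that performed it.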

Using ADAudit Plus

  • In the ADAudit Plus console, click Reports > LAPS Audits > LAPS Password Read to generate a report on the users who have accessed the passwords.
  • Select the relevant domain and OU.
  • Click Export to export the report in the different formats listed (CSV, PDF, HTML, CSVDE, XLSX).

LAPS Password Read reports list the users who have read the passwords in the chosen time frame. Only a small group of authorized users, usually network administrators, should be able to read them. Regularly reviewing the report helps confirm that only the designated users have done so.

Here is a sample report (screenshot: powershell-set-admpwdauditing-1).

These are the limitations of using PowerShell to audit LAPS:

  • PowerShell can only enable auditing. It does not produce the report itself.
  • This method requires several tools. Administrators have to enable auditing in PowerShell and then read Event Viewer to find out who accessed the LAPS passwords. Even in Event Viewer there is no single consolidated view of all LAPS password reads: event 4662 is logged only on the domain controller that answered the read, so every domain controller's Security log has to be checked, and the events of interest have to be picked out of all the other 4662 events. Manually sifting through them is time-consuming.

ADAudit Plus is an Active Directory auditing and reporting tool that continuously audits the network and generates pre-packaged reports on all AD objects. It also raises real-time alerts on suspicious activity on the network. It has a separate section for LAPS and can generate reports as and when needed.

  • Avoid complex PowerShell-scripting, and simplify AD change auditing with ADAudit Plus.