Audit log [LAPS]

    Question

  • In implementing LAPS, I have already run the command "Set-AdmPwdAuditing -OrgUnit LAPSPC -AuditedPrincipals LAPSAdmin" but still cannot see the audit log in the security log as system event 4662.

    • Moved by nzpcmad1 Monday, September 18, 2017 6:50 PM From ADFS
    Monday, September 18, 2017 1:31 PM

All replies

  • LAPS access auditing:

    Set-AdmPwdAuditing -OrgUnit <name of OU on which you want to set up the auditing> -AuditedPrincipals <identification of users/groups whose access to the password shall be audited>

    When someone accesses the LAPS password attribute, event ID 4662 is logged on the Domain Controller that responded to the read request.

    Microsoft Local Administrator Password Solution (LAPS):
    https://adsecurity.org/?p=1790

    LAPS Audit Reporting via WEF PoSH and PowerBI:
    https://blogs.technet.microsoft.com/kfalde/2015/11/18/laps-audit-reporting-via-wef-posh-and-powerbi/

    Thanks,


    Solution for Active Directory auditing, monitoring and management.

    • Proposed as answer by AnveedBanned Tuesday, September 19, 2017 1:20 PM
    Tuesday, September 19, 2017 6:52 AM
  • I have already run the command for auditing and accessed the password in 3 ways: 1. Client FAT UI 2. Computer properties 3. Running the get-password command in PowerShell. But I do not see event 4662 in the Windows log on the Domain Controller. Why does the log not appear?
    Tuesday, September 19, 2017 2:26 PM
  • Hi,

    Based on my research, event 4662 is generated every time an operation is performed on an Active Directory object. I will give you the following recommendations. I hope they are helpful to you:
    1. Please run auditpol /get /category:* on the DC to see if the subcategory Directory Service Access is set to Success and Failure.
    2. If not, you could try creating a group policy on the DC and enabling this setting under: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access > Audit Directory Service Access

    For more information about event 4662, please refer to the following article:
    4662(S, F): An operation was performed on an object.
    https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4662

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 20, 2017 11:07 AM
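The checks discussed in the replies above, gathered into one script as an added example (not code from any poster in this thread or from the LAPS project): it confirms the audit policy, looks up the schema GUID of ms-Mcs-AdmPwd, lists the audit entries on the OU, and searches the DC's Security log for matching 4662 events. The OU distinguished name and the 2000-event window are assumptions, as is the expectation that the audit entry created by Set-AdmPwdAuditing is scoped to that attribute's GUID.

```powershell
# Added diagnostic example. Run on a domain controller, elevated, with the
# ActiveDirectory module installed.
Import-Module ActiveDirectory
$OuDn = 'OU=LAPSPC,DC=example,DC=com'   # assumption: replace with the audited OU's DN

# 1. Effective audit policy on this DC: should report "Success and Failure".
auditpol /get /subcategory:"Directory Service Access"

# 2. Forest-specific schemaIDGUID of the LAPS password attribute.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' `
    -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd not found; is the LAPS schema extension installed?' }
$pwdGuid = [guid]$attr.schemaIDGUID

# 3. Audit (SACL) entries on the OU that reference that attribute.
#    Assumption: Set-AdmPwdAuditing scopes its audit entry to this GUID.
$acl  = Get-Acl -Path "AD:\$OuDn" -Audit
$sacl = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq $pwdGuid }
if ($sacl) {
    $sacl | Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
} else {
    Write-Warning "No audit entry referencing ms-Mcs-AdmPwd found on $OuDn"
}

# 4. Recent 4662 events on this DC whose Properties field names that GUID.
#    The 2000-event window is an arbitrary bound for this example.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } `
        -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['Properties'] -match [regex]::Escape($pwdGuid.ToString())) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = $data['ObjectName']
            }
        }
    }
if ($hits) { $hits | Format-Table -AutoSize }
else { Write-Warning 'No 4662 events reference ms-Mcs-AdmPwd on this DC; check the other DCs too.' }
```

Because event 4662 is written on the Domain Controller that answered the read, run step 4 on every DC or against a forwarded event collection.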
  • I have already set it following step 2 of your suggestion, but it doesn't show event 4662 in the domain controller log. By the way, the AD server runs on Windows Server 2008 and the clients run on Windows 7 and Windows 10. I then accessed the password of the PC via the client FAT UI on another client PC. I'm not sure: is it possible that I use the LAPSAdmin group to access the password and log on the Domain Controller?
    Sunday, September 24, 2017 9:53 AM
  • Hi,
     
    Thanks for sharing your current progress.

    Based on your situation, I recommend you try querying the Local Administrator Password directly on the DC to see if Event 4662 appears.
    Also, if you want to query the Local Administrator Password on the client and log Event 4662 on DC, you might also need to set the subcategory Directory Service Access on the client to Success and Failure.

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling


    Tuesday, September 26, 2017 12:44 PM
  • Hi Albert, I have already accessed the password on the domain controller by running the command Get-AdmPwdPassword -Computername Client7 in PowerShell, but event 4662 does not appear in the log.
    Wednesday, September 27, 2017 7:19 AM
  • Hi,

    Based on your situation, this is not normal behavior. I would suggest you open a case with Microsoft Technical Support to see if they can get more information regarding this problem: https://www.microsoft.com/en-us/worldwide.aspx.

    Thanks for your understanding and cooperation.

    Best Regards,
    Albert Ling


    Friday, September 29, 2017 8:56 AM