LAPS - Event id for password read and password expiry changes

  • Question

  • Can I audit “Get-AdmPwdPassword” and “Reset-AdmPwdPassword” separately? In my testing, after enabling LAPS auditing, both get and reset events are recorded in event 4662, but I could not identify which one is the get-password event and which one is the reset-password event.
    Thursday, October 17, 2019 10:57 AM

All replies

  • Hi,

    We can check the Operation part of event 4662 to identify which event is related to reading the current password and which event is related to resetting the password.

    Please check the following screenshots:
    The Accesses field is Read Property when we read the current password.

    The Accesses field is Write Property when we reset the password.

    For your reference:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662

    Best Regards,

    William


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 18, 2019 8:10 AM
    Moderator
  • However, in my event log, the Operation Accesses shows "Control Access" for both read and change password. Is there something I am missing?

    Best Regards,

    Liv.

    Monday, October 21, 2019 4:46 AM
  • Hi,

    I would suggest you confirm the current SACL settings:

    To minimize audit noise, we should select the least permissions for our auditing.

    In my lab, the SACL is configured at OU level, applies to Descendant Computer Objects, and I just selected the following permission items.

    Best Regards,

    William



    • Marked as answer by liv.lam Monday, October 21, 2019 9:47 AM
    Monday, October 21, 2019 5:39 AM
    Moderator
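As an added example (not posted in the thread), here is a PowerShell script that applies the two points above: it pulls 4662 events from a DC's Security log, keeps only those whose audited property list contains the ms-Mcs-AdmPwd attribute, and classifies each by the AccessMask bits (Read Property = read, Write Property = reset), flagging Control Access entries as ambiguous so you know the SACL still needs narrowing. It assumes the ActiveDirectory module is available and that the SACL from the answer is in place; the function name and output fields are my own.

```powershell
# Added example, not from the thread. Classify LAPS-related 4662 events on a DC
# by AccessMask. Assumes the ActiveDirectory module and an existing SACL on
# ms-Mcs-AdmPwd (the rest of this script is an assumption, not LAPS's own tooling).
Import-Module ActiveDirectory

# The schemaIDGUID of ms-Mcs-AdmPwd is forest-specific, so look it up instead of hard-coding it.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$attr       = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$admPwdGuid = ([guid]$attr.schemaIDGUID).Guid   # string form, as it appears in the 4662 Properties field

# ADS_RIGHTS_ENUM bits that 4662 reports in AccessMask
$ReadProp   = 0x10    # Read Property  -> password read
$WriteProp  = 0x20    # Write Property -> password reset
$CtrlAccess = 0x100   # Control Access -> cannot tell read from reset; narrow the SACL

function Get-LapsPasswordAccess {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Keep only events whose audited property list includes ms-Mcs-AdmPwd
        if ($d['Properties'] -notmatch $admPwdGuid) { return }

        $mask = [int]$d['AccessMask']   # e.g. "0x10" -> 16
        $op = switch ($true) {
            { ($mask -band $WriteProp)  -ne 0 } { 'Reset password (Write Property)'; break }
            { ($mask -band $ReadProp)   -ne 0 } { 'Read password (Read Property)';   break }
            { ($mask -band $CtrlAccess) -ne 0 } { 'Ambiguous (Control Access): narrow the SACL'; break }
            default                              { 'Other (0x{0:X})' -f $mask }
        }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Subject  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Computer = $d['ObjectName']
            Result   = $op
        }
    }
}

Get-LapsPasswordAccess | Format-Table -AutoSize
```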
  • Is there any event for a successfully triggered change of the local administrator account password by GPO refresh?
    Thursday, October 24, 2019 7:05 AM
  • Is there any event for a successfully triggered change of the local administrator account password by GPO refresh?

    Hi,

    If I understood your requirement correctly, I think you may want to monitor event 627 on clients.

    Please check the following article:

    Note: the audit policy is not enabled on clients by default.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-management

    Best Regards,

    William



    Thursday, October 24, 2019 7:19 AM
    Moderator
  • Please correct me if I am wrong.

    After enabling audit for LAPS, Event 4662 logs get/change password operations done by using PowerShell scripts or the LAPS UI. And this Event 4662 is located on the DC.

    However, the password is changed automatically by the LAPS GPO when "Password Settings" is enabled to configure the "Password Age (Days)". What I mean is: is there an event to trace the password reset done automatically by the LAPS GPO? And can I identify the GPO name from that password reset event?

    Thursday, October 24, 2019 9:13 AM