Forum Audit Active Directory LAPS by Change Auditor

State Not Answered
Replies 5 replies
Subscribers 20 subscribers
Views 5536 views
Users 0 members are here

Options

Related

Audit Active Directory LAPS by Change Auditor

saleem mahdawi over 4 years ago

Hello ,

has anyone tried before to Audit AD LAPS by Change Auditor ? is its possible ? and if yes , how ?

I need to Audit below LAPS Events :

Users who have viewed passwords.
Users who have modified a password's expiration time and date.

Thanks

Saleem,

Parents

0 JohnnyQuest over 4 years ago

From a bit of research, it looks like the LAPS managed local admin password is stored in ms-Mcs-AdmPwd on the computer account.

You can try to add this as monitored in Change Auditor by:

Go to: Administration Tasks | Auditing

Select the computer class

Go down to the unmonitored attribute window and type ms-Mcs-AdmPwd into the filter.

If it shows up in the list, select it and click "Add" to make it a monitored attribute for computers.

Then go to Administration Tasks | Configuration

Select all your DCs

Click "Refresh Configuration".

See also this article as it also describes enabling native auditing for this change (not sure if this is needed to make CA see it)

https://4sysops.com/archives/part-2-faqs-for-microsoft-local-administrator-password-solution-laps/
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 JohnnyQuest over 4 years ago

From a bit of research, it looks like the LAPS managed local admin password is stored in ms-Mcs-AdmPwd on the computer account.

You can try to add this as monitored in Change Auditor by:

Go to: Administration Tasks | Auditing

Select the computer class

Go down to the unmonitored attribute window and type ms-Mcs-AdmPwd into the filter.

If it shows up in the list, select it and click "Add" to make it a monitored attribute for computers.

Then go to Administration Tasks | Configuration

Select all your DCs

Click "Refresh Configuration".

See also this article as it also describes enabling native auditing for this change (not sure if this is needed to make CA see it)

https://4sysops.com/archives/part-2-faqs-for-microsoft-local-administrator-password-solution-laps/
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 saleem mahdawi over 4 years ago in reply to JohnnyQuest
Thanks Johnny for your reply, I tried to add these attributes with no luck getting what i am looking for which are:

Users who have viewed passwords.

Users who have modified a password's expiration time and date.

this was Quest suggesion also , but it didnt work , something here is missing
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 JohnnyQuest over 4 years ago in reply to saleem mahdawi

Read events are normally not logged as there are too many - did they tell you how to turn on logging of read events for that property?

Have you done Google research on where the expiration time and date are stored? It's probably on the local machine so you would have to install a CA agent on each host to get that data.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 saleem mahdawi over 4 years ago in reply to JohnnyQuest

the replied that I have to add ms-Mcs-AdmPwd attribute to CA , which is already done , but still didnt get any LAPS Related,

its should be technically possible, manage engine AD plus application can grab such kind of report without the need of installing agent.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel