ADAudit Plus Laps Report

ADAudit Plus Laps Report

We are looking to audit our LAPS password attribute reads, but we do not use the GUI tool from Microsoft to read the password attribute. The current LAPS Password Read report only seems to get the events that are generated by the gui tool and not the way we are using PowerShell and adsi searcher to grab the attribute.

Below is the powershell adsi code we are using to grab the attribute
  1. $computer = 'testpc'
  2. $filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$Computer))"
  3. $pw = ([adsisearcher]$filter).FindOne().Properties['ms-Mcs-AdmPwd']
Below is the 4662 event on a domain controller from the above query
  1. An operation was performed on an object.

  2. Subject :
  4. Account Name: USERNAME
  5. Account Domain: DOMAIN
  6. Logon ID: 0x165FB34B6

  7. Object:
  8. Object Server: DS
  9. Object Type: computer
  10. Object Name: CN=COMPUTERNAME,OU=Computers,,DC=PLCH,DC=NET
  11. Handle ID: 0x0

  12. Operation:
  13. Operation Type: Object Access
  14. Accesses: Control Access
  15. Access Mask: 0x100
  16. Properties: Control Access
  17. {bf967a86-0de6-11d0-a285-00aa003049e2}
  18. {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
  19. {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
  20. {b3f93023-9239-4f7c-b99c-6745d87adbc2}
  21. {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
  22. {b7ff5a38-0818-42b0-8110-d3d154c97f24}
  23. {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
  24. {aa4e1a6d-550d-4e05-8c35-4afcb917a9fe}
  25. {612cb747-c0e8-4f92-9221-fdd5f15b550d}
  26. {4f0d3fc5-ba76-46f5-b8ca-119d985365d6}

  27. Additional Information:
  28. Parameter 1: -
  29. Parameter 2:

Notice it does have the same guid's for the access:

But it also contains a few others and also has them in a different order.

Any help in getting this to show in the report is greatly appreciated.

      New to ADSelfService Plus?