We are looking to audit our LAPS password attribute reads, but we do not use the GUI tool from Microsoft to read the password attribute. The current LAPS Password Read report only seems to get the events that are generated by the gui tool and not the way we are using PowerShell and adsi searcher to grab the attribute.
Below is the powershell adsi code we are using to grab the attribute
- $computer = 'testpc'
- $filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$Computer))"
- $pw = ([adsisearcher]$filter).FindOne().Properties['ms-Mcs-AdmPwd']
Below is the 4662 event on a domain controller from the above query
- An operation was performed on an object.
- Subject :
- Security ID: DOMAIN\USERNAME
- Account Name: USERNAME
- Account Domain: DOMAIN
- Logon ID: 0x165FB34B6
- Object Server: DS
- Object Type: computer
- Object Name: CN=COMPUTERNAME,OU=Computers,,DC=PLCH,DC=NET
- Handle ID: 0x0
- Operation Type: Object Access
- Accesses: Control Access
- Access Mask: 0x100
- Properties: Control Access
- Additional Information:
- Parameter 1: -
- Parameter 2:
Notice it does have the same guid's for the access:
But it also contains a few others and also has them in a different order.
Any help in getting this to show in the report is greatly appreciated.