This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 31%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi
I want to know how can I track security logs in active directory after a helpdesk click on "show password" or after click on "expire now" on a computer account.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi @Mighani
Unfortunately It's not passible to track who read the password
All LAPS event tracked under Applications and Services > Logs > Microsoft > Windows > LAPS > Operational.
I invite you to read this article for more details:
Password update confirmation events
Please don't forget to accept helpful answer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello Mighani,
Thank you for posting in Q&A forum.
I agree with Thameur-BOURBITA. There are no event ID corresponding to click on "show password" or click on "expire now" on a computer account.
Here are some other event IDs for your references.
Windows LAPS troubleshooting guidance
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/windows-laps-troubleshooting-guidance
I hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
Hi @Mighani
Just cheking if there is any update
Please don't forget to accept helpful answer and close this thread
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 89%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
I know this is an old thread, but I just wanted to try and help.
I actually found a way to get a report on who has read the LAPS password. Here's my current environment setup:
Using Entra ID to manage LAPS
Devices enrolled in Intune
Endpoint Analytics enabled
Azure AD logs sent to Azure Workbooks
Using a KQL query, you can search for "Recover device local administrator password".
You’ll be able to see in detail who accessed the LAPS password and on which PC.
