LAPS strange issue

2021-10-07T06:30:29.097+00:00

We have enabled AD auditing to check which users read/viewed the local administrator password. Our issue is that some users are not doing any action, but the logs still show that they have accessed and read the LAPS password attribute.


Accepted answer
  1. Gary Reynolds 9,406 Reputation points
    2021-10-09T09:16:40.527+00:00

    Hi @Hussain Aziz Hassan Saleh - AC CESS

    I don't think there is a LAPS-specific command to remove an existing SACL entry. There might be a generic PowerShell command that is able to do it, or you can do it manually via the ADUC advanced permissions dialog under the Audit tab.

    Gary.


3 additional answers

  1. Gary Reynolds 9,406 Reputation points
    2021-10-07T07:33:59.907+00:00

    During the installation and configuration of LAPS you define the group that is able to read the ms-Mcs-AdmPwd attribute, which contains the local admin password as managed by LAPS. Only members of this group and users or groups that have full control of the computer objects are able to read the password.

    A couple of things to check:

    The AD auditing is set to record the read of the ms-Mcs-AdmPwd attribute
    The users in question have rights to read the ms-Mcs-AdmPwd attribute

    It's common for AD functions that read the attributes of an object to ask for all the attributes of the object (i.e. attribute=*). If the user has rights to read the ms-Mcs-AdmPwd attribute, then this request will trigger the AD audit read event. So if there is a background task running in the context of the user that reads the AD computer object, it could trigger the audit event, e.g. a GPO update.

    Gary.


  2. Limitless Technology 39,501 Reputation points
    2021-10-07T11:30:22.96+00:00

    Hello @Hussain Aziz Hassan Saleh - AC CESS

    This is a normal audit event triggered by an attribute request rather than by the user accessing the data. Basically, whenever the system requests to see some attributes, the request may include ms-Mcs-AdmPwd in AD, and it is done running in the user's context, thus appearing as if the user read/viewed the administrator password. It can be safely ignored.

    Hope this helps with your query,

    -------
    --If the reply is helpful, please Upvote and Accept as answer--


  3. 2021-10-09T07:22:33.067+00:00

    Thanks a lot..

    But what if the audit command was set to audit the Domain Admins group or Everyone, such as:

    Set-AdmPwdAuditing -Identity:Clients -AuditedPrincipals:Everyone
    Set-AdmPwdAuditing -Identity:Clients -AuditedPrincipals:"Domain Admins"

    and now I want to only audit a specific group ex. LapsAdminGroup. I tried setting the audit only for a specific group like the below:

    Set-AdmPwdAuditing -Identity:Clients -AuditedPrincipals:LapsAdminGroup

    But the Everyone or Domain Admins group is still in effect and cannot be overridden.

    Is there a command or a way to remove these groups from auditing? I searched, but I wasn't able to find one.

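As an added example (not code from this thread, nor part of the LAPS module), the generic PowerShell route Gary's accepted answer hints at for the question above: read the OU's SACL, keep only the ms-Mcs-AdmPwd audit entries that belong to the principals you name, and remove those while leaving the entry for the intended group (e.g. LapsAdminGroup) untouched. It assumes the ActiveDirectory module and its AD: drive, that the account running it holds SeSecurityPrivilege, that Set-Acl on the AD: drive writes back the SACL section, and placeholder OU and principal names.

```powershell
# Added example: remove the ms-Mcs-AdmPwd audit (SACL) entries that Set-AdmPwdAuditing
# created for broad principals such as Everyone or Domain Admins on a given OU.
# Assumes: ActiveDirectory module, SeSecurityPrivilege, and that Set-Acl on AD: writes the SACL.
Import-Module ActiveDirectory

function Remove-AdmPwdAuditEntry {
    param(
        [Parameter(Mandatory)] [string]   $OuDistinguishedName,  # placeholder, e.g. 'OU=Clients,DC=example,DC=com'
        [Parameter(Mandatory)] [string[]] $PrincipalsToRemove,   # e.g. 'Everyone', 'EXAMPLE\Domain Admins'
        [switch] $DryRun                                          # report only, change nothing
    )

    # schemaIDGUID of ms-Mcs-AdmPwd is generated when the schema is extended, so it is
    # forest-specific: look it up rather than hard-coding a value.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd not found in the schema; is the LAPS schema extension installed?' }
    $admPwdGuid = [guid]$attr.schemaIDGUID

    # -Audit is required to retrieve the SACL; without it Get-Acl returns only the DACL.
    $acl   = Get-Acl -Path "AD:\$OuDistinguishedName" -Audit
    # Explicit entries only (not inherited): Set-AdmPwdAuditing writes them on the OU itself.
    $rules = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])

    $removed = @()
    foreach ($rule in $rules) {
        # Only touch entries scoped to the ms-Mcs-AdmPwd attribute, never other audit settings.
        if ($rule.ObjectType -ne $admPwdGuid) { continue }
        if ($PrincipalsToRemove -notcontains $rule.IdentityReference.Value) { continue }
        Write-Host ("{0}: {1} {2} {3}" -f ($(if ($DryRun) { 'Would remove' } else { 'Removing' }),
            $rule.IdentityReference, $rule.ActiveDirectoryRights, $rule.AuditFlags)
        if (-not $DryRun) { [void]$acl.RemoveAuditRule($rule) }
        $removed += $rule
    }

    if ($removed.Count -gt 0 -and -not $DryRun) {
        Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
    }
    return $removed
}

# Dry run first; rerun without -DryRun to apply. LapsAdminGroup's entry is kept because it is not listed.
Remove-AdmPwdAuditEntry -OuDistinguishedName 'OU=Clients,DC=example,DC=com' `
    -PrincipalsToRemove 'Everyone', 'EXAMPLE\Domain Admins' -DryRun
```

If the broad entries were set on a parent OU rather than on Clients, run the function against that OU, since the filter deliberately skips inherited entries.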