Windows EventLog for Windows LAPS Events

To monitor Windows LAPS (Local Administrator Password Solution) activities in the Windows Event Log, you can track specific Event IDs. 

Key Windows LAPS Events IDs

The following events provide critical information about LAPS operations, such as password updates, policy processing, and authentication actions. Below is a list of key Event IDs and their descriptions:

Event IDDescription
10003LAPS policy processing is starting.
10004LAPS policy processing succeeded.
10005LAPS policy processing failed with an error code.
10018Successfully updated Active Directory with the new password.
10020Successfully updated the local administrator account with the new password.
10021Policy configured to back up the password to Windows Server Active Directory.
10022Policy configured to back up the password to Microsoft Entra ID (Azure AD).
10023Windows LAPS is configured to use a legacy Microsoft LAPS policy.
10029Successfully updated Microsoft Entra ID (Azure AD) with the new password.
10031Blocked an external request attempting to modify the managed account’s password.
10041Detected successful authentication for the managed account; post-authentication actions scheduled.
10042Post-authentication grace period expired; executing post-authentication actions.
10043Failed to reset the password after an authentication event; retrying until successful.
10044Successfully reset the password and completed all post-authentication actions.

Location of Logs in Event Viewer

The logs for Windows LAPS Events can be found in:

  • Applications and Services Logs > Microsoft > Windows > LAPS > Operational
LAPS Events  Viewer - Example
LAPS Event Viewer – Example

Additional Monitoring Tips

  1. For newly created local accounts, monitor:
    • Event ID 4720: Found under Security logs, indicating a new local account creation1.
  2. Use tools like PowerShell (Get-LapsDiagnostics) or centralized monitoring solutions to collect and analyze the LAPS Events logs for proactive management
Get-LapsDiagnostics

Get-LapsDiagnostics: all data for this run was written to the following zip file:
C:\Users\ah\AppData\Local\Temp\2\LapsDiagnostics\LapsDiagnostics_FILE-2025_2024120812_152819.zip

You can use the following 3 code examples to do even more or check here for more details:

#A basic collection of LAPS diagnostic info to a specific output folder.
Get-LapsDiagnostics -OutputFolder c:\LapsDiagFolder
#The same as above but across a forced password reset
Get-LapsDiagnostics -OutputFolder c:\LapsDiagFolder -ResetPassword
#Same Output but including a Network Trace 
Get-LapsDiagnostics -CollectNetworkTrace

These Event IDs provide comprehensive insights into the functioning of Windows LAPS, enabling administrators to monitor and troubleshoot effectively.

Learn how to deploy Windows LAPS here and check out these videos for more details.

Avatar for Andreas Hartig
Andreas Hartig - MVP - Cloud and Datacenter Management, Microsoft Azure

Related Posts

WAU Happy Dragons crazy about 110 percent security

Schedule Winget Auto Updates for operational usage

Deploying Winget Auto Updates (WAU) gives you a functional update baseline, for full functionality we need to configure more to get ready for production. If servers query the Winget repository…

Read more
WAU Happy Dragons about improved security

Centralized Software Patch Management: Deploying Winget Auto Updates (WAU) via Active Directory GPO

Deploying Winget Auto Updates for Software Patch Management for managing third-party software updates across an IT infrastructure typically requires expensive enterprise solutions. This article provides a technical guide on how…

Read more
Stay Hydrated Drink enoughv2

GPO Central Store – Help! My PolicyDefinitions Folder is missing

Your PolicyDefinitions Folder is missing? The GPO Central Store is key for Managing Group Policy Objects (GPOs) across multiple domain controllers can introduce configuration drift if administrative templates are not…

Read more
A single control plane for LAPS using AzureArc

Legacy LAPS vs. Windows LAPS vs. LAPS for Azure Arc

LAPS for Azure Arc is the new shining star, after for years, IT teams relied on the classic, legacy Microsoft LAPS tool. Microsoft then integrated Windows LAPS directly into the…

Read more
Dragons looking at AccountLockout Tool

AD Account Lockout (Free Tool)

The AD Account Lockout tool is free and very valuable in troubleshooting account lockouts in Active Directory. This is a task as old as the directory service itself. Even in…

Read more
Windows Server Summit 2026 Day 3 Dragons

Windows Server Summit 2026 Day 3

Introduction to Windows Server Summit 2026 Day 3 The final day of the Windows Server Summit 2026 shifted the spotlight from overarching hybrid control planes toward core infrastructure, protocol modernization,…

Read more