To monitor Windows LAPS (Local Administrator Password Solution) activities in the Windows Event Log, you can track specific Event IDs.
Key Windows LAPS Event IDs
The following events provide critical information about LAPS operations, such as password updates, policy processing, and authentication actions. Below is a list of key Event IDs and their descriptions:
Event ID | Description |
---|---|
10003 | LAPS policy processing is starting. |
10004 | LAPS policy processing succeeded. |
10005 | LAPS policy processing failed with an error code. |
10018 | Successfully updated Active Directory with the new password. |
10020 | Successfully updated the local administrator account with the new password. |
10021 | Policy configured to back up the password to Windows Server Active Directory. |
10022 | Policy configured to back up the password to Microsoft Entra ID (Azure AD). |
10023 | Windows LAPS is configured to use a legacy Microsoft LAPS policy. |
10029 | Successfully updated Microsoft Entra ID (Azure AD) with the new password. |
10031 | Blocked an external request attempting to modify the managed account’s password. |
10041 | Detected successful authentication for the managed account; post-authentication actions scheduled. |
10042 | Post-authentication grace period expired; executing post-authentication actions. |
10043 | Failed to reset the password after an authentication event; retrying until successful. |
10044 | Successfully reset the password and completed all post-authentication actions. |
Location of Logs in Event Viewer
The logs for Windows LAPS Events can be found in:
- Applications and Services Logs > Microsoft > Windows > LAPS > Operational
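
One way to pull the events from the table above out of that log and triage them, as an added example that is not from the original article. The channel name `Microsoft-Windows-LAPS/Operational` corresponds to the Event Viewer path above; the seven-day window and the choice of which IDs are flagged for attention are assumptions of this example.

```powershell
# Added example. Event IDs and meanings come from the table above;
# the 7-day window and the "needs attention" grouping are assumptions.
$logName   = 'Microsoft-Windows-LAPS/Operational'
$since     = (Get-Date).AddDays(-7)
$meaning   = @{
    10005 = 'Policy processing failed'
    10018 = 'Active Directory updated with new password'
    10020 = 'Local administrator account updated'
    10029 = 'Microsoft Entra ID updated with new password'
    10031 = 'External password modification blocked'
    10041 = 'Managed account authentication detected'
    10043 = 'Post-authentication password reset failed'
    10044 = 'Post-authentication actions completed'
}
$attention = 10005, 10031, 10043

try {
    $events = @(Get-WinEvent -ErrorAction Stop -FilterHashtable @{
        LogName = $logName; Id = [int[]]@($meaning.Keys); StartTime = $since })
} catch {
    # Get-WinEvent raises an error when nothing matches; treat that as empty.
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    $events = @()
}

# Per-ID summary: how often each event fired and when it was last seen.
$events | Group-Object Id | ForEach-Object {
    $id = [int]$_.Name
    [pscustomobject]@{
        EventId   = $id
        Count     = $_.Count
        LastSeen  = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
        Meaning   = $meaning[$id]
        Attention = $id -in $attention
    }
} | Sort-Object EventId | Format-Table -AutoSize

# Full message text for the failure and blocked-request events.
$events | Where-Object Id -in $attention |
    Sort-Object TimeCreated | Format-List TimeCreated, Id, Message

# Each 10041 should eventually be followed by a 10044; list any that are not
# (recent ones may still be inside the post-authentication grace period).
$resets = @($events | Where-Object Id -eq 10044)
$events | Where-Object Id -eq 10041 | Where-Object {
    $auth = $_
    -not ($resets | Where-Object { $_.TimeCreated -ge $auth.TimeCreated })
} | Format-List TimeCreated, Id, Message
```

Run it in an elevated PowerShell session on the managed device; an empty result from the last pipeline means every detected authentication in the window was followed by a completed reset.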
Additional Monitoring Tips
- For newly created local accounts, monitor:
  - Event ID 4720: Found under Security logs, indicating a new local account creation.
- Use tools like PowerShell (`Get-LapsDiagnostics`) or centralized monitoring solutions to collect and analyze the LAPS event logs for proactive management.
```
Get-LapsDiagnostics
Get-LapsDiagnostics: all data for this run was written to the following zip file:
C:\Users\ah\AppData\Local\Temp\2\LapsDiagnostics\LapsDiagnostics_FILE-2025_2024120812_152819.zip
```
You can use the following 3 code examples to do even more or check here for more details:
```powershell
# A basic collection of LAPS diagnostic info to a specific output folder.
Get-LapsDiagnostics -OutputFolder c:\LapsDiagFolder
# The same as above, but collected across a forced password reset.
Get-LapsDiagnostics -OutputFolder c:\LapsDiagFolder -ResetPassword
# Also collect a network trace (no -OutputFolder, so the zip goes to the default temp location).
Get-LapsDiagnostics -CollectNetworkTrace
```
These Event IDs provide comprehensive insights into the functioning of Windows LAPS, enabling administrators to monitor and troubleshoot effectively.
Learn how to deploy Windows LAPS here and check out these videos for more details.