Home Windows Server Windows EventLog for Windows LAPS Events

Windows EventLog for Windows LAPS Events

Windows Server · 4. January 2025

To monitor Windows LAPS (Local Administrator Password Solution) activities in the Windows Event Log, you can track specific Event IDs. 

Key Windows LAPS Events IDs

The following events provide critical information about LAPS operations, such as password updates, policy processing, and authentication actions. Below is a list of key Event IDs and their descriptions:

Event IDDescription
10003LAPS policy processing is starting.
10004LAPS policy processing succeeded.
10005LAPS policy processing failed with an error code.
10018Successfully updated Active Directory with the new password.
10020Successfully updated the local administrator account with the new password.
10021Policy configured to back up the password to Windows Server Active Directory.
10022Policy configured to back up the password to Microsoft Entra ID (Azure AD).
10023Windows LAPS is configured to use a legacy Microsoft LAPS policy.
10029Successfully updated Microsoft Entra ID (Azure AD) with the new password.
10031Blocked an external request attempting to modify the managed account’s password.
10041Detected successful authentication for the managed account; post-authentication actions scheduled.
10042Post-authentication grace period expired; executing post-authentication actions.
10043Failed to reset the password after an authentication event; retrying until successful.
10044Successfully reset the password and completed all post-authentication actions.

Location of Logs in Event Viewer

The logs for Windows LAPS Events can be found in:

  • Applications and Services Logs > Microsoft > Windows > LAPS > Operational
LAPS Events Viewer - Example
LAPS Event Viewer – Example

Additional Monitoring Tips

  1. For newly created local accounts, monitor:
    • Event ID 4720: Found under Security logs, indicating a new local account creation1.
  2. Use tools like PowerShell (Get-LapsDiagnostics) or centralized monitoring solutions to collect and analyze the LAPS Events logs for proactive management
Get-LapsDiagnostics

Get-LapsDiagnostics: all data for this run was written to the following zip file:
C:\Users\ah\AppData\Local\Temp\2\LapsDiagnostics\LapsDiagnostics_FILE-2025_2024120812_152819.zip

You can use the following 3 code examples to do even more or check here for more details:

#A basic collection of LAPS diagnostic info to a specific output folder.
Get-LapsDiagnostics -OutputFolder c:\LapsDiagFolder
#The same as above but across a forced password reset
Get-LapsDiagnostics -OutputFolder c:\LapsDiagFolder -ResetPassword
#Same Output but including a Network Trace 
Get-LapsDiagnostics -CollectNetworkTrace

These Event IDs provide comprehensive insights into the functioning of Windows LAPS, enabling administrators to monitor and troubleshoot effectively.

Learn how to deploy Windows LAPS here and check out these videos for more details.

Spread the knowledge
Avatar for Andreas Hartig
Andreas Hartig
Andreas Hartig - MVP - Cloud and Datacenter Management, Microsoft Azure

Related Posts

error 0xC004FC07 and a dragon IT architect from the shadowrun world loosing his mind of resolving this error
Windows Server

Windows Server Activation Error 0xC004FC07 & 0xC004F069

· 26. April 2025

You are receiving error 0xC004FC07 when trying to apply a license to your Windows Server 2022 / 2025? Maybe your server is randomly shutting down after a few hours? This…

Spread the knowledge
Read more
An IT architect looking like a dragon from the shadowrun universe learning about Windows Server 2025 Change Version error 0xc004f050
Windows Server

Windows Server 2025 – Change Version error 0xc004f050

· 5. April 2025

When updating a Windows Server 2025 from Windows Standard to Windows Server 2025 Datacenter edition using the GUI, you did receive error 0xc004f050? Fix for Windows Server license upgrade error…

Spread the knowledge
Read more
Automatic Virtual Machine Activation with a dragon IT architect from the shadowrun world
Azure

AVMA – Simplifying Offline Device Activation

· 29. March 2025

AVMA can help in the ever-evolving world of IT, where managing software licenses across virtual machines (VMs) can be a daunting task, especially when dealing with offline devices. Traditional methods…

Spread the knowledge
Read more
IT Architect dragon from the shadowrun universe with Hyper V and Certificates theme
Windows Server

Windows Server 2025 – Hyper-V Import Error 0x80070057

· 1. March 2025

When exporting a Windows 10 / 11 VM from a Hyper-V Host and importing it, you can end up with error 0x80070057 “The key protector for the virtual machine ‘YourMachineName’…

Spread the knowledge
Read more
A dragon IT Architect in the shadowrun world looking very concentrated on a document to decided if he should migrate from LAPS to Windows LAPS and when.
Windows Server

Windows LAPS and Legacy LAPS – Key Differences

· 1. February 2025

Windows LAPS (Local Administrator Password Solution) is the successor to the legacy LAPS, offering significant improvements and new features while maintaining some of the core functionalities of its predecessor. Below…

Spread the knowledge
Read more
A dragon IT architect from the shadowrun world sitting on an egg protecting Active Directory
Windows Server

Windows Server 2025 – Part 7 (Active Directory Hardening)

· 16. January 2025

In today’s world, cybersecurity is not just a necessity; it’s a foundation for your business’s integrity and trustworthiness. One of the key components of this foundation is Active Directory hardening….

Spread the knowledge
Read more