No data available
Cause
This error occurs when no valid LAPS events are being logged.
Troubleshooting
Verify that LAPS events are being logged in the Event Viewer when the Windows LAPS password is read on the domain controller.
Follow the steps below:
- Note the current time in UTC (in the following format: 2025-02-19T12:25:00.0000000Z).
- Note the SchemaIDGUID of the LAPS attributes:
  - Open the ADSI Edit tool on your domain controller.
  - Expand the schema node in the left pane, and click the CN=Schema,CN=Configuration,DC=<your domain> folder.
  - Scroll down the list and find ms-LAPS-Password.
  - Double-click it, scroll down the list to find the attribute SchemaIDGUID, and note it down.
  - Likewise, note down the SchemaIDGUID for ms-LAPS-EncryptedPassword and ms-LAPS-EncryptedDSRMPassword.
- Do a sample LAPS Password Read to generate the event.
- Navigate to Event Viewer > Windows Logs > Security.
- Under the Actions pane, click Filter Current Log and go to the XML tab.
- Check the Edit Query Manually box and paste the following query, replacing the SystemTime value with the UTC time noted earlier.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[TimeCreated[@SystemTime>'2025-02-19T12:25:00.0000000Z']]] and
      *[System[EventID="4662"]] and
      *[System[Keywords="0x8020000000000000"]] and
      *[EventData[Data[@Name='AccessMask']='0x100']] and
      *[EventData[Data[@Name='ObjectType']='%{bf967a86-0de6-11d0-a285-00aa003049e2}']]
    </Select>
  </Query>
</QueryList>
- Check whether the listed events are valid LAPS events by verifying that the Account Name is correct and the Properties field contains the list of SchemaIDGUIDs noted earlier.
- If you find such events, valid LAPS events are being logged but ADAudit Plus is not able to audit them. Please contact support@adauditplus.com to fix the issue.
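The same check can be scripted instead of clicking through ADSI Edit and Event Viewer. The following PowerShell is an added example, not part of the ADAudit Plus documentation; it assumes an elevated session on the domain controller with the ActiveDirectory module installed, and the `$since` value is a placeholder for the UTC time you noted before the sample password read.

```powershell
# Added example: run elevated on the domain controller (ActiveDirectory module assumed).
Import-Module ActiveDirectory

# Placeholder: replace with the UTC time noted before the sample LAPS password read.
$since = '2025-02-19T12:25:00.0000000Z'

# Look up the SchemaIDGUID of each LAPS attribute named in the steps above.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsGuids = @{}
foreach ($name in 'ms-LAPS-Password', 'ms-LAPS-EncryptedPassword', 'ms-LAPS-EncryptedDSRMPassword') {
    $attr = Get-ADObject -SearchBase $schemaNC -Filter "Name -eq '$name'" -Properties schemaIDGUID
    if ($attr) { $lapsGuids[$name] = ([guid]$attr.schemaIDGUID).ToString() }
    else       { Write-Warning "$name was not found in the schema." }
}

# Same filter as the Event Viewer query above, with the start time substituted.
$filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[TimeCreated[@SystemTime>'$since']]] and
      *[System[EventID="4662"]] and
      *[System[Keywords="0x8020000000000000"]] and
      *[EventData[Data[@Name='AccessMask']='0x100']] and
      *[EventData[Data[@Name='ObjectType']='%{bf967a86-0de6-11d0-a285-00aa003049e2}']]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises an error when nothing matches; treat that as "no events logged".
$events = Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No matching 4662 events since $since."; return }

foreach ($evt in $events) {
    # Flatten the EventData fields into a name/value table.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # An event counts as a LAPS read when Properties lists one of the noted GUIDs.
    $hits = @($lapsGuids.GetEnumerator() |
        Where-Object { $data['Properties'] -match [regex]::Escape($_.Value) } |
        ForEach-Object { $_.Key })

    [pscustomobject]@{
        TimeCreated    = $evt.TimeCreated.ToUniversalTime().ToString('o')
        AccountName    = $data['SubjectUserName']
        LapsAttributes = $hits -join ', '
        ValidLapsEvent = $hits.Count -gt 0
    }
}
```

Rows with `ValidLapsEvent` set to `True` and the expected `AccountName` correspond to the valid LAPS events described in the last two steps.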