![\"\"](\"https:\/\/www.adminbyrequest.com\/en\/wp-content\/uploads\/2025\/11\/inline-1-1024x574.png\")
<\/figure>\n\n\n\nLAPS Logs Password Retrieval, Not What Happens During the Session<\/h2>\n\n\n\n
LAPS tells you when someone retrieved a password from AD, but it doesn’t tell you what they did with it.<\/p>\n\n\n\n
When you enable auditing for Legacy LAPS (which isn’t on by default), Event ID 4662 gets logged on your domain controllers whenever someone accesses the password attribute. Windows LAPS uses similar audit mechanisms, whether storing passwords in Active Directory or Entra ID. You can see who grabbed the password and when.<\/p>\n\n\n\n
What you can’t see:<\/p>\n\n\n\n
- \n
- What applications they ran with admin rights<\/li>\n\n\n\n
- What system changes they made<\/li>\n\n\n\n
- What files they accessed or modified<\/li>\n\n\n\n
- How long the session actually lasted<\/li>\n\n\n\n
- Whether multiple techs shared the same password<\/li>\n<\/ul>\n\n\n\n
LAPS tracks password access<\/em>, not password usage<\/em>. That’s a significant gap for compliance requirements that demand detailed session auditing.<\/p>\n\n\n\n
Multiple techs might use the same LAPS password before it rotates. If something goes wrong during an admin session, you know someone accessed the password, but not necessarily who was actually logged in when the incident occurred.<\/p>\n\n\n\n
Cloud and Hybrid Environments Create LAPS Complications<\/h2>\n\n\n\n
Legacy LAPS only works with on-premises Active Directory. If you’re cloud-first or Azure AD-only, Legacy LAPS isn’t an option.<\/p>\n\n\n\n
Windows LAPS, introduced in April 2023<\/a>, added Entra ID support, which helps cloud-native organizations. But it comes with a constraint: each device can only back up passwords to either Active Directory or Entra ID, not both. You can have different devices in your organization use different backends, but each individual device must choose one directory.<\/p>\n\n\n\n
For hybrid environments where some devices are AD-joined and others are Entra ID-joined, this creates complexity. You need to manage two separate LAPS configurations or force all devices to use a single directory backend.<\/p>\n\n\n\n
The April 2023 rollout of Windows LAPS also created interoperability problems<\/a>. Organizations running both Windows LAPS and Legacy LAPS on the same devices experienced failures where both implementations broke<\/a>. Microsoft provided workarounds, but the migration path wasn’t smooth.<\/p>\n\n\n\n
Cloud-native organizations using only Entra ID can make Windows LAPS work, but they’re still constrained by the same connectivity requirements and audit limitations.<\/p>\n\n\n\n
The Workflow Friction Adds Up<\/h2>\n\n\n\n
LAPS creates workflow friction that scales poorly:<\/p>\n\n\n\n
- \n
- Admin needs emergency access to a device<\/li>\n\n\n\n
- Admin or helpdesk finds device in Active Directory or Azure portal (for Windows LAPS with Entra ID)<\/li>\n\n\n\n
- Admin retrieves password through LAPS GUI, PowerShell, Azure portal, or RSAT<\/li>\n\n\n\n
- Admin somehow delivers password to the tech who needs it<\/li>\n\n\n\n
- Tech logs in using shared credential<\/li>\n\n\n\n
- Tech logs out when done<\/li>\n\n\n\n
- Password eventually rotates based on policy<\/li>\n<\/ol>\n\n\n\n
This process works for occasional use but multiply it across dozens of daily requests in a large organization and it\u2019ll add up.<\/p>\n\n\n\n
Mobile access compounds this. Retrieving LAPS passwords typically requires RSAT tools or PowerShell. There’s no mobile-friendly option for on-call administrators who need to grant access outside business hours.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.adminbyrequest.com\/en\/wp-content\/uploads\/2025\/11\/inline-2-1024x574.png\")
<\/figure>\n\n\n\nA Different Approach: Break Glass Accounts<\/h2>\n\n\n\n