If LAPS (Local Administrator Password Solution) has been installed in an Active Directory domain and the ms-Mcs-AdmPwd attribute has been enabled for auditing in Change Auditor, the ms-Mcs-AdmPwd attribute audit data is displayed in plain text.
If Active Directory Event Logging has been enabled, the password is shown in clear text in the InTrust for AD event log on the agent. These events will be recorded in the InTrust for AD log even if ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime are not added as monitored attributes.
By design, Microsoft's LAPS solution stores the Local Administrator password in plain text in the ms-Mcs-AdmPwd Active Directory attribute. The Change Auditor agent, running as the Local System account on a Domain Controller, has the required access to read this attribute data; this is intended and by design.
This detail, and further details on LAPS, can be found at the following links: