Monday, 17 February 2014

Monitor / trace live LDAP queries against Active Directory

I have recently been trying to trace all LDAP queries executed against Active Directory and found it difficult to find any Microsoft tool for the task. The ADInsight tool seems to be deprecated and has several issues, including problems running on virtual machines.

The simplest solution I found was in this TechNet forum thread:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c1677d2b-7e29-4382-9bea-84f3399d37e3/ldap-connectionsqueries-logging?forum=winserverDS

Setting the following registry values on the domain controller makes the LDAP queries appear in the Directory Service event log (as Event ID 1644 entries, one per search that crosses the thresholds; with both thresholds at 1 that is every search, so expect a high volume of events on a busy DC and turn the logging level back down when you are done).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
  15 Field Engineering                   DWORD = 5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  Expensive Search Results Threshold     DWORD = 1
  Inefficient Search Results Threshold   DWORD = 1
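The same change as a PowerShell script, added here as an example (it is not from the original post or the forum thread): it sets the three values, then reads the resulting 1644 events back and pulls out the client address, search base and filter. Get-LdapSearchEvents is a name chosen for this example, and the parsing assumes the English text of the event message.

```powershell
# Added example: enable LDAP search logging on a domain controller and read it back.
# Run in an elevated PowerShell session on the DC itself.
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Level 5 on "15 Field Engineering" turns on per-search logging (Event ID 1644).
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord

# With both thresholds at 1 every search counts as expensive/inefficient, so every query is logged.
# Set-ItemProperty creates the values if they do not exist yet.
Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'   -Value 1 -Type DWord
Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold' -Value 1 -Type DWord

# Read the logged searches. Assumption: the English event message, which carries
# "Client:", "Starting node:" and "Filter:" labels on separate lines.
function Get-LdapSearchEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $m = $_.Message
            $client = if ($m -match 'Client:\s*(\S+)')            { $Matches[1] }        else { $null }
            $base   = if ($m -match 'Starting node:\s*(.+?)\r?\n') { $Matches[1].Trim() } else { $null }
            $filter = if ($m -match 'Filter:\s*(.+?)\r?\n')        { $Matches[1].Trim() } else { $null }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Client = $client   # source IP:port of the LDAP client
                Base   = $base     # DN the search started from
                Filter = $filter   # the LDAP filter string as issued
            }
        }
}

Get-LdapSearchEvents | Format-Table -AutoSize

# Revert when finished; level 5 with thresholds of 1 is noisy on a busy DC.
# Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0 -Type DWord
```

Use any LDAP client against the DC after running the first part and the new searches show up in the table within a few seconds.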


1 comment:

  1. Why not document your Active Directory configuration with our network audit tool

    http://www.centrel-solutions.com/XIAConfiguration/Capabilities.aspx?capability=ActiveDirectory
