Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Log LDAP queries

Posted on 2014-03-07
3
Medium Priority
?
474 Views
Last Modified: 2014-03-31
I would like to log all LDAP queries to a domain controller over a 24h period. What's the best approach? I'm looking for the content of the queries, not just the source.
0
Comment
Question by:albatros99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Accepted Solution

by:
eSourceONE earned 1500 total points
ID: 39912621
You could use portmirroring and tools like wireshark to monitor traffic on LDAP port 389.
This will only monitor the unencrypted traffic though. If your clients / software use LDAP over SSL you will see traffic on port 636 but won't be able to see the contents.

You should also read this:
http://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx

and this:
http://technet.microsoft.com/en-us/library/cc961809.aspx

and see if you can get ADS to log the queries in the windows security logs.

Hope this helps.

Best regards,

Lars
0
 
LVL 1

Expert Comment

by:miller3773
ID: 39913802
Netmon from Microsoft will also work and you can isolate only LDAP traffic.
0
 
LVL 3

Author Comment

by:albatros99
ID: 39966525
I ended up changing the following two keys:

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics
"15 Field Engineering" set to 5 (default is 0)
 
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\
Expensive Search Results Threshold:DWORD set to 1

The information ends up in the Directory Service Log.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question