Log LDAP access of the Active Directory

The Windows Security event log does track this, but it isn't easy to extract out of the firehose. The key markers of an LDAP login:

  • EventID: 4624
  • SubjectUserSID: S-1-5-18

The details will be lurking in these XML elements:

  • TargetUserName
  • IPAddress

If you're viewing things in the decoded text-view, the key markers are:

  • EventID: 4624
  • Network Information -> Workstation Name = name of the LDAP Server

The details will be:

  • Network Information -> Source Network Address
  • New Logon -> Account Name

The key thing that differentiates these login events from regular login events is that the LDAP binds are in effect logging in TO the domain controller in question. That's why the "Workstation Name" field is filled in.

Phrasing the search to get these events will prove tricky.
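As an added example (not part of the original post), here is one way to phrase that search on the domain controller itself: an XPath filter pushes the EventID/SubjectUserSid match into the event log service, and the script then projects the fields the post points at. It assumes the standard 4624 EventData names (SubjectUserSid, TargetUserName, IpAddress, WorkstationName) and that the script runs on the DC with rights to read the Security log.

```powershell
# Added example: list candidate LDAP logon events from the local Security log.
# Not code from the original post; field names are the standard 4624 EventData
# Data/@Name values and are an assumption about the log format on your DC.
param(
    [int]$MaxEvents = 500,
    [string]$LogName = 'Security'
)

# Filter inside the event log service rather than pulling every 4624 and
# filtering in PowerShell: EventID 4624 with a SYSTEM (S-1-5-18) subject.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='SubjectUserSid']='S-1-5-18']]"

$events = Get-WinEvent -LogName $LogName -FilterXPath $xpath `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the raw XML so the named Data elements can be read by name.
    [xml]$x = $e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        Account       = $data['TargetUserName']      # New Logon -> Account Name
        Domain        = $data['TargetDomainName']
        SourceAddress = $data['IpAddress']           # Network Information -> Source Network Address
        Workstation   = $data['WorkstationName']     # Network Information -> Workstation Name
        LogonType     = $data['LogonType']
        # The post's discriminator: for LDAP binds the workstation name is the
        # DC itself. Exposed as a column instead of a hard filter so that
        # short-name vs. FQDN mismatches don't silently hide events.
        WorkstationIsThisDC = ($data['WorkstationName'] -ieq $env:COMPUTERNAME)
    }
}
```

Pipe the output to `Where-Object WorkstationIsThisDC` or `Export-Csv` once you have confirmed the Workstation Name value matches the form the post describes in your environment.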