Log LDAP access to Active Directory
The Windows Security event log does track this, but it isn't easy to extract out of the firehose. The key markers of an LDAP login:
- EventID: 4624
- SubjectUserSid: S-1-5-18
The details will be lurking in these XML elements:
- TargetUserName
- IpAddress
If you're viewing things in the decoded text-view, the key markers are:
- EventID: 4624
- Network Information -> Workstation Name = name of the LDAP Server
The details will be:
- Network Information -> Source Network Address
- New Logon -> Account Name
The key thing that differentiates these login events from regular login events is that the LDAP binds are in effect logging in TO the domain controller in question. That's why the "Workstation Name" field is filled in.
Phrasing the search to get these events will prove tricky.
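One way to phrase that search with the markers listed above, as an added example that is not part of the original answer. It assumes an elevated PowerShell session on the domain controller, that `$env:COMPUTERNAME` matches the value logged in "Workstation Name", and an arbitrary cap of 5000 events.

```powershell
# Added example. Run in an elevated session on the domain controller.
# Markers from the text: EventID 4624 with SubjectUserSid S-1-5-18.
$xpath = "*[System[(EventID=4624)] and EventData[Data[@Name='SubjectUserSid']='S-1-5-18']]"

# Assumption: the DC's own computer name is what appears in "Workstation Name".
$dcName = $env:COMPUTERNAME

$binds = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 |
    ForEach-Object {
        # Flatten the <EventData><Data Name="..."> elements into a lookup table.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            TargetUserName  = $fields['TargetUserName']
            IpAddress       = $fields['IpAddress']
            WorkstationName = $fields['WorkstationName']
        }
    } |
    # Keep only logons made TO this DC, the trait that sets LDAP binds apart.
    Where-Object { $_.WorkstationName -eq $dcName }

# One row per account and source address, busiest first.
$binds |
    Group-Object TargetUserName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The XPath filter is evaluated by the event log service, so only matching 4624 records are returned to PowerShell; the Workstation Name comparison then runs locally on that reduced set.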