How to audit LDAP queries

LDAP queries can be used to find objects that meet certain criteria in the AD database such as the list of disabled user accounts, users with empty email value, groups created within the last 30 days, and so on. Auditing LDAP queries can help system admins ensure that the directory is not compromised and can also provide handy information if an organization is running applications that frequently generate expensive or inefficient queries.

The following is a comparison between auditing LDAP queries using native auditing and ManageEngine's ADAudit Plus, a comprehensive real-time Active Directory auditing solution.

Download for FREE Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

  • Login to ADAudit Plus web console as an administrator.

  • Navigate to the Server Audit tab and from the LDAP Auditing section in the left pane, select (i) Number of LDAP queries and (ii) Recent LDAP Queries reports. You can generate the results for the time period of your choice.

  • Select the domain and click Generate.

  • Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

  • This report displays the LDAP logs that are expensive and inefficient.

  • This report displays the LDAP queries made within a specific time period.

  • Enable LDAP auditing Open Registry Editor. Go to HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> NTDS -> Diagnostics. Note: Set '15 Field Engineering' to '5'. This enables Expensive and Inefficient LDAP calls to be logged in Event Viewer.

  • View the logs Go to Event Viewer -> Filter Security log to locate the event IDs 1643 (to identify the expensive and inefficient LDAP logs) and 1644 (to identify the recent LDAP queries).

  • The details shown in Event Viewer are:

    1. Username

    2. Time of the event

    3. LDAP query search root

    4. LDAP query

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Here are some of the limitations to generate a report of LDAP queries in Active Directory using native auditing:

  • Here are some of the limitations to generate a report of LDAP queries in Active Directory using native auditing:
  • It's difficult to generate the report for different time zones and date formats.

With ADAudit Plus, it is easy to obtain a report of LDAP searches in Active Directory in just a few clicks. The details like who made the search, and from which domain controller, are displayed in a simple and intuitively designed UI. This report can also be included in alert profiles to notify the IT administrators when an LDAP search is made.

Related How-tos

Request Support


One of our solution experts will get in touch with you shortly.

    Please enter business email address
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.