Windows Server Event: 1644

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

System Event » Windows Server Event: 1644

Event ID 1644: LDAP searches.

Description This event logs an entry for each LDAP search made by a client against the directory that breaches the inexpensive and/or inefficient search thresholds. It will only be logged if you set the Field Engineering reg key to 5 or higher.
Category Directory service
Subcategory Field engineering

The event logs the following information:

  • Client
  • Starting node
  • Search scope
  • Filter
  • Subtree
  • Attribute selection
  • sAM Account name
  • Server controls
  • Visited entries
  • Returned entries

Reasons to monitor this event:

It can provide useful information if you are running applications that regularly generate expensive or inefficient queries.

Pro tips:

  • ADAudit Plus collects all the logs that record this event and present it in the form of a report.
  • These reports are generated in real time and represent every LDAP search made, with details about who made it, and from which domain controller.
  • These reports can also be included in alert profiles to notify the administrators when an LDAP search is made.