en-US/about_PSLDAPQueryLogging.help.txt

This module simplifies enabling the LDAP query diagnostic logging (Directory Service event 1644) discussed by Mark Morowczynski:
 
http://blogs.technet.com/b/askpfeplat/archive/2015/05/11/how-to-find-expensive-inefficient-and-long-running-ldap-queries-in-active-directory.aspx
 
Functions:
 
    * Test-LDAPQueryLoggingPrerequisites : Check whether a domain controller meets the prerequisites for this logging
    * Enable-LDAPQueryLogging : Enable diagnostic logging and set the thresholds as discussed by Mark
    * Get-LDAPQueryLogging : Check the current state, including whether logging is enabled, and the threshold values
    * Disable-LDAPQueryLogging : Disable diagnostic logging and set the thresholds back to their defaults
 
Prerequisites:
 
    * Administrative access to the domain controllers (the logging switch and thresholds are registry values under the NTDS service)
    * Server 2012 R2 *or*
    * Server 2008, 2008 R2, or 2012 with KB2800945 (adds the search time threshold and the extra 1644 event fields)
        https://support.microsoft.com/en-us/kb/2800945/en-us
 
Example Scenario:
 
    # Import the module
    Import-Module PSLDAPQueryLogging -Force
 
    # Get domain controllers using the ActiveDirectory module
    $DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
 
    # Enable logging temporarily on the domain controllers.
    # Lower the search time threshold so that queries taking over 30 ms are logged (the default is 100 ms)
    $DCs | Enable-LDAPQueryLogging -SearchTimeThreshold 30
 
    # Wait a bit
    "$(Get-Date): Sleeping 10 minutes..."
    Start-Sleep -Seconds (10*60)
 
    # Collect your logs!
    # Many ways to do this. Not PowerShell, but I find wevtutil to be quite fast.
    # Note: the export below writes from each DC to this computer's admin share. That is a second
    # network hop from inside the remote session, so without credential delegation it can fail with
    # access denied; if so, export to a local path on the DC and copy the file back with Copy-Item.
    $Comp = $ENV:ComputerName
    Invoke-Command -ComputerName $DCs -ScriptBlock {wevtutil epl 'Directory Service' "\\$Using:Comp\c$\$ENV:ComputerName-Evil.evtx"}
 
    # Disable the logging (this also resets the thresholds to their defaults)
    $DCs | Disable-LDAPQueryLogging
 
    # Parse events as desired, perhaps using Ming's script
    # https://gallery.technet.microsoft.com/scriptcenter/Event-1644-reader-Export-45205268
    dir C:\*evil.evtx