How to Audit and Log LDAP Access (Username + Source IP) on Active Directory Domain Controllers


When securing Active Directory environments, administrators often need to track LDAP/LDAPS access patterns. A packet capture reveals source IP addresses but not usernames: LDAPS (port 636) encrypts the whole session, and even on port 389 a Kerberos SASL bind with signing and sealing keeps the bind identity out of the cleartext, so the username has to come from the domain controller itself. The core requirement is to log, for both cleartext (389) and encrypted (636) connections:

  • the authenticated username (the identity used in the bind)
  • the client's source IP address

Enable Directory Service Access auditing. On a single DC, auditpol applies it immediately; for every DC, set the same subcategory in the Default Domain Controllers Policy under Advanced Audit Policy Configuration → Audit Policies → DS Access:

# Enable the DS Access subcategory on this DC (success and failure), then verify
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /get /subcategory:"Directory Service Access"

This produces Event ID 4662 only for objects that carry a matching SACL, and 4662 records the account but not the client address; the address has to be joined from the 4624 network logon event that shares the same Logon ID.

Then set a SACL on the objects you care about (4662 is generated only where a SACL matches). The snippet below audits successful property reads by anyone on the whole domain; that is the broadest possible scope and produces a very large volume of 4662 events, so narrow the principal, the rights or the OU in production:

# Add an inherited audit ACE on the domain root with System.DirectoryServices
$domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"
# DirectoryEntry reads and writes only Owner, Group and DACL unless told to handle the SACL
$domain.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]"Everyone",
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$domain.psbase.ObjectSecurity.AddAuditRule($rule)
$domain.psbase.CommitChanges()   # needs the "Manage auditing and security log" right on the DC

Look for Event ID 4662 in the Security log. It carries the subject and the object but no client address, so read the named fields from the event XML rather than guessing positional Properties[] indexes (in 4662, index 6 is the object name and index 8 the handle ID; neither is an IP):

# Extract 4662 by field name; LogonId is the key for joining to the 4624 that has the IP
Get-WinEvent -LogName Security -FilterHashtable @{Id = 4662} -MaxEvents 1000 |
ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Username    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        LogonId     = $d.SubjectLogonId
        Object      = $d.ObjectName
    }
}
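The join that the Security log requires, as an added example that is not part of the original page: 4662 says who did what to which object, 4624 (Logon Type 3, network) says where that logon came from, and the Logon ID appears in both. The function names are mine, and the four events are constructed to mirror the Security log XML schema so the script runs offline; in production feed it the output of Get-WinEvent for IDs 4624 and 4662 instead.

```powershell
# Added example: correlate 4662 with 4624 on Logon ID to get username + source IP.
# Sample events below are constructed (not real log records); replace with
#   Get-WinEvent -LogName Security -FilterHashtable @{Id = 4624, 4662} | ForEach-Object { $_.ToXml() }

function New-SampleEventXml {
    # Constructed sample only: emits a Security-log-shaped event for the given fields
    param([int]$Id, [string]$Time, [System.Collections.IDictionary]$Data)
    $dataXml = ($Data.GetEnumerator() |
        ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>$Id</EventID><TimeCreated SystemTime='$Time'/></System>" +
    "<EventData>$dataXml</EventData></Event>"
}

function ConvertFrom-SecurityEventXml {
    # Flatten one event's XML into a hashtable keyed by the EventData field names
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $idNode = $doc.Event.System.EventID           # string unless the element has attributes
    $fields = @{
        EventId     = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.InnerText })
        TimeCreated = [datetime]$doc.Event.System.TimeCreated.SystemTime
    }
    foreach ($d in $doc.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    $fields
}

function Join-LdapAccessEvents {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $events = foreach ($x in $EventXml) { ConvertFrom-SecurityEventXml $x }
    # Index network logons by the Logon ID that later 4662 events reference in their Subject
    $sessions = @{}
    foreach ($e in $events) {
        if ($e.EventId -eq 4624 -and $e.LogonType -eq '3') { $sessions[$e.TargetLogonId] = $e }
    }
    foreach ($e in $events) {
        if ($e.EventId -ne 4662) { continue }
        $s = $sessions[$e.SubjectLogonId]
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = '{0}\{1}' -f $e.SubjectDomainName, $e.SubjectUserName
            SourceIP   = if ($s) { $s.IpAddress } else { '(no 4624 for this Logon ID in the log)' }
            AuthPkg    = if ($s) { $s.AuthenticationPackageName } else { $null }
            Object     = $e.ObjectName
            AccessMask = $e.AccessMask               # 0x10 = ReadProperty
        }
    }
}

# Constructed sample: a Kerberos network logon, a console logon (ignored), a 4662 that
# joins to the first logon, and a 4662 whose 4624 is not in the log (e.g. rotated away)
$sample = @(
    (New-SampleEventXml 4624 '2024-05-01T10:15:00.000Z' ([ordered]@{
        TargetUserName = 'jdoe'; TargetDomainName = 'CONTOSO'; TargetLogonId = '0x1a2b3c'
        LogonType = '3'; AuthenticationPackageName = 'Kerberos'; IpAddress = '10.20.30.40'; IpPort = '51234' })),
    (New-SampleEventXml 4624 '2024-05-01T10:15:05.000Z' ([ordered]@{
        TargetUserName = 'admin'; TargetDomainName = 'CONTOSO'; TargetLogonId = '0x9f'
        LogonType = '2'; AuthenticationPackageName = 'Negotiate'; IpAddress = '-'; IpPort = '-' })),
    (New-SampleEventXml 4662 '2024-05-01T10:15:02.000Z' ([ordered]@{
        SubjectUserName = 'jdoe'; SubjectDomainName = 'CONTOSO'; SubjectLogonId = '0x1a2b3c'
        ObjectServer = 'DS'; ObjectName = 'CN=John Doe,OU=Users,DC=contoso,DC=com'; AccessMask = '0x10' })),
    (New-SampleEventXml 4662 '2024-05-01T10:15:03.000Z' ([ordered]@{
        SubjectUserName = 'svc-backup'; SubjectDomainName = 'CONTOSO'; SubjectLogonId = '0x77'
        ObjectServer = 'DS'; ObjectName = 'CN=Finance,OU=Groups,DC=contoso,DC=com'; AccessMask = '0x10' }))
)

Join-LdapAccessEvents -EventXml $sample | Format-Table -AutoSize
```

Logon IDs are unique only per boot of one DC, and both events are written by the DC that served the bind, so run this per DC or on a forwarded-events collector that preserves the Computer field and key the session table by computer as well.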

For high-volume environments, Event Tracing for Windows is cheaper than the Security log. One caveat: the Microsoft-Windows-LDAP-Client provider traces the wldap32 calls made by the machine running the session, which on a DC means its own outbound lookups, not the binds it receives. For the server side, the built-in "Active Directory Diagnostics" data collector set in Performance Monitor (perfmon) records incoming LDAP requests with client address and user over a bounded window.

# Start a client-side ETW session (records LDAP calls made from this host)
logman create trace "LDAPAudit" -ow -o ldap.etl -p "Microsoft-Windows-LDAP-Client" 0xffff -nb 128 128 -bs 1024
logman start "LDAPAudit"

# Stop the session, then parse the trace
logman stop "LDAPAudit"
tracerpt ldap.etl -o ldap.csv -of CSV

If native logging isn't sufficient, consider:

  1. Deploying a dedicated LDAP proxy (for example nginx's stream module)
  2. Using NetFlow/sFlow capable switches
  3. Implementing a SIEM solution (Splunk/ELK)

Be clear about what each gives you. A TCP-level proxy such as nginx records the client IP and byte counts, not the bind identity: on 389 it does not parse LDAP, and on 636 it would first have to terminate TLS. It also changes the DC's view, because every connection now arrives from the proxy's address, so DC-side events lose the real source unless you correlate them with the proxy log. NetFlow/sFlow gives IP, port and volume only. A SIEM is where the Security log, the Directory Service log and flow data get joined; it does not produce username information on its own.

Example nginx config snippet for connection-level LDAP logging:

stream {
    # the stream module has no predefined "combined" format; define one
    log_format ldap '$remote_addr [$time_local] -> $upstream_addr '
                    'status=$status sent=$bytes_sent received=$bytes_received session=$session_time';

    server {
        listen 389;                        # 3389 is RDP, not LDAP
        proxy_pass domain_controller:389;  # the DC now sees the proxy as the client IP
        access_log /var/log/ldap_access.log ldap;
    }
}

Logging LDAP (port 389) and LDAPS (port 636) access attempts is central to Active Directory security auditing. Packet captures give you source IP addresses; the usernames behind encrypted or signed sessions are only available from the DC, which offers two native sources.

The first is the Directory Service event log, driven by the NTDS diagnostics registry values. By default the DC only writes Event ID 2887, a 24-hourly count of unsigned and cleartext binds. Setting "16 LDAP Interface Events" to 2 adds Event ID 2889 for every SASL bind made without signing and every simple bind over cleartext LDAP, with the client IP:port and the identity used. Level 5 is maximum verbosity, intended for short debugging windows rather than continuous auditing:

# Log each unsigned/cleartext LDAP bind with client address and identity (Event ID 2889)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" -Name "16 LDAP Interface Events" -Value 2

Setting "15 Field Engineering" to 5 under the same key additionally logs Event ID 1644 for searches that exceed the expensive/inefficient search thresholds, again with client address, user and filter. Note what 2889 does not cover: signed Kerberos binds and LDAPS binds never appear in it.

The second source is the Security log, enabled through Group Policy:
  1. Open Group Policy Management (gpmc.msc) and edit the Default Domain Controllers Policy
  2. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → DS Access
  3. Enable "Audit Directory Service Access" for Success (and Failure), then put a SACL on the objects to be audited
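Parsing Event ID 2889 into username and source IP, as an added example that is not part of the original page. The function names are mine; the sample messages are constructed to mirror the layout of the 2889 text (label on one line, value on the next) and include one non-2889 message to show that unparseable input is dropped rather than mis-attributed. In production, feed the summary function the output of Get-WinEvent -LogName 'Directory Service' -FilterHashtable @{Id = 2889}.

```powershell
# Added example: turn Directory Service event 2889 messages into (identity, IP, port)
# records and summarise binds per identity and source address.

function ConvertFrom-Ldap2889Message {
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = [datetime]::UtcNow
    )
    # Each value follows a fixed label; \s* tolerates the line break between label and value.
    if ($Message -notmatch 'Client IP address:\s*(?<endpoint>\S+)') { return $null }
    $endpoint = $Matches['endpoint']
    $identity = if ($Message -match 'Identity the client attempted to authenticate as:\s*(?<id>[^\r\n]+)') {
        $Matches['id'].Trim() } else { '' }
    $bindType = if ($Message -match 'Binding Type:\s*(?<bt>\d+)') { [int]$Matches['bt'] } else { -1 }

    # endpoint is "ip:port"; split on the last colon so IPv6 literals keep their colons
    $sep  = $endpoint.LastIndexOf(':')
    $ip   = if ($sep -gt 0) { $endpoint.Substring(0, $sep) } else { $endpoint }
    $port = if ($sep -gt 0) { [int]$endpoint.Substring($sep + 1) } else { 0 }

    [pscustomobject]@{
        TimeCreated = $TimeCreated
        Identity    = $identity
        SourceIP    = $ip
        SourcePort  = $port
        BindType    = $bindType      # carried through as logged, not interpreted here
    }
}

function Get-LdapBindSummary {
    # $Events: objects with TimeCreated and Message, as Get-WinEvent returns them
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        ForEach-Object { ConvertFrom-Ldap2889Message -Message $_.Message -TimeCreated $_.TimeCreated } |
        Where-Object { $null -ne $_ } |
        Group-Object Identity, SourceIP |
        ForEach-Object {
            $times = @($_.Group.TimeCreated | Sort-Object)
            [pscustomobject]@{
                Identity  = $_.Group[0].Identity
                SourceIP  = $_.Group[0].SourceIP
                Binds     = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        } |
        Sort-Object Binds -Descending
}

function New-Sample2889 {
    # Constructed sample only: reproduces the 2889 message layout for offline testing
    param([string]$Time, [string]$Endpoint, [string]$Identity, [int]$BindType)
    $lines = @(
        'The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.',
        '', 'Client IP address:', $Endpoint,
        'Identity the client attempted to authenticate as:', $Identity,
        'Binding Type:', $BindType
    )
    [pscustomobject]@{ TimeCreated = [datetime]$Time; Message = ($lines -join "`r`n") }
}

# Constructed sample set: two binds from one scanner account, one DN-style simple bind,
# and a 2887-style summary line that the parser must skip
$sampleEvents = @(
    (New-Sample2889 '2024-05-01T10:15:00' '10.20.30.40:51234' 'CONTOSO\svc-scanner' 1),
    (New-Sample2889 '2024-05-01T10:16:10' '10.20.30.40:51250' 'CONTOSO\svc-scanner' 1),
    (New-Sample2889 '2024-05-01T10:20:00' '192.0.2.15:49999'  'CN=John Doe,OU=Users,DC=contoso,DC=com' 1),
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T11:00:00'
                       Message     = 'During the previous 24 hour period, some clients attempted to perform LDAP binds that were either unsigned or over clear text.' }
)

Get-LdapBindSummary -Events $sampleEvents | Format-Table -AutoSize
```

The summary is the practical output: an identity that binds unsigned from many addresses, or an address that tries many identities, stands out immediately, and the (identity, IP) pair is exactly what you need before enforcing LDAP signing or channel binding.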

Event ID 4662 ("An operation was performed on an object") is what Directory Service Access auditing produces. It tells you who touched which object, but it has no network address field. The Logon ID in its Subject block is the key for finding the matching 4624 logon event (Logon Type 3, network), whose Source Network Address is the client IP:

Subject:
  Security ID:  S-1-5-21-...
  Account Name:  ADMINISTRATOR
  Account Domain:  CONTOSO
  Logon ID:  0xABC123

Object:
  Object Server:  DS
  Object Type:  user
  Object Name:  CN=John Doe,OU=Users,DC=contoso,DC=com

For comprehensive client-side tracing (the LDAP calls this machine makes, not the binds a DC receives), configure a live ETW session:

# Create a live ETW session (-ets) for the client-side LDAP provider
logman create trace "LDAPDebug" -ow -o C:\Temp\LDAPDebug.etl -p "Microsoft-Windows-LDAP-Client" 0xffffffffffffffff -ets

# Stop it when the capture window is over (logman has no end-time option for -ets sessions)
logman stop "LDAPDebug" -ets

Source IPs live in Event ID 4624, not in 4662. This script lists network logons on the DC with the account, the Logon ID (the join key to 4662) and the source address. On a DC, Logon Type 3 covers LDAP binds but also SMB, RPC and other network logons, so on its own it cannot tell you which protocol was used:

# 4624 positional fields: 5 = TargetUserName, 6 = TargetDomainName, 7 = TargetLogonId,
# 8 = LogonType, 10 = AuthenticationPackageName, 18 = IpAddress
Get-WinEvent -LogName "Security" -FilterHashtable @{Id = 4624} -MaxEvents 1000 |
Where-Object { $_.Properties[8].Value -eq 3 } |
Select-Object TimeCreated,
    @{Name='User';     Expression={ '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value }},
    @{Name='LogonId';  Expression={ '0x{0:x}' -f $_.Properties[7].Value }},
    @{Name='AuthPkg';  Expression={ $_.Properties[10].Value }},
    @{Name='SourceIP'; Expression={ $_.Properties[18].Value }}
Products that collect and correlate these sources for you, if the raw logs are too much to handle:

  • Microsoft Advanced Threat Analytics (ATA), since superseded by Microsoft Defender for Identity
  • Azure Sentinel (now Microsoft Sentinel), ingesting the Windows Security events above
  • SolarWinds Access Rights Manager

When implementing detailed LDAP auditing, budget for the overhead. The figures below are rough; real values depend on the DC's bind and query rate and on how broad the SACL is:

Logging level   CPU impact (approx.)   Log growth per day (approx.)
Basic           1-3%                   50 MB
Verbose         5-8%                   300 MB
Debug           10-15%                 1 GB+

Size the Security and Directory Service logs accordingly, or forward events to a collector or SIEM, so that records are not overwritten before anyone reads them.