LDAP Binding March 2020

Hi all,

Many of you must have seen this:



I started to look at which systems are causing our LDAP queries, and of course I'm lazy, so I wrote some PS.

```powershell
$cred = Get-Credential   # DA creds
# Short host names of every DC in the domain
$DCs = Get-ADDomain | select -ExpandProperty ReplicaDirectoryServers |
    select @{N='ComputerName';E={$_.split('.')[0]}} | select -ExpandProperty ComputerName

## Enable 2889 logs
$script1 = {
    # Diagnostics level 2 for "16 LDAP Interface Events" makes the DC log event 2889
    # for every unsigned SASL bind and every simple bind over cleartext LDAP
    Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2 /f
    Limit-EventLog -LogName 'Directory Service' -MaximumSize 10MB -OverflowAction OverwriteAsNeeded
}

invoke-command -Credential $cred -computername $DCs -scriptblock $script1

# Fetch logs
$script2 = {

    $filter = @"
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService'] and (EventID=2889)]]</Select>
  </Query>
</QueryList>
"@

    # 2889 properties: [0] = client IP:port, [1] = identity the client bound as
    $ipaddr = @{ label="IP Address"; Expression={$_.properties[0].value} }
    $client = @{ label="Client"; Expression={$_.properties[1].value} }
    Get-WinEvent -FilterXML $filter -MaxEvents 5 | select $ipaddr,$client
}

invoke-command -Credential $cred -computername $DCs -scriptblock $script2 | Group-Object client
```


The XML filter breaks. Get it from here: https://www.uvm.edu/~gcd/2010/11/event-data-mining-with-powershell/


It has a good PowerShell script already written that dumps to CSV.
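As an added example that is not part of the original post, here is the collection step extended to every 2889 event in a lookback window, summarised per client and written to CSV. It assumes $cred and $DCs are defined as in the post, that the 2889 logging above is already enabled on each DC, and that the event's property order follows the 2889 message template (IP:port, identity, binding type).

```powershell
# Added example, not code from the original post. Assumes $cred and $DCs from the post
# and that 2889 logging is already enabled on every DC. Field positions follow the
# 2889 message template:
#   Properties[0] = "client IP:port", [1] = identity bound as, [2] = binding type
#   (0 = SASL bind without signing, 1 = simple bind over cleartext LDAP).
$Days    = 7
$OutFile = 'ldap-2889-summary.csv'

$collect = {
    param($Since)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent raises an error on a DC with no matching events
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        $type = if ($p[2].Value -eq 1) { 'SimpleBindCleartext' } else { 'SaslUnsigned' }
        [pscustomobject]@{
            DC          = $env:COMPUTERNAME
            Time        = $_.TimeCreated
            ClientIP    = $p[0].Value -replace ':\d+$', ''   # strip the ephemeral port
            Identity    = $p[1].Value
            BindingType = $type
        }
    }
}

$events = Invoke-Command -Credential $cred -ComputerName $DCs -ScriptBlock $collect `
    -ArgumentList (Get-Date).AddDays(-$Days)

# One row per client IP / identity / bind type: count, first and last seen, DCs hit
$summary = $events | Group-Object ClientIP, Identity, BindingType | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    # Simple binds need LDAPS (or StartTLS); unsigned SASL binds need signing on the client
    $fix = if ($sorted[0].BindingType -eq 'SimpleBindCleartext') { 'Move to LDAPS/StartTLS' } else { 'Enable LDAP signing on the client' }
    [pscustomobject]@{
        ClientIP    = $sorted[0].ClientIP
        Identity    = $sorted[0].Identity
        BindingType = $sorted[0].BindingType
        Count       = $_.Count
        FirstSeen   = $sorted[0].Time
        LastSeen    = $sorted[-1].Time
        DCs         = ($sorted.DC | Sort-Object -Unique) -join ';'
        Remediation = $fix
    }
}

$summary | Sort-Object Count -Descending | Export-Csv -Path $OutFile -NoTypeInformation
$summary | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it again after each batch of client fixes; once the CSV comes back empty for a full lookback window, enforcing signing and channel binding on the DCs should not break anything that was logging 2889.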