Would you like to learn how to configure a group policy to audit the LDAP queries to Active Directory? In this tutorial, we will show you how to configure the monitoring of LDAP queries on the domain controllers using a GPO.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 10
• Windows 11


Tutorial GPO - Monitor LDAP queries on Active Directory

On the domain controller, open the group policy management tool.


Create a new group policy.


Enter a name for the new group policy.


In our example, the new GPO was named: MY-GPO.

On the Group Policy Management screen, expand the folder named Group Policy Objects.

Right-click your new Group Policy Object and select the Edit option.


On the group policy editor screen, expand the Computer configuration folder and locate the Registry item.

Right-click on the Registry option and create a Registry entry.


On the registry screen, perform the following configuration.


Click on the OK button.


Create the second required registry entry, Expensive Search Results Threshold.

Click on the OK button.

Create the third registry entry, Inefficient Search Results Threshold.

Click on the OK button.

Create the fourth registry entry, Search Time Threshold.

Click on the OK button.

Here is the configuration summary.

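Once the GPO has applied, the first thing a practitioner wants is a quick way to confirm on a given domain controller that the registry values actually landed. The script below is an added example and not part of the original tutorial: it compares the four NTDS values that drive expensive and inefficient LDAP search logging against an expected state. The registry paths and value names are the documented NTDS settings (`15 Field Engineering` in the Diagnostics key, and the three thresholds in the Parameters key); the expected numbers are assumptions for this example, so replace them with the values you entered in the GPO.

```powershell
# Added example (not part of the original tutorial): confirm on a domain
# controller that the four registry values the GPO is meant to deliver are
# present. Paths and value names are the documented NTDS settings behind
# event 1644 logging; the expected numbers are assumptions for this example,
# so replace them with the values you entered in the GPO.

$Diagnostics = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$Parameters  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# '15 Field Engineering' = 5 switches the expensive/inefficient search
# logging on; the thresholds are in entries, entries and milliseconds.
$Expected = @(
    @{ Path = $Diagnostics; Name = '15 Field Engineering';                 Value = 5 }
    @{ Path = $Parameters;  Name = 'Expensive Search Results Threshold';   Value = 10000 }
    @{ Path = $Parameters;  Name = 'Inefficient Search Results Threshold'; Value = 1000 }
    @{ Path = $Parameters;  Name = 'Search Time Threshold';                Value = 30000 }
)

function Test-LdapAuditSetting {
    param([Parameter(Mandatory)][hashtable]$Setting)

    # Read the value; a missing key or value name yields $null instead of an error.
    $item    = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($Setting.Name) } else { $null }

    $status = if ($null -eq $current) { 'MISSING' } elseif ($current -eq $Setting.Value) { 'OK' } else { 'MISMATCH' }

    [pscustomobject]@{
        Name     = $Setting.Name
        Expected = $Setting.Value
        Current  = $current
        Status   = $status
    }
}

$Results = $Expected | ForEach-Object { Test-LdapAuditSetting -Setting $_ }
$Results | Format-Table -AutoSize

if ($Results.Status -contains 'MISSING' -or $Results.Status -contains 'MISMATCH') {
    Write-Warning "LDAP audit settings are not fully applied; run 'gpupdate /force' and re-check, or confirm the GPO is linked to the Domain Controllers OU."
}
```

Run it from an elevated PowerShell prompt on each domain controller. A `MISSING` row on one DC but not another usually just means replication has not reached it yet; a `MISMATCH` row points at a value typed differently in the GPO, or at another policy or script writing the same value.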

To save the group policy configuration, you need to close the Group Policy editor.

Congratulations! You have finished the GPO creation.

Tutorial GPO - Monitor LDAP queries on Active Directory

On the Group policy management screen, link the GPO to the Domain controllers Organizational Unit.

GPO - Link to domain controllers

In our example, we linked the group policy named MY-GPO to the domain controllers.


After linking the GPO, you need to wait 10 to 20 minutes.

During this time, the GPO is replicated to the other domain controllers.

On a domain controller, start an elevated PowerShell command line.


List events related to LDAP queries.


Here is the command output.


Get details from LDAP events.


Here is the command output.


Search for specific LDAP events.

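The three steps above (list the events, get their details, search for specific ones) are where the audit pays off, so here is an added example that is not code from the original tutorial. The NTDS settings configured through the GPO write event ID 1644 to the Directory Service log for each expensive or inefficient LDAP search; this script parses the labelled fields out of the event text, checks the parser against a constructed sample first, and then ranks live clients by how many such searches they issued. The field labels matched by the parser, the sample text and the 24-hour window are assumptions about the event layout; compare them with a real 1644 event on your own DC before relying on the numbers.

```powershell
# Added example (not part of the original tutorial). Event ID 1644 in the
# Directory Service log is the record the NTDS settings produce for an
# expensive or inefficient LDAP search. The field labels below and the sample
# text are assumptions about the event layout; verify them against a real event.

function ConvertFrom-Ldap1644Message {
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$Time = (Get-Date)
    )

    # Pull one labelled field out of the event text. The value may sit on the
    # same line as the label or on the following line; empty values become $null.
    function Get-Field([string]$Label) {
        $esc = [regex]::Escape($Label)
        if ($Message -match ('(?m)^[ \t]*' + $esc + ':[ \t]*\r?\n?[ \t]*([^\r\n]*)')) {
            $v = $Matches[1].Trim()
            if ($v) { $v } else { $null }
        } else { $null }
    }

    [pscustomobject]@{
        Time            = $Time
        Client          = Get-Field 'Client'
        StartingNode    = Get-Field 'Starting node'
        Filter          = Get-Field 'Filter'
        VisitedEntries  = [int](Get-Field 'Visited entries')
        ReturnedEntries = [int](Get-Field 'Returned entries')
        SearchTimeMs    = [int](Get-Field 'Search time (ms)')
    }
}

function Get-LdapClientSummary {
    param([Parameter(Mandatory)][object[]]$Searches)
    # One row per client address: how many flagged searches, the worst scan
    # size, and the total server time they consumed.
    $Searches | Group-Object -Property Client | ForEach-Object {
        [pscustomobject]@{
            Client      = $_.Name
            Searches    = $_.Count
            MaxVisited  = ($_.Group | Measure-Object -Property VisitedEntries -Maximum).Maximum
            TotalTimeMs = ($_.Group | Measure-Object -Property SearchTimeMs -Sum).Sum
        }
    } | Sort-Object -Property Searches -Descending
}

# Constructed sample in the assumed 1644 layout (not a captured event), used
# to exercise the parser before touching the live log.
$SampleMessage = @"
Internal event: A client issued a search operation with the following options.

Client:
10.0.0.25:49821
Starting node:
DC=corp,DC=example
Filter:
 (objectClass=*)
Search scope:
subtree
Visited entries:
25000
Returned entries:
12000
Search time (ms):
4200
"@
$Sample = ConvertFrom-Ldap1644Message -Message $SampleMessage
if ($Sample.Client -ne '10.0.0.25:49821' -or $Sample.VisitedEntries -ne 25000 -or $Sample.SearchTimeMs -ne 4200) {
    throw 'Parser self-check failed; adjust the field labels to match your event text.'
}

# Live query: 1644 events recorded in the last 24 hours (window is an assumption).
$Since  = (Get-Date).AddHours(-24)
$Live   = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since } -ErrorAction SilentlyContinue
$Parsed = foreach ($e in $Live) { ConvertFrom-Ldap1644Message -Message $e.Message -Time $e.TimeCreated }

if ($Parsed) {
    Get-LdapClientSummary -Searches $Parsed | Format-Table -AutoSize
} else {
    Write-Host "No event 1644 entries since $Since; confirm the GPO applied (gpresult /r) and that a qualifying search has run."
}
```

Filtering on `Filter` or `StartingNode` in `$Parsed` narrows the output to one kind of query, which is the "search for specific LDAP events" step in practice. A client that repeatedly tops the summary with a broad filter such as `(objectClass=*)` against the domain root is either a misconfigured application or worth a closer look from the security team.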

In our example, we enabled the audit of LDAP events using a GPO.