Checking LDAPS logs on a domain controller

Directory Service logs

I set the verbose level:

(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics")."16 LDAP Interface Events"
0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" -Name "16 LDAP Interface Events" -Value 5
net stop ntds
The following services are dependent on the Active Directory Domain Services service.
Stopping the Active Directory Domain Services service will also stop these services.

   Kerberos Key Distribution Center
   Intersite Messaging
   DNS Server
   DFS Replication

Do you want to continue this operation? (Y/N) [N]: Y
The Kerberos Key Distribution Center service is stopping.
The Kerberos Key Distribution Center service was stopped successfully.

The Intersite Messaging service is stopping.
The Intersite Messaging service was stopped successfully.

The DNS Server service is stopping.
The DNS Server service was stopped successfully.

.
The DFS Replication service was stopped successfully.

The Active Directory Domain Services service is stopping.
The Active Directory Domain Services service was stopped successfully.
net start ntds
The Active Directory Domain Services service is starting.
The Active Directory Domain Services service was started successfully.

and queried the logs:

Get-WinEvent -LogName "Directory Service" -MaxEvents 5 | Format-List TimeCreated, Id, LevelDisplayName, Message
TimeCreated      : 10/10/2025 2:22:12 AM
Id               : 1139
LevelDisplayName : Information
Message          : Internal event: Function ldap_search exited.
                          Elapsed time (ms): 0
                          SID: S-1-5-18
                          Source IP: 127.0.0.1:62077
                          Operation identifier: 82
                          Data1:
                          Data2: 846795562
                          Data3: 846795562


TimeCreated      : 10/10/2025 2:22:12 AM
Id               : 1138
LevelDisplayName : Information
Message          : Internal event: Function ldap_search entered.
                          SID: S-1-5-18
                          Source IP: 127.0.0.1:62077
                          Operation identifier: 82
                          Data1:
                          Data2: 846795562
                          Data3:
                          Data4:


TimeCreated      : 10/10/2025 2:22:12 AM
Id               : 1139
LevelDisplayName : Information
Message          : Internal event: Function ldap_search exited.
                          Elapsed time (ms): 0
                          SID: S-1-5-18
                          Source IP: 127.0.0.1:62077
                          Operation identifier: 82
                          Data1:
                          Data2: 846795562
                          Data3: 846795562


TimeCreated      : 10/10/2025 2:22:12 AM
Id               : 1138
LevelDisplayName : Information
Message          : Internal event: Function ldap_search entered.
                          SID: S-1-5-18
                          Source IP: 127.0.0.1:62077
                          Operation identifier: 82
                          Data1:
                          Data2: 846795562
                          Data3:
                          Data4:


TimeCreated      : 10/10/2025 2:22:12 AM
Id               : 1139
LevelDisplayName : Information
Message          : Internal event: Function ldap_bind exited.
                          Elapsed time (ms): 0
                          SID: S-1-5-18
                          Source IP: 127.0.0.1:62077
                          Operation identifier: 82
                          Data1:
                          Data2: 846795562
                          Data3: 846795562

Security log

Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624)]]" -MaxEvents 1 | Format-List TimeCreated, Id, LevelDisplayName, Message
TimeCreated      : 10/10/2025 2:13:32 AM
Id               : 4624
LevelDisplayName : Information
Message          : An account was successfully logged on.

                   Subject:
                        Security ID:            S-1-5-18
                        Account Name:           MYSERVER$
                        Account Domain:         MY
                        Logon ID:               0x3E7

                   Logon Information:
                        Logon Type:             3
                        Restricted Admin Mode:  -
                        Virtual Account:                No
                        Elevated Token:         Yes

                   Impersonation Level:         Impersonation

                   New Logon:
                        Security ID:            S-1-5-21-3363646389-1292239499-3829167393-500
                        Account Name:           Administrator
                        Account Domain:         MY
                        Logon ID:               0x70D9F4A
                        Linked Logon ID:                0x0
                        Network Account Name:   -
                        Network Account Domain: -
                        Logon GUID:             {00000000-0000-0000-0000-000000000000}

                   Process Information:
                        Process ID:             0x394
                        Process Name:           C:\Windows\System32\lsass.exe

                   Network Information:
                        Workstation Name:       MYSERVER
                        Source Network Address: 192.168.0.170
                        Source Port:            51362

                   Detailed Authentication Information:
                        Logon Process:          Advapi
                        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
                        Transited Services:     -
                        Package Name (NTLM only):       -
                        Key Length:             0

                   This event is generated when a logon session is created. It is generated on the computer that was accessed.

                   The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or
                   Services.exe.

                   The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

                   The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

                   The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

                   The impersonation level field indicates the extent to which a process in the logon session can impersonate.

                   The authentication information fields provide detailed information about this specific logon request.
                        - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
                        - Transited services indicate which intermediate services have participated in this logon request.
                        - Package name indicates which sub-protocol was used among the NTLM protocols.
                        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

LDAP query

export ad_ip="127.0.0.1"
export ad_user="administrator@my.local"
export ad_password="1234@abc"

export LDAPTLS_REQCERT=never

ldapsearch -H ldaps://$ad_ip:636 -x -D $ad_user -w $ad_password -b "DC=my,DC=local" \
    -s sub -a always -z 1000 "(objectClass=user)" "serviceClassName" "serviceDNSName" "objectClass"
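To review who is actually talking to the directory once the verbose level is on, the Directory Service events produced by a query like the ldapsearch above can be summarised per client. This is an added example, not part of the original post; it assumes "16 LDAP Interface Events" is still at level 5 and that the message layout matches the 1138/1139 events shown earlier (the -MaxEvents value is an arbitrary choice).

```powershell
# Added example: summarise LDAP interface events (1138 = function entered,
# 1139 = function exited) by source address, SID and LDAP function.
# Assumes the diagnostics level set above is still active.

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'
    Id      = 1138, 1139
} -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The message body looks like the events above, e.g.
    #   Internal event: Function ldap_search exited.
    #   Elapsed time (ms): 0
    #   SID: S-1-5-18
    #   Source IP: 127.0.0.1:62077
    $m   = $e.Message
    $fn  = if ($m -match 'Function\s+(\S+)\s+(entered|exited)') { $Matches[1] } else { '?' }
    $sid = if ($m -match 'SID:\s*(\S+)') { $Matches[1] } else { '' }
    $src = if ($m -match 'Source IP:\s*(\S+)') { $Matches[1] } else { '' }
    $ms  = if ($m -match 'Elapsed time \(ms\):\s*(\d+)') { [int]$Matches[1] } else { $null }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Function  = $fn
        SID       = $sid
        SourceIP  = ($src -replace ':\d+$', '')   # drop the ephemeral client port
        ElapsedMs = $ms
    }
}

# One line per client address / SID / function, using the "exited" events,
# which carry the elapsed time.
$rows | Where-Object { $_.Id -eq 1139 } |
    Group-Object SourceIP, SID, Function |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP = $_.Group[0].SourceIP
            SID      = $_.Group[0].SID
            Function = $_.Group[0].Function
            Calls    = $_.Count
            MaxMs    = ($_.Group | Measure-Object ElapsedMs -Maximum).Maximum
            Last     = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } | Sort-Object Calls -Descending | Format-Table -AutoSize
```

For the ldapsearch above, the table shows the loopback address with S-1-5-18 and a single ldap_bind followed by ldap_search calls; a remote client appears under its own address, which can be matched against the Source Network Address of the corresponding 4624 event in the Security log.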
