<img height="1" width="1" src="https://www.facebook.com/tr?id=1529264867168163&amp;ev=PageView &amp;noscript=1">

Active Directory Monitoring: Expensive LDAP Query Management

Lightweight Directory Access Protocol (LDAP) is a directory service protocol that is used to search for information within your Active Directory and a useful tool that can better assist you with Active Directory Monitoring. LDAP is used to search your active directory for information about users, computers, and groups within your Active Directory database. LDAP queries can be run from multiple different tools including PowerShell, ldapsearch, VB Scripts, and the saved queries feature in Active Directory Users and Computers.

In this blog post, we are going to talk about what LDAP queries are, how they work, and how you can ensure that your Active Directory is properly setup to support the quickest and most accurate LDAP queries possible. We will also cover some of the troubleshooting steps you can take when you find your getting slow results with LDAP queries in your Active Directory.

What do LDAP queries do for me?

This seems like a good place to start, no? What do LDAP queries do for me?

Anytime you search Active Directory for information like who is in a specific group, or what groups are there, or information from a specific users account, that search is completed via an LDAP query. That query may be done from within Active Directory Users and Computers (ADUC), PowerShell, or many other tools. LDAP is the protocol that Active Directory uses to answer questions about what’s in your Active Directory database.

Mostly we do not think of these searches are “LDAP queries” because we just open ADUC go to a group and see who is in that group.

You can run more customized LDAP queries from within ADUC. To do so, open ADUC…

Right click on “Saved Queries” > New > Query

In your new query, give it a name and then select “Define Query”

Now select “Custom Search” from the drop down at the top, and go to the “Advanced” tab.

Here you can enter any custom LDAP query you would like. The format for these LDAP queries is defined in RFC 4515. That being said, no one wants to figure out how to write up these LDAP queries. To make life a little easier for you, I have listed some of the LDAP queries I like to setup for customers below.

Saved ADUC Query

LDAP Filter

Users with the “Password never expires” option enabled (objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
Users who have not changed their password for more than 3 months (&(sAMAccountType=805306368)(pwdLastSet<=132161330597286610))
Find users who have “Sales” in the department field (&(objectCategory=person)(objectClass=user)(department=*sales*))
Users with the empty Profile Path attribute (objectcategory=person)(!profilepath=*)
Active user accounts with expired passwords (objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
All AD users, except disabled (objectCategory=person)(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
Locked AD user accounts (objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)
Users with e-mail addresses (objectcategory=person)(mail=*)
Users without e-mail addresses (objectcategory=person)(!mail=*)
Users hidden from the Exchange Address Book (GAL): (&(sAMAccountType=805306368)(msExchHideFromAddressLists=TRUE))
The list of accounts never logged on to the domain (&(objectCategory=person)(objectClass=user)(|(lastLogonTimestamp=0)(!(lastLogonTimestamp=*)))
User accounts created in a specific time period (in 2019) (&(&(objectCategory=user)(whenCreated>=20190101000000.0Z&<=20200101000000.0Z&)))
AD users created this year (&(&(&(objectClass=User)(whenCreated>=20200101000000.0Z))))
Computers running Windows 10 (&(objectCategory=computer)(operatingSystem=Windows 10*))
Computers running a specific Windows 10 build (for example Windows 10 1909 have build number 18363) (&(&(objectCategory=computer)(operatingSystem=Windows 10*)(operatingSystemVersion=*18363*)))
Find all Windows Server 2016 except domain controllers (&(&(objectCategory=computer)(!(primaryGroupId=516)))(operatingSystem=Windows Server 2016*))
All Microsoft SQL servers (&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))
All Exchange distribution groups (&(objectCategory=group)(!groupType:1.2.840.113556.1.4.803:=2147483648))
Find AD object with a specific SID (objectSID=S-1-5-21-87654321-12345678-5566443311-1231)

Troubleshooting LDAP queries

LDAP queries can be problematic when they are slow or use too many resources. The ones I have listed above are not likely to be a problem, but there are many applications that may be running LDAP queries in your AD environment that can be problems.

Troubleshooting LDAP queries that are taking excessive resources in your AD can be very difficult. TO make it a bit easier, I am going to give you a quick guide for what to do if you suspect you have LDAP queries that are causing problem. Before we get into those instructions, keep in mind that we will be turning on a high level of logging for this. It is not a great idea to leave this logging running when you are done with it.

Enable 1644 metadata collection - Configure registry keys for Field Engineering to 5 (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering)

Configure registry entries for expensive, inefficient, and long running LDAP queries -

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold DWORD 10,000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold DWORD 1,000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold (msecs) DWORD 30,000

Collect data – Once those registry settings are made on a domain controller, let it run and collect data. I would recommend about 30 minutes or so.

Analyze the data – Microsoft has a PowerShell script you can find here that will help with the analysis of this data. This PowerShell script will output your data into a CSV file you can analyze with Excel. You will be able to see information like what servers are running the problem LDAP queries, how long those queries are taking, and the resource usage of specific LDAP queries.

Wrap Up

LDAP queries can be extremely useful for gathering specifically organized information from Active Directory. When LDAP queries take too long or too many resources, troubleshooting them can be difficult. Hopefully this blog will make both using LDAP queries and troubleshooting problem queries a little bit easier for you.

Active Directory Monitoring with ENow

Active Directory as the foundation of your network, and the structure that controls access to some of the most critical resources in your organization. ENow uncovers cracks in your Active Directory that can cause a security breach or poor end user experience. In particular, ENow enables you to:

  • Report on highly privileged groups (domain admins)
  • AD replication errors
  • Identify Expensive LDAP queries
  • DNS and name resolution problems
  • Troubleshoot poor Exchange performance caused by Active Directory

Don’t take our word for it. Start your free trial today!

free 14 day trial