Each DC is treated separately.
Increase the Log Size for Directory Service
Then for a report:
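# Collect event 2889 (insecure LDAP bind) from the Directory Service log of this DC
$logs = Get-WinEvent -FilterHashtable @{ LogName = "Directory Service"; ID = 2889 }
$values = @()
foreach ($log in $logs) {
    $datasourceObject = New-Object PSObject
    # Properties[0] holds "IP:port"; keep only the IP part
    $datasourceObject | Add-Member -MemberType NoteProperty -Name "IP" -Value $log.Properties[0].Value.Split(":")[0]
    # Properties[1] holds the account used for the bind
    $datasourceObject | Add-Member -MemberType NoteProperty -Name "UserBind" -Value $log.Properties[1].Value
    $values += $datasourceObject
}
# Count binds per IP/account pair, resolve the client name and append the result to the report
$values | Group-Object -Property IP, UserBind | Sort-Object Count -Descending | Select-Object Count, Name |
    ForEach-Object {
        [PSCustomObject]@{
            'Ip'       = ($_.Name -split ", ")[0]
            'UserBind' = ($_.Name -split ", ")[1]
            # Reverse lookup; left empty when the client has no PTR record
            'Name'     = (Resolve-DnsName (($_.Name -split ", ")[0]) -ErrorAction SilentlyContinue | Select-Object -ExpandProperty NameHost)
            'Count'    = ($_.Count)
        }
    } | Export-Csv -Path C:\Temp\count.csv -NoTypeInformation -Append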
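Because each DC only logs the binds it received itself, the same report can be run against every DC in one pass. The script below is an added example, not part of the original page. It assumes the ActiveDirectory RSAT module, remote event log access to each DC, a hypothetical output path, a 24-hour window, and that the third event property is the binding type (0 = unsigned SASL bind, 1 = simple bind without SSL/TLS).

```powershell
# Added example: aggregate event 2889 across all domain controllers.
Import-Module ActiveDirectory

$outFile = 'C:\Temp\ldap-binds-all-dcs.csv'   # hypothetical output path
$since   = (Get-Date).AddDays(-1)             # assumption: last 24 hours

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2889; StartTime = $since
        }
    } catch {
        # Get-WinEvent raises an error when nothing matches or the DC is unreachable
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Properties[0] is "address:port"; cut at the last colon so IPv6 clients are kept intact
        $endpoint = [string]$e.Properties[0].Value
        $cut = $endpoint.LastIndexOf(':')
        $ip = if ($cut -gt 0) { $endpoint.Substring(0, $cut).Trim('[', ']') } else { $endpoint }
        [PSCustomObject]@{
            DC       = $dc.HostName
            IP       = $ip
            UserBind = $e.Properties[1].Value
            BindType = switch ("$($e.Properties[2].Value)") {
                '0'     { 'Unsigned SASL' }
                '1'     { 'Simple bind without TLS' }
                default { "Other ($_)" }
            }
        }
    }
}

# One line per DC / client / account / bind type, busiest first
$rows | Group-Object DC, IP, UserBind, BindType | Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        [PSCustomObject]@{
            Count    = $_.Count
            DC       = $first.DC
            IP       = $first.IP
            UserBind = $first.UserBind
            BindType = $first.BindType
        }
    } | Export-Csv -Path $outFile -NoTypeInformation
```

Simple binds without TLS send the account password in cleartext, so those rows are the ones to remediate first.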
View the logs
Unsecure LDAP binds
Go to Event Viewer → Filter Directory Service logs to locate the event ID 2889 (Windows Server 2003 to 2012)
Number of daily unsecure LDAP binds
Go to Event Viewer → Filter Directory Service logs to locate the event ID 2887 (Windows Server 2003 to 2012)
Number of LDAP queries
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1643 (Windows Server 2003 to 2012)
Recent LDAP queries
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1644 (Windows Server 2003 to 2012)
Error from LDAP server
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1535 (Windows Server 2003 to 2012)
Time-out LDAP connection
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1317 (Windows Server 2003 to 2012)