
How can I determine which PCs bind via LDAP with a specific username? Finding out IP addresses would be fantastic, but any clues will help.

Server: Windows 2012 R2 (AD Schema Version 69)
Clients: virtually anything ranging from generic web-apps to ancient software on non-x86; I cannot examine each of them.


There are several accounts in AD that I would love to get rid of. However, they are still used by some services somewhere in the existing infrastructure. These services should receive new credentials. It's virtually impossible to get any information from users by asking, not unless something gets disabled, some service goes down and as a result somebody throws a hysterical tantrum :) Therefore I'm looking for alternative options.

Art
  • You can examine the event logs on all the Domain Controllers in your environment. That will tell you which computers the logons are coming from. Then you can look at the processes and scheduled tasks on those computers. – EBGreen Jun 11 '18 at 13:44
  • @EBGreen Where in the logs can I see LDAP binds? Do I need to configure something for it? (I don't know much about Windows...) In the security log I can see object modifications, but not log in attempts. – Art Jun 11 '18 at 15:03
  • Look for event ID 4768 I think. I don't remember which source it comes from off the top of my head, but that should be the authentication request event. – EBGreen Jun 11 '18 at 15:28
  • When reviewing the security logs on a domain controller, Success Audit authentication events for LDAP binds appear to originate from the Domain Controller, having the calling computer name of the Domain Controller itself and a calling IP address of 127.0.0.1. Normal logon events should reference the correct calling computer name and address. – Semicolon Jun 11 '18 at 16:00
  • https://serverfault.com/questions/193100/log-ldap-access-of-the-active-directory – natxo asenjo Jun 23 '18 at 08:33
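One way to act on the comments above, written here as an added example rather than code from the question or any commenter: a PowerShell script to run on each domain controller. It pulls Security events 4624 (logon on the DC) and 4768 (Kerberos TGT request) for one account and reports the calling IP and workstation, separates out the rows that name 127.0.0.1 or the DC itself (the LDAP-bind pattern Semicolon describes, where the real client is not visible), and then reads Directory Service event 2889, which records the client IP and identity of every simple bind and every unsigned SASL bind, but only once the NTDS diagnostic value "16 LDAP Interface Events" is set to 2 or higher (the setting covered by the question natxo asenjo links). The `$Account` and `$Days` parameters are assumptions for the example.

```powershell
# Added example, not code from the question or the comments.
# Run on each domain controller with rights to read the Security and Directory Service
# logs. $Account (a sAMAccountName) and $Days are assumed inputs for this example.
param(
    [Parameter(Mandatory)][string]$Account,
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

# Read the named EventData fields from the event XML instead of scraping Message text.
function Get-EventFields($Event) {
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1. Security log: 4624 (logon on this DC) and 4768 (Kerberos TGT request, EBGreen's hint).
#    Both carry TargetUserName and the caller's IpAddress.
$logons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['TargetUserName'] -eq $Account) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Client      = ($f['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
                Workstation = $f['WorkstationName']                        # empty on 4768
                LogonType   = $f['LogonType']                              # 3 = network
                Package     = $f['AuthenticationPackageName']
            }
        }
    })

# Per Semicolon's comment, LDAP binds show up as 4624 events attributed to the DC itself
# (127.0.0.1), so those rows prove the account is in use but do not identify the client.
$localAddrs = '127.0.0.1', '::1', '-'
$remote = @($logons | Where-Object { $_.Client -notin $localAddrs })
$hidden = @($logons | Where-Object { $_.Client -in $localAddrs })

"Remote callers for $Account since $since (Security log 4624/4768):"
$remote | Group-Object Client, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
"Logons attributed to this DC itself (likely LDAP binds, client not visible here): $($hidden.Count)"

# 2. Directory Service log: event 2889 names the client IP and the identity for simple binds
#    and unsigned SASL binds, but only when "16 LDAP Interface Events" is 2 or higher.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$level   = (Get-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
if ($level -lt 2) {
    Write-Warning "16 LDAP Interface Events is $level on this DC; set it to 2 to get 2889 bind events."
}

# Match DOMAIN\account or account@domain in the "authenticate as" line.
$identityPattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

$binds = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '' }
        $id = if ($_.Message -match 'authenticate as:\s*(\S+)')   { $Matches[1] } else { '' }
        if ($id -match $identityPattern) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Client   = ($ip -replace ':\d+$', '')   # drop the source port
                Identity = $id
            }
        }
    })

"LDAP bind clients for $Account (Directory Service event 2889):"
$binds | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Each DC logs only the binds it served, so the script has to run on every DC (for example via Invoke-Command) and the results merged before the account is disabled. Event 2889 covers only simple binds and SASL binds without signing; a client that binds with a signed Kerberos ticket does not produce one, but its TGT request does appear as a 4768 with the client IP in the first half of the report.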

0 Answers