I use an AD LDS instance and have enabled "15 Field Engineering" via the registry to enable debug logging in the event log for LDAP queries made by clients.
So far all works great: I have created an OU on the AD LDS server, created a user and gave him read access to query entries within this OU. As expected, the event log created an entry with event ID 1644 with all information.
Now I have created a second, separate OU with a new, separate user with read access to the new OU.
When doing LDAP queries with this user in the new OU, the event log is missing the event.
So far I checked the attributes on the user and OU for a flag for logging, but can't see one.
I have disabled and re-enabled the registry keys and restarted the server to get it working.
Is there some other option I need to activate so that it works? Though I can't remember doing anything special when creating the first user / OU.
After a while I came across two additional parameters that need to be set under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_<Instance>\Parameters
There, add two additional DWORDs and set them to 1:
"Expensive Search Results Threshold"
"Inefficient Search Results Threshold"
Restart the service and any query will be in the event log.
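A PowerShell version of the procedure above, added here as an example and not part of the original post. The instance name, the Diagnostics subkey used for "15 Field Engineering", and the "ADAM (<Instance>)" event log name are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): set the two thresholds from the answer,
# restart the instance, and confirm that event 1644 is now being emitted.
# Run in an elevated PowerShell session on the AD LDS server.
param(
    [string]$Instance = 'MyInstance'   # placeholder: your AD LDS instance name
)

$svc  = "ADAM_$Instance"
$base = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

# 1. Debug logging for the Field Engineering category.
#    Assumption: AD LDS keeps this under the instance's Diagnostics subkey; level 5 is the verbose setting.
Set-ItemProperty -Path "$base\Diagnostics" -Name '15 Field Engineering' -Value 5 -Type DWord

# 2. The two thresholds from the answer. With both set to 1 every search is classified as
#    expensive/inefficient, so every query produces a 1644 event (expect high volume on a busy instance).
$thresholds = @{
    'Expensive Search Results Threshold'   = 1
    'Inefficient Search Results Threshold' = 1
}
foreach ($name in $thresholds.Keys) {
    Set-ItemProperty -Path "$base\Parameters" -Name $name -Value $thresholds[$name] -Type DWord
}

# Show the values that are now stored so the change can be verified before the restart.
Get-ItemProperty -Path "$base\Parameters" -Name @($thresholds.Keys) | Format-List -Property @($thresholds.Keys)
Get-ItemProperty -Path "$base\Diagnostics" -Name '15 Field Engineering' | Format-List -Property '15 Field Engineering'

# 3. Restart the instance service so the new values are picked up.
Restart-Service -Name $svc -Force

# 4. After running an LDAP query as the second user, look for 1644 events.
#    Assumption: the instance logs to an event log named "ADAM (<Instance>)".
Get-WinEvent -FilterHashtable @{ LogName = "ADAM ($Instance)"; Id = 1644 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

A threshold of 1 logs one 1644 event per search, so lower the verbosity again once you have confirmed the second user's queries appear.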