You want to log inefficient and expensive LDAP queries to the Directory Services event log.

To log a summary report about the total number of searches, total expensive searches, and total inefficient searches to the Directory Services event log, set the 15 Field Engineering diagnostics logging setting to 4. This summary is generated every 12 hours during the garbage collection cycle.

To log an event to the Directory Services event log every time an expensive or inefficient search occurs, set the 15 Field Engineering diagnostics logging setting to 5.

See Recipe 15.2 for more on enabling diagnostics logging.

A search is considered expensive if it has to visit a large number of objects in Active Directory. A search is considered inefficient if it returns less than 10% of the total objects it visits. The default threshold for an expensive query is 10,000. That means any search that visits 10,000 or more objects would be considered expensive. The default bottom limit for an inefficient query is 1,000. If a query visited 1,000 objects and only returned 99 of them (less than 10%), it would be considered inefficient. If it returned 900 instead, it would not be considered inefficient. To summarize, with 1,000 being the default bottom threshold, no search that visits less than 1,000 entries (even if it visited 999 and returned 0) would be considered inefficient.

Here is an example summary report event that is ...