Have you ever wondered what LDAP queries were hitting your domain controllers? Even outside of fun investigations, it can be insightful to get a sampling of queries hitting your domain controller. The more services you have integrated with Active Directory, the more likely a vendor or sysadmin unwittingly configured their service to produce evil queries.
Mark Morowczynski from Microsoft wrote a great post on finding these expensive, inefficient, or long running queries - But something was missing. Screen shots of regedit? If you have more than a handful of domain controllers, enabling and disabling this logging is going to be quite a chore.
Here's a quick bit on using PowerShell to enable and disable this logging quickly. Take a peek, you might find some misbehaving applications.