LDAP Policy Management Tasks

Windows Server TechCenter

Printer Friendly Version

Send

TechNet Library

TechNet Library

Windows Server 2003

Windows Server 2003: Deployment Whi...

Best Practices for Delegating Activ...

Best Practices for Delegating Activ...

Appendix A: Active Directory Admini...

Active Directory Service Administra...

LDAP Policy Management Tasks

LDAP Policy Management Tasks

Updated: December 5, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Task	Permissions Required to Perform Task
Configure the server to require all LDAP traffic to be signed	The registry entry ldapserverintegrity in HKLM/System/CurrentControlSet/Services/NTDS/Parameters is modified Thus, appropriate permissions required to modify this registry key will be required to delegate the operation
Create a new Query Policy object	CC on cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to create objects of class Query-Policy
Modify the LDAP admin limits associated with a query policy object	WP on the corresponding Query Policy object under cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the LDAP-Admin-Limits attribute
Affect the LDAP query policies associated with a specific DC	WP on the corresponding NTDS-Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the Query-Policy-Object attribute and assign as value the distinguished name of the Query-Policy object that contains the LDAP query policies that should be used for this DC
Affect the LDAP query policies associated with all domain controllers in a site	WP on the corresponding NTDS-Site-Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the Query-Policy-object attribute and assign as value the distinguished name of the Query-Policy object that contains the LDAP query policies that should be used for all Domain controllers in this site
Specify the maximum time (in seconds) that the server waits for the initial request before the connection closes	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the maximum number of concurrent LDAP connections allowed on the server	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the maximum amount of time (in seconds) that the client is allowed to be idle before the connection is closed	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the maximum number of concurrent search operations allowed on the server	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the maximum number of concurrent notification requests allowed per connection on the server	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the maximum number of objects the server will return to any single search request	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the maximum elapsed time (in seconds) allowed for a query to complete	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the limit (in candidate objects) of the temporary database table the server might create for intermediate results during the course of query	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the total amount of intermediate data that the server will store for the client between the individual searches that make up a paged result search (in order to speed up the next leg of the search)	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the maximum number of threads per processor that can be simultaneously allocated to answer LDAP requests	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the maximum size of datagrams that can be received by the server	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
Specify the maximum sized LDAP request (in bytes) that the server will attempt to process	WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object - OR - WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Tags

What's this?

: Add a tag

Community Content

What is Community Content?

Add new content

Annotations

Processing

© 2010 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement