LDAP Policy Management Tasks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Each task below is followed by the permissions required to perform it (CC = Create Child, WP = Write Property).

Configure the server to require all LDAP traffic to be signed

The registry entry LDAPServerIntegrity under HKLM\System\CurrentControlSet\Services\NTDS\Parameters is modified.

Thus, delegating this operation requires granting whatever permissions are needed to modify that registry key.

Create a new Query Policy object

CC (Create Child) on cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=<forestRootDomain> to create objects of class Query-Policy

Modify the LDAP admin limits associated with a query policy object

WP (Write Property) on the corresponding Query Policy object under cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=<forestRootDomain> to modify the LDAP-Admin-Limits attribute

Affect the LDAP query policies associated with a specific DC

WP on the corresponding NTDS-Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the Query-Policy-Object attribute and assign as value the distinguished name of the Query-Policy object that contains the LDAP query policies that should be used for this DC

Affect the LDAP query policies associated with all domain controllers in a site

WP on the corresponding NTDS-Site-Settings object with distinguished name cn=NTDS Site Settings,cn=<SiteName>,cn=Sites,cn=Configuration,dc=<forestRootDomain> to modify the Query-Policy-Object attribute and assign as value the distinguished name of the Query-Policy object that contains the LDAP query policies that should be used for all domain controllers in this site

Specify the maximum time (in seconds) that the server waits for the initial request before the connection closes

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of concurrent LDAP connections allowed on the server

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum amount of time (in seconds) that the client is allowed to be idle before the connection is closed

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of concurrent search operations allowed on the server

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of concurrent notification requests allowed per connection on the server

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of objects the server will return to any single search request

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum elapsed time (in seconds) allowed for a query to complete

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the limit (in candidate objects) of the temporary database table the server might create for intermediate results during the course of a query

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the total amount of intermediate data that the server will store for the client between the individual searches that make up a paged result search (in order to speed up the next leg of the search)

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of threads per processor that can be simultaneously allocated to answer LDAP requests

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum size of datagrams that can be received by the server

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum-size LDAP request (in bytes) that the server will attempt to process

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object
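Every "Specify the maximum ..." task above resolves the governing Query-Policy object the same way: the NTDS-Settings object of the DC, then the NTDS-Site-Settings object of its site, then the Default Query Policy. The following PowerShell is an added example, not code from the original page; it walks that three-step resolution for one DC and reads the resulting ldapAdminLimits values, which is also the object an administrator must hold WP on. It assumes the RSAT ActiveDirectory module is installed and that the DC name passed in is a placeholder.

```powershell
# Added example: resolve the effective LDAP query policy for a DC.
# Assumes the ActiveDirectory module; 'DC01' below is a constructed placeholder.
Import-Module ActiveDirectory

function Get-EffectiveLdapQueryPolicy {
    param([Parameter(Mandatory)][string]$DomainController)

    $rootDse  = Get-ADRootDSE -Server $DomainController
    $configNC = $rootDse.configurationNamingContext
    # dsServiceName is the DN of this DC's own NTDS Settings object:
    # cn=NTDS Settings,cn=<Computer-Name>,cn=Servers,cn=<SiteName>,cn=Sites,cn=Configuration,...
    $ntdsDn = $rootDse.dsServiceName
    $ntds   = Get-ADObject -Identity $ntdsDn -Properties queryPolicyObject -Server $DomainController

    if ($ntds.queryPolicyObject) {
        # Step 1: DC-specific policy referenced from the NTDS-Settings object
        $policyDn = $ntds.queryPolicyObject; $source = 'NTDS-Settings'
    } else {
        # Step 2: site-wide policy referenced from the NTDS-Site-Settings object.
        # Strip the first three RDNs of the NTDS Settings DN to get the site DN.
        $siteDn = ($ntdsDn -split ',', 4)[3]
        $siteSettings = Get-ADObject -Identity "CN=NTDS Site Settings,$siteDn" `
            -Properties queryPolicyObject -Server $DomainController
        if ($siteSettings.queryPolicyObject) {
            $policyDn = $siteSettings.queryPolicyObject; $source = 'NTDS-Site-Settings'
        } else {
            # Step 3: neither object references a policy, so the forest default applies
            $policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
                        "CN=Windows NT,CN=Services,$configNC"
            $source = 'Default Query Policy'
        }
    }

    # lDAPAdminLimits is multi-valued; each value is "Name=Value" (e.g. "MaxConnections=5000")
    $policy = Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits -Server $DomainController
    $limits = @{}
    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $value = $entry -split '=', 2
        $limits[$name] = [int]$value
    }
    [pscustomobject]@{
        DomainController = $DomainController
        PolicySource     = $source     # which of the three steps supplied the policy
        PolicyDN         = $policyDn   # the object that needs WP to change these limits
        Limits           = $limits
    }
}

Get-EffectiveLdapQueryPolicy -DomainController 'DC01'
```

PolicyDN is the object on which WP must be delegated for any of the limit tasks above; comparing PolicySource across DCs shows which ones have silently inherited a site or default policy.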