Export (0) Print
Expand All

LDAP Policy Management Tasks

Updated: December 5, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

 

Task Permissions Required to Perform Task

Configure the server to require all LDAP traffic to be signed

The registry entry ldapserverintegrity in HKLM/System/CurrentControlSet/Services/NTDS/Parameters is modified

Thus, appropriate permissions required to modify this registry key will be required to delegate the operation

Create a new Query Policy object

CC on cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to create objects of class Query-Policy

Modify the LDAP admin limits associated with a query policy object

WP on the corresponding Query Policy object under cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the LDAP-Admin-Limits attribute

Affect the LDAP query policies associated with a specific DC

WP on the corresponding NTDS-Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the Query-Policy-Object attribute and assign as value the distinguished name of the Query-Policy object that contains the LDAP query policies that should be used for this DC

Affect the LDAP query policies associated with all domain controllers in a site

WP on the corresponding NTDS-Site-Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the Query-Policy-object attribute and assign as value the distinguished name of the Query-Policy object that contains the LDAP query policies that should be used for all Domain controllers in this site

Specify the maximum time (in seconds) that the server waits for the initial request before the connection closes

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of concurrent LDAP connections allowed on the server

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum amount of time (in seconds) that the client is allowed to be idle before the connection is closed

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of concurrent search operations allowed on the server

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of concurrent notification requests allowed per connection on the server

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of objects the server will return to any single search request

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum elapsed time (in seconds) allowed for a query to complete

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the limit (in candidate objects) of the temporary database table the server might create for intermediate results during the course of query

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the total amount of intermediate data that the server will store for the client between the individual searches that make up a paged result search (in order to speed up the next leg of the search)

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum number of threads per processor that can be simultaneously allocated to answer LDAP requests

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum size of datagrams that can be received by the server

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Specify the maximum sized LDAP request (in bytes) that the server will attempt to process

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on cn=<Referenced Query Policy>,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute of the corresponding NTDS-Site-Settings object is defined and references the <Referenced Query Policy> object

- OR -

WP on the object cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<forestRootDomain> to modify the ldapAdminLimits attribute IF the Query-Policy attribute is not defined on either the corresponding NTDS-Settings object or the NTDS-Site-Settings object

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft