4.23. Modifying the Default LDAP Query Policy

Problem

You want to view or modify the default LDAP query policy of a forest. The query policy contains settings that restrict search behavior, such as the maximum number of entries that can be returned from a search.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. In the Configuration partition, browse to Services Windows NT Directory Service Query Policies.

  3. In the left pane, click on the Query Policies container, then right-click on the Default Query Policy object in the right pane, and select Properties.

  4. Double-click on the lDAPAdminLimits attribute.

  5. Click on the attribute you want to modify and click Remove.

  6. Modify the value in the Value to add box and click Add.

  7. Click OK twice.

Using a command-line interface

To view the current settings, use the following command:

> ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q "show values"

To change the MaxPageSize value to 2000, you can do the following:

> ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q
ldap policy: set MaxPageSize to 2000
ldap policy: Commit Changes

Using VBScript

' This code modifies a setting of the default query policy for a forest
' ------ SCRIPT CONFIGURATION ------
pol_attr  = "MaxPageSize" ' Set to the name of the setting you want to modify
new_value = 1000          ' Set to the value of the setting you want modify
' ------ END CONFIGURATION ---------

Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

set rootDSE = GetObject("LDAP://RootDSE")
set ldapPol = GetObject("LDAP://cn=Default Query Policy,cn=Query-Policies," & _
                "cn=Directory Service,cn=Windows NT,cn=Services," & _
                rootDSE.Get("configurationNamingContext") )
set regex = new regexp
regex.IgnoreCase = true
regex.Pattern = pol_attr & "="
for Each prop In ldapPol.GetEx("ldapAdminLimits")
   if regex.Test(prop) then
      if prop = pol_attr & "=" & new_value then
         WScript.Echo pol_attr & " already equal to " & new_value
      else 
         ldapPol.PutEx ADS_PROPERTY_APPEND, "lDAPAdminLimits", _
                    Array( pol_attr & "=" & new_value )
         ldapPol.SetInfo
         ldapPol.PutEx ADS_PROPERTY_DELETE, "lDAPAdminLimits", Array(prop)
         ldapPol.SetInfo
         WScript.Echo "Set " & pol_attr & " to " & new_value
      end if
      Exit For
   end if
next

Discussion

The LDAP query policy contains several settings that control how domain controllers handle searches. By default, one query policy is defined for all domain controllers in a forest, but you can create additional ones and apply them to a specific domain controller or even at the site level (so that all domain controllers in the site use that policy).

Query policies are stored in the Configuration NC as queryPolicy objects. The default query policy is located at: cn=Default Query Policy, cn=Query-Policies, cn=Directory Service, cn=Windows NT, cn=Services, < ConfigurationPartitionDN>. The lDAPAdminLimits attribute of a queryPolicy object is multivalued and contains each setting for the policy in name-value pairs. Table 4-4 contains the available settings.

Table 4-4. LDAP query policy settings

Name

Default value

Description

MaxPoolThreads

4 per proc

Maximum number of threads that are created by the DC for query execution.

MaxDatagramRecv

4096

Maximum number of datagrams that can be simultaneously processed by the DC.

MaxReceiveBuffer

10485760

Maximum size in bytes for an LDAP request that the server will attempt to process. If the server receives a request that is larger then this value, it will close the connection.

InitRecvTimeout

120 secs

Initial receive time-out.

MaxConnections

5000

Maximum number of open connections.

MaxConnIdleTime

900 secs

Maximum amount of time a connection can be idle.

MaxActiveQueries

20

Maximum number of queries that can be active at one time.

MaxPageSize

1000

Maximum page size that is supported for LDAP responses.

MaxQueryDuration

120 secs

Maximum length of time the domain controller can execute a query.

MaxTempTableSize

10000

Maximum size of temporary storage that is allocated to execute queries.

MaxResultSetSize

262144

Maximum size of the LDAP Result Set.

MaxNotificationPerConn

5

Maximum number of notifications that a client can request for a given connection.

Since the settings are stored as name/value pairs inside a single attribute, also referred to as AVAs, the VBScript solution has to iterate over each value and use a regular expression to determine when the target setting has been found. It does this by matching <SettingName> = at the beginning of the string. See Recipe 4.16 for more on AVAs.

Warning

You should not change the default query policy in production unless you’ve done plenty of testing. Changing some of the settings may result in unexpected application or domain controller behavior.

Instead of modifying the default LDAP query policy, you can create a new one. In the Query Policies container (where the default query policy object is located), create a new queryPolicy object and set the lDAPAdminLimits attribute as just described based on the settings you want configured. Then modify the queryPolicyObject attribute on the nTDSDSA object of a domain controller you want to apply the new policy to. This can be done via the Active Directory Sites and Services snap-in by browsing to the nTDSDSA object of a domain controller (cn=NTDS Settings), right-clicking on it, and selecting Properties. You can then select the new policy from a drop-down menu beside Query Policy. Click OK to apply the new policy.

See Also

MS KB 315071 (HOW TO: View and Set Lightweight Directory Access Protocol Policies by Using Ntdsutil.exe in Windows 2000)

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.