You want to view or modify the default LDAP query policy of a forest. The query policy contains settings that restrict search behavior, such as the maximum number of entries that can be returned from a search.
1. Open ADSI Edit.
2. In the Configuration partition, browse to Services → Windows NT → Directory Service → Query Policies.
3. In the left pane, click on the Query Policies container, then right-click on the Default Query Policy object in the right pane, and select Properties.
4. Double-click on the lDAPAdminLimits attribute.
5. Select the name/value pair for the setting you want to modify and click Remove.
6. Modify the value in the Value to add box and click Add.
7. Click OK twice.
To view the current settings, use the following command:

```
> ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q "show values"
```

To change the MaxPageSize value to 2000, you can do the following:

```
> ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q
ldap policy: set MaxPageSize to 2000
ldap policy: Commit Changes
```
```vbscript
' This code modifies a setting of the default query policy for a forest
' ------ SCRIPT CONFIGURATION ------
pol_attr = "MaxPageSize"   ' Set to the name of the setting you want to modify
new_value = 1000           ' Set to the value of the setting you want to modify
' ------ END CONFIGURATION ---------

Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

' Bind to the default query policy in the Configuration partition
set rootDSE = GetObject("LDAP://RootDSE")
set ldapPol = GetObject("LDAP://cn=Default Query Policy,cn=Query-Policies," & _
                        "cn=Directory Service,cn=Windows NT,cn=Services," & _
                        rootDSE.Get("configurationNamingContext") )

' Match "<SettingName>=" at the beginning of each lDAPAdminLimits value
set regex = new regexp
regex.IgnoreCase = true
regex.Pattern = "^" & pol_attr & "="

for Each prop In ldapPol.GetEx("lDAPAdminLimits")
   if regex.Test(prop) then
      if prop = pol_attr & "=" & new_value then
         WScript.Echo pol_attr & " already equal to " & new_value
      else
         ' Append the new name/value pair first, then remove the old one
         ldapPol.PutEx ADS_PROPERTY_APPEND, "lDAPAdminLimits", _
                       Array( pol_attr & "=" & new_value )
         ldapPol.SetInfo
         ldapPol.PutEx ADS_PROPERTY_DELETE, "lDAPAdminLimits", Array(prop)
         ldapPol.SetInfo
         WScript.Echo "Set " & pol_attr & " to " & new_value
      end if
      Exit For
   end if
next
```
The LDAP query policy contains several settings that control how domain controllers handle searches. By default, one query policy is defined for all domain controllers in a forest, but you can create additional ones and apply them to a specific domain controller or even at the site level (so that all domain controllers in the site use that policy).
Query policies are stored in the Configuration NC as queryPolicy objects. The default query policy is located at: cn=Default Query Policy,cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,<ConfigurationPartitionDN>.

The lDAPAdminLimits attribute of a queryPolicy object is multivalued and contains each setting for the policy in name-value pairs. Table 4-4 contains the available settings.
Table 4-4. LDAP query policy settings

| Name | Default value | Description |
|---|---|---|
| MaxPoolThreads | 4 per proc | Maximum number of threads that are created by the DC for query execution. |
| MaxDatagramRecv | 4096 | Maximum number of datagrams that can be simultaneously processed by the DC. |
| MaxReceiveBuffer | 10485760 | Maximum size in bytes for an LDAP request that the server will attempt to process. If the server receives a request that is larger than this value, it will close the connection. |
| InitRecvTimeout | 120 secs | Initial receive time-out. |
| MaxConnections | 5000 | Maximum number of open connections. |
| MaxConnIdleTime | 900 secs | Maximum amount of time a connection can be idle. |
| MaxActiveQueries | 20 | Maximum number of queries that can be active at one time. |
| MaxPageSize | 1000 | Maximum page size that is supported for LDAP responses. |
| MaxQueryDuration | 120 secs | Maximum length of time the domain controller can execute a query. |
| MaxTempTableSize | 10000 | Maximum size of temporary storage that is allocated to execute queries. |
| MaxResultSetSize | 262144 | Maximum size of the LDAP result set. |
| MaxNotificationPerConn | 5 | Maximum number of notifications that a client can request for a given connection. |
Since the settings are stored as name/value pairs inside a single attribute, also referred to as AVAs, the VBScript solution has to iterate over each value and use a regular expression to determine when the target setting has been found. It does this by matching <SettingName>= at the beginning of the string. See Recipe 4.16 for more on AVAs.
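The same AVA parsing, done as an audit in PowerShell, is an added example and not code from the cookbook: it reads the default policy, splits each lDAPAdminLimits value on its first "=", reports any setting that differs from the Table 4-4 defaults, and shows the same add-then-remove edit the VBScript performs. It assumes the ActiveDirectory module (RSAT) is installed; the policy name and values are the ones on this page.

```powershell
Import-Module ActiveDirectory

# Table 4-4 defaults as stored in the attribute (MaxPoolThreads is "4 per proc").
$defaults = @{
    MaxPoolThreads = '4';    MaxDatagramRecv = '4096';   MaxReceiveBuffer = '10485760'
    InitRecvTimeout = '120'; MaxConnections = '5000';    MaxConnIdleTime = '900'
    MaxActiveQueries = '20'; MaxPageSize = '1000';       MaxQueryDuration = '120'
    MaxTempTableSize = '10000'; MaxResultSetSize = '262144'; MaxNotificationPerConn = '5'
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNC"
$policy   = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits

# Each value is an AVA of the form <SettingName>=<Value>. Anchor the name at the
# start of the string and split on the first '=' only (hashtable keys are
# case-insensitive, matching LDAP attribute-value comparison for these names).
$current = @{}
foreach ($ava in $policy.lDAPAdminLimits) {
    if ($ava -match '^([^=]+)=(.*)$') { $current[$Matches[1]] = $Matches[2] }
}

# Report every setting, flagging values that deviate from the defaults.
foreach ($name in ($defaults.Keys | Sort-Object)) {
    $value = $current[$name]
    if ($null -eq $value)                { "$name : not set (default $($defaults[$name]))" }
    elseif ($value -ne $defaults[$name]) { "$name : $value (default $($defaults[$name])) <-- changed" }
    else                                 { "$name : $value" }
}

# Changing one setting is a two-step edit of the multivalued attribute, as in
# the VBScript: append the new AVA, then remove the old one.
function Set-QueryPolicyLimit {
    param([string]$Name, [string]$NewValue)
    $old = @($policy.lDAPAdminLimits | Where-Object { $_ -match "^$Name=" })
    if ($old -contains "$Name=$NewValue") { return "$Name already equal to $NewValue" }
    Set-ADObject -Identity $policyDN -Add @{ lDAPAdminLimits = "$Name=$NewValue" }
    if ($old.Count -gt 0) {
        Set-ADObject -Identity $policyDN -Remove @{ lDAPAdminLimits = $old }
    }
    "Set $Name to $NewValue"
}
# Set-QueryPolicyLimit -Name MaxPageSize -NewValue 2000
```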
Warning: You should not change the default query policy in production unless you’ve done plenty of testing. Changing some of the settings may result in unexpected application or domain controller behavior.
Instead of modifying the default LDAP query policy, you can create a new one. In the Query Policies container (where the default query policy object is located), create a new queryPolicy object and set the lDAPAdminLimits attribute as just described based on the settings you want configured. Then modify the queryPolicyObject attribute on the nTDSDSA object of a domain controller you want to apply the new policy to. This can be done via the Active Directory Sites and Services snap-in by browsing to the nTDSDSA object of a domain controller (cn=NTDS Settings), right-clicking on it, and selecting Properties. You can then select the new policy from a drop-down menu beside Query Policy. Click OK to apply the new policy.
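The create-and-assign procedure above, as an added PowerShell example that is not part of the cookbook: it clones the default policy's settings into a new queryPolicy object with one override, points a single domain controller's nTDSDSA object at it, and then lists which policy every DC uses so the change can be verified. The policy name "Large Page Policy" and the DC name DC1 are placeholders; the ActiveDirectory module is assumed.

```powershell
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$policyCN  = 'Large Page Policy'   # placeholder name for the new policy
$dcName    = 'DC1'                 # placeholder domain controller

# Start from the default policy's AVAs and override only the setting we need,
# so every other limit on the new policy matches the forest default.
$default = Get-ADObject -Identity "CN=Default Query Policy,$container" -Properties lDAPAdminLimits
$limits  = @($default.lDAPAdminLimits | Where-Object { $_ -notmatch '^MaxPageSize=' })
$limits += 'MaxPageSize=2000'

New-ADObject -Name $policyCN -Type queryPolicy -Path $container `
    -OtherAttributes @{ lDAPAdminLimits = $limits }

# Point the DC's nTDSDSA object (CN=NTDS Settings) at the new policy; only this
# DC is affected, the default policy itself is untouched.
$ntdsDN = (Get-ADDomainController -Identity $dcName).NTDSSettingsObjectDN
Set-ADObject -Identity $ntdsDN -Replace @{ queryPolicyObject = "CN=$policyCN,$container" }

# Verify: list every DC's nTDSDSA object with the policy it now references
# (an empty queryPolicyObject means the DC uses the default policy).
Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSDSA)' -Properties queryPolicyObject |
    Select-Object DistinguishedName, queryPolicyObject
```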