4.23.1 Problem

You want to view or modify the default LDAP query policy of a forest. The query policy contains settings that restrict search behavior, such as the maximum number of entries that can be returned from a search.

4.23.2 Solution

4.23.2.1 Using a graphical user interface
4.23.2.2 Using a command-line interface

To view the current settings, use the following command:

    > ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q "show values"

To change the MaxPageSize value to 2000, you can do the following:

    > ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q
    ldap policy: set MaxPageSize to 2000
    ldap policy: Commit Changes

4.23.2.3 Using VBScript

    ' This code modifies a setting of the default query policy for a forest
    ' ------ SCRIPT CONFIGURATION ------
    pol_attr = "MaxPageSize"   ' Set to the name of the setting you want to modify
    new_value = 1000           ' Set to the value of the setting you want to modify
    ' ------ END CONFIGURATION ---------

    Const ADS_PROPERTY_APPEND = 3
    Const ADS_PROPERTY_DELETE = 4

    ' Bind to the Default Query Policy object in the Configuration NC
    set rootDSE = GetObject("LDAP://RootDSE")
    set ldapPol = GetObject("LDAP://cn=Default Query Policy,cn=Query-Policies," & _
                            "cn=Directory Service,cn=Windows NT,cn=Services," & _
                            rootDSE.Get("configurationNamingContext") )

    ' Match "<SettingName>=" at the beginning of each lDAPAdminLimits value
    set regex = new regexp
    regex.IgnoreCase = true
    regex.Pattern = "^" & pol_attr & "="

    for Each prop In ldapPol.GetEx("ldapAdminLimits")
       if regex.Test(prop) then
          if prop = pol_attr & "=" & new_value then
             WScript.Echo pol_attr & " already equal to " & new_value
          else
             ' Append the new name=value pair first, then delete the old one
             ldapPol.PutEx ADS_PROPERTY_APPEND, "lDAPAdminLimits", _
                           Array( pol_attr & "=" & new_value )
             ldapPol.SetInfo
             ldapPol.PutEx ADS_PROPERTY_DELETE, "lDAPAdminLimits", Array(prop)
             ldapPol.SetInfo
             WScript.Echo "Set " & pol_attr & " to " & new_value
          end if
          Exit For
       end if
    next

4.23.3 Discussion

The LDAP query policy contains several settings that control how domain controllers handle searches. By default, one query policy is defined for all domain controllers in a forest, but you can create additional ones and apply them to a specific domain controller or even at the site level (so that all domain controllers in the site use that policy). Query policies are stored in the Configuration NC as queryPolicy objects.
The default query policy is located at: cn=Default Query Policy, cn=Query-Policies, cn=Directory Service, cn=Windows NT, cn=Services, <ConfigurationPartitionDN>. The lDAPAdminLimits attribute of a queryPolicy object is multivalued and contains each setting for the policy in name-value pairs. Table 4-4 contains the available settings.
Since the settings are stored as name/value pairs (also referred to as AVAs) inside a single multivalued attribute, the VBScript solution has to iterate over each value and use a regular expression to determine when the target setting has been found. It does this by matching <SettingName>= at the beginning of the string. See Recipe 4.16 for more on AVAs.
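The same view-and-modify sequence with the ActiveDirectory PowerShell module, added here as an example and not part of the cookbook's own solutions. It assumes the RSAT ActiveDirectory module is installed and that the account running it can write the queryPolicy object; the function names Get-LdapAdminLimits and Set-LdapAdminLimit are this example's own.

```powershell
# Added example (not from the cookbook): read and change one lDAPAdminLimits
# setting on the Default Query Policy, using the same append-then-delete
# order as the VBScript solution, then list which policy each DC references.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services," + $rootDse.configurationNamingContext

function Get-LdapAdminLimits {
    # Returns the policy's name=value pairs as a hashtable (hypothetical helper).
    param([string]$Dn)
    $pol    = Get-ADObject -Identity $Dn -Properties lDAPAdminLimits
    $limits = @{}
    foreach ($ava in $pol.lDAPAdminLimits) {
        $name, $value  = $ava -split '=', 2     # split on the first '=' only
        $limits[$name] = [int]$value
    }
    return $limits
}

function Set-LdapAdminLimit {
    # Appends the new AVA, then removes the old one, so the setting is never
    # missing from the attribute in between. Two calls are used on purpose:
    # a single Set-ADObject with -Add and -Remove applies the Remove first.
    param([string]$Dn, [string]$Name, [int]$Value)
    $pol = Get-ADObject -Identity $Dn -Properties lDAPAdminLimits
    $old = $pol.lDAPAdminLimits | Where-Object { $_ -match "^$Name=" }
    if ($old -eq "$Name=$Value") {
        Write-Host "$Name already equal to $Value"
        return
    }
    Set-ADObject -Identity $Dn -Add @{ lDAPAdminLimits = "$Name=$Value" }
    if ($old) { Set-ADObject -Identity $Dn -Remove @{ lDAPAdminLimits = $old } }
    Write-Host "Set $Name to $Value"
}

# Show the current values, then change MaxPageSize as the recipe does.
Get-LdapAdminLimits -Dn $policyDn | Format-Table -AutoSize
Set-LdapAdminLimit -Dn $policyDn -Name 'MaxPageSize' -Value 2000

# Inventory: which queryPolicy object does each DC's nTDSDSA object point to?
# An empty queryPolicyObject means no DC-specific policy (the site policy or
# the default applies), so any populated value is worth reviewing.
Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(objectClass=nTDSDSA)' -Properties queryPolicyObject |
    Select-Object @{ n = 'DC'; e = { $_.DistinguishedName } }, queryPolicyObject
```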
Instead of modifying the default LDAP query policy, you can create a new one. In the Query Policies container (where the default query policy object is located), create a new queryPolicy object and set the lDAPAdminLimits attribute as just described based on the settings you want configured. Then modify the queryPolicyObject attribute on the nTDSDSA object of a domain controller you want to apply the new policy to. This can be done via the Active Directory Sites and Services snap-in by browsing to the nTDSDSA object of a domain controller (cn=NTDS Settings), right-clicking on it, and selecting Properties. You can then select the new policy from a drop-down menu beside Query Policy. Click OK to apply the new policy.

4.23.4 See Also

MS KB 315071 (HOW TO: View and Set Lightweight Directory Access Protocol Policies by Using Ntdsutil.exe in Windows 2000)