3.1.1.3.4.6 LDAP Policies

  • Article

The DC's LDAP interface supports various policies that can be configured by an administrator. The names of these policies are listed on the supportedLDAPPolicies attribute on the rootDSE. These policies are listed in the following table. The table also lists which applicable Windows Server releases and Active Directory Application Mode (ADAM) versions support which policies.

The table contains information for the following products. See section 3 for more information.

  • A --> Windows 2000 operating system

  • D --> Windows Server 2003 operating system

  • DR2 --> Windows Server 2003 R2 operating system

  • G --> ADAM

  • J --> Windows Server 2008 operating system

  • M --> Windows Server 2008 R2 operating system

  • R --> Windows Server 2012 operating system

  • U --> Windows Server 2012 R2 operating system

  • X --> Windows Server 2016 operating system

  • A2 --> Windows Server v1709 operating system

  • D2 --> Windows Server v1803 operating system

  • G2 --> Windows Server v1809 operating system

  • J2 --> Windows Server 2019 operating system

    Policy name

    A

    D, DR2, G, J

    M

    R

    U

    X, A2, D2, G2, J2

    MaxActiveQueries

    X*

    InitRecvTimeout

    X

    X

    X

    X

    X

    X

    MaxConnections

    X

    X

    X

    X

    X

    X

    MaxConnIdleTime

    X

    X

    X

    X

    X

    X

    MaxDatagramRecv

    X

    X

    X

    X

    X

    X

    MaxNotificationPerConn

    X

    X

    X

    X

    X

    X

    MaxPoolThreads

    X

    X

    X

    X

    X

    X

    MaxReceiveBuffer

    X

    X

    X

    X

    X

    X

    MaxPageSize

    X

    X

    X

    X

    X

    X

    MaxQueryDuration

    X

    X

    X

    X

    X

    X

    MaxResultSetSize

    X

    X

    X

    X

    X

    X

    MaxTempTableSize

    X

    X

    X

    X

    X

    X

    MaxValRange

    X

    X

    X

    X

    X

    MaxResultSetsPerConn

    X

    X

    X

    X

    MinResultSets

    X

    X

    X

    X

    MaxBatchReturnMessages

    X

    X

    X

    MaxPercentDirSyncRequest

    X

    X

    MaxValRangeTransitive

    X

    X

    ThreadMemoryLimit

    X

    X

    SystemMemoryLimitPercent

    X

    X

    MaxDirSyncDuration

    X

    SecurityDescriptorWarningSize**


* Support for this policy was removed in Windows Server 2003.

** Support for this policy exists only on Windows 11, version 22H2 operating system and later.

LDAP policies are specified using the lDAPAdminLimits attribute. The lDAPAdminLimits attribute of a queryPolicy object is a multivalued string where each string value encodes a name-value pair. In the encoding, the name and value are separated by an "=". For example, the encoding of the name "MaxActiveQueries" with value "0" is "MaxActiveQueries=0". Each name is the name of an LDAP policy, and the value is a value of that policy.

There can be multiple queryPolicy objects in a forest. A DC determines the queryPolicy object that contains its policies according to the following logic:

  • If the queryPolicyObject attribute is present on the DC's nTDSDSA object, the DC uses the queryPolicy object referenced by it.

  • Otherwise, if the queryPolicyObject attribute is present on the nTDSSiteSettings object for the site to which the DC belongs, the DC uses the queryPolicy object referenced by it.

  • Otherwise, the DC uses the queryPolicy object whose DN is "CN=Default Query Policy,CN=Query-Policies" relative to the nTDSService object (for example, "CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services" relative to the root of the config NC).

The effect of setting an LDAP policy is outside the state model. The effect of each policy, as well as the default value used if the policy's value is not specified in an lDAPAdminLimits attribute, is shown in the following table.

Policy name

Default value

Description

MaxActiveQueries

20

The maximum number of concurrent LDAP search operations that are permitted to run at the same time on a DC. When this limit is reached, the DC returns a busy / ERROR_DS_ADMIN_LIMIT_EXCEEDED error.

InitRecvTimeout

120

The maximum time, in seconds, that a DC waits for the client to send the first request after the DC receives a new connection. If the client does not send the first request in this amount of time, the server disconnects the client.

MaxConnections

5000

The maximum number of simultaneous LDAP connections that a DC will accept. If a connection comes in after the DC reaches this limit, the DC will drop another connection. The connection that is selected to drop is not constrained by the protocol and is determined based on the implementation.

MaxConnIdleTime

900

The maximum time, in seconds, that the client can be idle before the DC closes the connection. If a connection is idle for more than this time, the DC disconnects the client.

MaxDatagramRecv

4096

The maximum size, in bytes, of a UDP datagram request that a DC will process. Requests that are larger than this value are ignored by the DC.

MaxNotificationPerConn

5

The maximum number of outstanding notification search requests (using the LDAP_SERVER_NOTIFICATION_OID control) that the DC permits on a single connection. When this limit is reached, the server returns an adminLimitExceeded / ERROR_DS_ADMIN_LIMIT_EXCEEDED errorĀ  to any new notification searches that are requested on that connection.

MaxPoolThreads

4

The maximum number of threads per processor that a DC dedicates to listening for network input or output. This value also determines the maximum number of threads per processor that can work on LDAP requests at the same time.

MaxReceiveBuffer

10,485,760

The maximum size, in bytes, of a request that the server will accept. If the server receives a request that is larger than this, it will drop the connection.

MaxPageSize

1000

The maximum number of objects that are returned in a single search result, independent of how large each returned object is. To perform a search where the result might exceed this number of objects, the client MUST specify the paged search control.

MaxQueryDuration

120

The maximum time, in seconds, that a DC will spend on a single search or batched LDAP extended operation (in Windows Server 2012 and later). When this limit is reached, the DC returns a timeLimitExceeded / ERROR_INVALID_PARAMETER error.

MaxResultSetSize

262,144

The maximum number of bytes that a DC stores to optimize the individual searches that make up a paged search. The data that is stored is outside the state model and is implementation-specific.

MaxTempTableSize

10,000

The maximum number of rows that a DC will create in a temporary database table to hold intermediate results during query processing.

MaxValRange

1500

The maximum number of values that can be retrieved from a multivalued attribute in a single search request. Windows 2000 DCs do not support this policy and instead always use a setting of 1000 values.

MaxResultSetsPerConn

10

The maximum number of individual paged searches per LDAP connection for which a DC will store optimization data. The data that is stored is outside the state model and is implementation-specific.

MinResultSets

3

The minimum number of individual paged searches for which a DC will store optimization data. The data that is stored is outside the state model and is implementation-specific.

MaxBatchReturnMessages

1100

The maximum number of messages that can be returned when processing an LDAP_SERVER_BATCH_REQUEST_OID extended operation (section 3.1.1.3.4.2.5).

MaxPercentDirSyncRequests

100

The maximum percentage of LDAP threads that can be performing a search using the LDAP_SERVER_DIRSYNC_OID or LDAP_SERVER_DIRSYNC_EX_OID at one time.

MaxValRangeTransitive

4500

The maximum number of values that can be retrieved from one of the following multivalued, constructed attributes in a single search request:

3.1.1.4.5.19 - tokenGroups, tokenGroupsNoGCAcceptable

3.1.1.4.5.42 - msds-tokenGroupNames, msds-tokenGroupNamesNoGCAcceptable

3.1.1.4.5.43 - msds-tokenGroupNamesGlobalAndUniversal

3.1.1.4.5.20 - tokenGroupsGlobalAndUniversal

This policy is effective only when the fTreatTokenGroupsAsLDAPTransitiveAttribute dsHeuristic is TRUE (section 6.1.1.2.4.1.2).

Note: The ability to use LDAP limits to configure the maximum number of objects retrievable by the msds-TokenGroup* family constructed attributes, is supported in Windows 11 v22H2 and later, and in the operating systems specified in [MSKB-5011543], [MSKB-5011551], [MSKB-5011558], and [MSKB-5011563], each with the corresponding KB package installed.

This policy is significant on Windows 10 v1903 operating system and later and Windows Server v1903 operating system and later. It otherwise has no significance.

ThreadMemoryLimit

none

This policy affects implementation-specific memory allocation and limits.

SystemMemoryLimitPercent

none

This policy affects implementation-specific memory allocation and limits.

MaxDirSyncDuration

60

The maximum time, in seconds, that a DC will spend on a single search when using the LDAP_SERVER_DIRSYNC_OID or LDAP_SERVER_DIRSYNC_EX_OID controls. When this limit is reached, the DC returns a timeLimitExceeded / ERROR_INVALID_PARAMETER error.

SecurityDescriptorWarningSize

61,440

This policy controls when warning events will be logged for originating writes to the ntSecurityDescriptor attribute that meet or exceed the configured size value.