DS-Heuristics attribute

Contains global settings for the entire forest.

Information about the AdminSDHolder exclusion bits is available on the Microsoft Help and Support website in article 817433, "Delegated permissions are not available and inheritance is automatically disabled."

| Property | Value |
|---|---|
| CN | DS-Heuristics |
| Ldap-Display-Name | dSHeuristics |
| Size | - |
| Update Privilege | - |
| Update Frequency | - |
| Attribute-Id | 1.2.840.113556.1.2.212 |
| System-Id-Guid | f0f8ff86-1191-11d0-a060-00aa006c33ed |
| Syntax | String(Unicode) |

Implementations

This attribute is defined in the schema of Windows 2000 Server, Windows Server 2003, ADAM, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012. Its schema properties are the same in each of these implementations:

| Property | Value |
|---|---|
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | NTDS-Service |

Remarks

Each Active Directory forest contains a DS-Heuristics attribute that contains settings for the entire forest. The DS-Heuristics attribute is an attribute of the "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<Domain>" object.

DS-Heuristics is a Unicode string in which each character contains a value for a single domain-wide setting. The DS-Heuristics string takes the following format.

| <1> | <2> | <3> | <4> | <5> | <6> | <7> | <8> | <9> | <10> | <11> | <12> | <13> |

To provide data validation, every tenth character is set to its character number divided by ten: the tenth character is '1', the twentieth character is '2', and so on.

Any character that is not set is assumed to be '0'. If the DS-Heuristics attribute is not set at all, every value is assumed to be '0'. Only 13 characters are currently in use, and it is not necessary to pad the string to all 13 characters. For example, if the highest character being used is 7, the string "0000002" is acceptable.

Each character has the following meaning:

  1. Adjusts the behavior of Ambiguous Name Resolution (ANR) search filters. Characters 1, 2 and 4 are used for this purpose. See the ANR Search Filters section for additional information about these characters.
  2. Adjusts the behavior of Ambiguous Name Resolution (ANR) search filters. Characters 1, 2 and 4 are used for this purpose. See the ANR Search Filters section below for additional information on these characters.
  3. Enforces the list object rights. If this character is '0', a user must have the ADS_RIGHT_ACTRL_DS_LIST right on the parent object to list any child objects. If the user does not have this right on the parent, none of the child objects can be listed. If this character is set to '1' then Active Directory will honor the ADS_RIGHT_ACTRL_DS_LIST right for specific child objects even if the user does not have this right on the parent. Setting this character to '1' can greatly increase the number of access check calls that are made, and can have a significant negative effect on performance.
  4. Adjusts the behavior of Ambiguous Name Resolution (ANR) search filters. Characters 1, 2, and 4 are used for this purpose. See the ANR Search Filters section for additional information about these characters.
  5. Reserved for internal use.
  6. Reserved for internal use.
  7. Controls whether anonymous operations other than a rootDSE search will be allowed through LDAP. If this character is set to '2', anonymous clients will be able to perform any operation that is permitted by the ACL. If this character is set to any other value, anonymous clients are only allowed to perform rootDSE searches and binds.
  8. Used internally.
  9. Controls the behavior of the User-Password attribute. In Windows 2000, the User-Password attribute acted like a normal string attribute that could be read and updated normally. If this character is set to '1' then Windows Server 2003 servers will treat the User-Password attribute as a real password attribute. This means that updates to the attribute will require the appropriate change-password permissions and the attribute will not be readable. In Active Directory Application Mode (ADAM), the default is to treat User-Password as a real password attribute. If this character is set to '2', the Windows Server 2003 servers will revert to the Windows 2000 behavior.
  10. Always '1' for data validation.
  11. Reserved for internal use.
  12. Reserved for internal use.
  13. ADAM only. If this character is set to anything but '0', then password operations are allowed over a non-secure LDAP connection.

ANR Search Filters

Characters 1, 2, and 4 are used to modify the behavior of ANR search filters. If character 1 is set to '1', then the expansion of the ANR filter to include GivenName - Surname (when space is found) is disabled. If character 2 is set to '1', the expansion of the ANR filter to include Surname - GivenName is disabled. If an embedded space is present in the search string, the search string will normally be divided into two strings, which are compared pair-wise against the GivenName and Surname attributes. Setting characters 1 and 2 to '1' will prevent those matches from being attempted. This matching might be disabled if the administrator is confident that searches for "Jeff Smith" would always be provided as "jeff smith" and not "smith, jeff". Normally only one or the other match would be suppressed, according to local convention.

If character 4 is set to '1', Active Directory performs "pre-emptive nickname resolution". That is, if the search string exactly matches the nickname of exactly one object in the search scope, that one object is returned as the result of the search and the rest of ANR is skipped. Note that while the rest of ANR searching is available through LDAP, pre-emptive nickname resolution (also known as "nickname snap") is available only through MAPI.
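The following is an added example, not code from the original page or from Microsoft: it decodes a dSHeuristics string according to the rules above (unset characters read as '0', every tenth character is a check digit) and reports the documented settings that are not at their default, singling out those that widen what anonymous or cleartext LDAP clients can do. The sample strings are constructed; function names and the `DOCUMENTED` table are this example's own.

```python
from __future__ import annotations

# Settings documented on this page, keyed by 1-based character position.
# Positions 5, 6, 8, 11 and 12 are reserved or internal and are not decoded.
DOCUMENTED = {
    1: "ANR: GivenName-Surname expansion disabled when '1'",
    2: "ANR: Surname-GivenName expansion disabled when '1'",
    3: "List Object mode: ADS_RIGHT_ACTRL_DS_LIST honoured on child objects when '1'",
    4: "ANR: pre-emptive nickname resolution (MAPI only) when '1'",
    7: "Anonymous LDAP: any ACL-permitted operation allowed when '2'",
    9: "User-Password: '1' = real password attribute, '2' = Windows 2000 behaviour",
    13: "ADAM: password operations over a non-secure LDAP connection when not '0'",
}

def char_at(value: str, position: int) -> str:
    """Setting character at a 1-based position; characters beyond the string are '0'."""
    if position < 1:
        raise ValueError("positions are 1-based")
    return value[position - 1] if position <= len(value) else "0"

def validate(value: str) -> list[str]:
    """Check the rule that character 10 is '1', character 20 is '2', and so on."""
    problems = []
    for pos in range(10, len(value) + 1, 10):
        expected = str(pos // 10)
        if value[pos - 1] != expected:
            problems.append(f"character {pos} is {value[pos - 1]!r}, expected {expected!r}")
    return problems

def non_default(value: str) -> dict[int, str]:
    """Documented positions whose character is not the default '0', with the character set."""
    return {pos: char_at(value, pos) for pos in DOCUMENTED if char_at(value, pos) != "0"}

def exposure_findings(value: str) -> list[str]:
    """Settings on this page that relax authentication or confidentiality requirements."""
    findings = []
    if char_at(value, 7) == "2":
        findings.append("character 7 = '2': anonymous LDAP clients may perform any ACL-permitted operation")
    if char_at(value, 9) == "2":
        findings.append("character 9 = '2': User-Password is a readable string (Windows 2000 behaviour)")
    if char_at(value, 13) != "0":
        findings.append("character 13 != '0': ADAM allows password operations over non-secure LDAP")
    return findings

if __name__ == "__main__":
    sample = "0010002001001"  # constructed: List Object mode on, anonymous LDAP on, ADAM char 13 set
    print("check-digit problems:", validate(sample))
    for pos, ch in non_default(sample).items():
        print(f"char {pos} = {ch!r}: {DOCUMENTED[pos]}")
    print("findings:", exposure_findings(sample))
```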

© 2014 Microsoft