LDAP policies


Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8

Sets the Lightweight Directory Access Protocol (LDAP) administration limits for the Default-Query Policy object. At the LDAP policies: prompt, type any of the parameters listed under Syntax.

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.


{cancel changes | commit changes} {list | set %s1 to %s2 | show values}




cancel changes

Cancels any uncommitted modifications of the LDAP administration limits to the default query policy.

commit changes

Commits all modifications of the LDAP administration limits to the default query policy.


Invokes the Server connections submenu.


Lists all supported LDAP administration limits for the domain controller.

set %s1 to %s2

Sets the value of the LDAP administration limit %s1 to the value %s2.

show values

Shows the current and proposed values for the LDAP administration limits.


An alphanumeric variable, such as a domain or domain controller name.


Takes you back to the previous menu, or exits the utility.


Displays Help at the command prompt.


Displays Help at the command prompt.


  • The following table lists and describes the LDAP administration limits, with default values noted in parentheses.




    Initial receive time-out (120 seconds)


    Maximum number of open connections (5000)


    Maximum amount of time a connection can be idle (900 seconds)


    Maximum number of notifications that a client can request for a given connection (5)


    Maximum page size supported for LDAP responses (1000 records)


    Maximum length of time the domain controller can execute a query (120 seconds)


    Maximum size of temporary storage allocated to execute queries (10,000 records)


    Maximum size of the LDAP Result Set (262144 bytes)


    Maximum number of threads created by the domain controller for query execution (4 per processor)


    Maximum number of datagrams that can be processed by the domain controller simultaneously (1024)


    The maximum size, in bytes, of a request that the server will accept (10,485,760 bytes)


    The maximum number of values that can be retrieved from a multivalued attribute in a single search request (1500 values). This policy is available only in Windows Server 2003 and Windows Server 2008.

  • To ensure that domain controllers can support service-level guarantees, you can specify operational limits for a number of LDAP operations. These limits prevent specific operations from adversely impacting the performance of the server and also make the server resilient to denial-of-service attacks.

    LDAP policies are implemented by using objects of the class queryPolicy. Query Policy objects can be created in the container Query Policies, which is a child of the Directory Service container in the configuration directory partition, for example, CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services (configuration directory partition).

    A domain controller uses the following three mechanisms to apply LDAP policies:

    • A domain controller might refer to a specific LDAP policy. The NTDS Settings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.

    • In the absence of a specific query policy being applied to a domain controller, the domain controller applies the Query Policy that has been assigned to the domain controller's site. The ntDSSiteSettings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.

    • In the absence of a specific domain controller or site Query Policy, a domain controller uses the default query policy named Default-Query Policy.

      A Query Policy object includes the multivalued attributes LDAPIPDenyList and LDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP administration limits and IP Deny list for the Default-Query Policy object.

    • Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles.


To show the current ldap policy values, type the following command, and then press ENTER:

ldap policy: show values

Additional references

Command-Line Syntax Key



authoritative restore

configurable settings

DS behavior


group membership evaluation


LDAP policies

local roles

metadata cleanup

partition management


security account management

semantic database analysis

set DSRM password