6.1.1.2.4.1.2 dSHeuristics

dSHeuristics is a Unicode string attribute. Each character in the string represents a heuristic that is used to determine the behavior of Active Directory. These heuristics are described partly in this section and partly elsewhere in this specification.

The following constraints apply to the dSHeuristics string:

  • The order of the characters in the string is fixed; characters can be omitted only by truncating the string.

  • By default, the dSHeuristics attribute does not exist and, unless otherwise specified, the default value of each character in the dSHeuristics string is "0".

  • When modifying an existing dSHeuristics string, the values of all existing characters that are not of interest to the modification MUST be preserved.

These constraints are illustrated by the following examples.

  1. If dSHeuristics is not present or has length of zero, then the fSupFirstLastANR heuristic is FALSE.

  2. If dSHeuristics is only two Unicode characters long, then the fDoListObject heuristic, which would be represented by the third character in the string, is FALSE.

  3. Consider a scenario where the fSupFirstLastANR, fSupLastFirstANR, and fDoNickRes heuristics are required for certain system behaviors. The dSHeuristics string would then consist of at least four characters (fSupFirstLastANR, fSupLastFirstANR, fDoListObject, and fDoNickRes), even though the fDoListObject heuristic is not needed. An implementer would set the fDoListObject character to its default value of "0", as described earlier.

  4. Consider a scenario where anonymous LDAP operations to Active Directory need to be enabled. In this scenario, the seventh character of the dSHeuristics string, fLDAPBlockAnonOps, would be set to the character "2". If the dSHeuristics string already existed before this operation, no character other than the seventh would be modified. If the dSHeuristics string did not yet exist, the first through sixth characters would be set to their default values, resulting in a dSHeuristics string of "0000002".
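The three constraints and examples 3 and 4 above, carried out in code. This is an added illustration, not part of MS-ADTS; the function names are assumptions, and positions are 1-based as in the specification.

```python
# Added example, not MS-ADTS code. Positions are 1-based as in the specification;
# characters 10 and 20 are the tenthChar/twentiethChar sentinels, so padding
# fills them with "1"/"2" rather than "0". The functional-level-dependent
# default of character 7 (fLDAPBlockAnonOps) is not modelled.
SENTINELS = {10: "1", 20: "2"}

def default_char(position):
    """Default for a character that must be filled in when the string is extended."""
    return SENTINELS.get(position, "0")

def validate(value):
    """Raise ValueError for a value a DC would reject (section 3.1.1.5.3.2)."""
    for pos, required in SENTINELS.items():
        if len(value) >= pos and value[pos - 1] != required:
            raise ValueError(f"character {pos} must be {required!r}, got {value[pos - 1]!r}")
    return value

def set_heuristic(current, position, value):
    """Return `current` (None or "" when the attribute is absent) with character
    `position` set to `value`. Every other existing character is preserved and
    any gap before `position` is filled with defaults, never by truncation."""
    if position < 1 or len(value) != 1:
        raise ValueError("position is 1-based and value must be a single character")
    chars = list(current or "")
    while len(chars) < position:                  # pad up to the target position
        chars.append(default_char(len(chars) + 1))
    chars[position - 1] = value
    return validate("".join(chars))

def truncate_to(current, length):
    """The only way to omit characters: drop everything after `length`."""
    return validate((current or "")[:length])
```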

The following entries describe the characters of the dSHeuristics string, giving each character's number, name, and description.

Character 1: fSupFirstLastANR

If this character is "0", then the fSupFirstLastANR heuristic is FALSE; otherwise, the fSupFirstLastANR heuristic is TRUE.

Section 3.1.1.3.1.3.4 specifies the effects of this heuristic.

Character 2: fSupLastFirstANR

If this character is "0", then the fSupLastFirstANR heuristic is FALSE; otherwise, the fSupLastFirstANR heuristic is TRUE.

Section 3.1.1.3.1.3.4 specifies the effects of this heuristic.

Character 3: fDoListObject

If this character is "1", then the fDoListObject heuristic is TRUE; otherwise, the fDoListObject heuristic is FALSE.

Section 5.1.3.2 specifies the effects of this heuristic.

Character 4: fDoNickRes

If this character is "0", then the fDoNickRes heuristic is FALSE; otherwise, the fDoNickRes heuristic is TRUE.

The effects of the fDoNickRes heuristic are outside the state model. If the fDoNickRes heuristic is TRUE, an ANR request via MAPI attempts an exact match against the MAPI nickname attribute (the attribute with mAPIID equal to 0x3A00) before performing an ANR search (see section 3.1.1.3.1.3.4).

Character 5: fLDAPUsePermMod

If this character is "0", then the fLDAPUsePermMod heuristic is FALSE; otherwise, the fLDAPUsePermMod heuristic is TRUE.

If the fLDAPUsePermMod heuristic is TRUE, then all LDAP Modify operations behave as if the LDAP_SERVER_PERMISSIVE_MODIFY_OID control was passed. Section 3.1.1.3.4.1.8 specifies the effects of the LDAP_SERVER_PERMISSIVE_MODIFY_OID control.

Character 6: ulHideDSID

The ulHideDSID heuristic equates to the numeric value of this character; that is, character "0" equates to 0, character "1" equates to 1, and so on.

The ulHideDSID heuristic controls when DSIDs are returned in the LDAP extended error string when an operation encounters an error. If the heuristic is 0, then DSIDs will be returned at all times. If the heuristic is 1, then DSIDs will be returned as long as the error is not a name error where different DSIDs can reveal the existence of an object that is not visible to the client. If the heuristic is anything but 0 or 1, then DSIDs will not be returned at all.

A DSID consists of the string "DSID-", followed by an implementation-specific 32-bit integer expressed in hexadecimal. The integer identifies the execution point at which an error occurred.

Character 7: fLDAPBlockAnonOps

If this character is "2", then the fLDAPBlockAnonOps heuristic is FALSE; otherwise, the fLDAPBlockAnonOps heuristic is TRUE. If this character is not present in the string, it defaults to "2" when the DC functional level is less than DS_BEHAVIOR_WIN2003, and to "0" otherwise.

Section 5.1.3 specifies the effects of this heuristic.

Character 8: fAllowAnonNSPI

If this character is "0", then the fAllowAnonNSPI heuristic is FALSE; otherwise, the fAllowAnonNSPI heuristic is TRUE.

If the fAllowAnonNSPI heuristic is TRUE, allow anonymous calls to the name service provider interface (NSPI) RPC bind method. Otherwise, only allow authenticated clients.

Character 9: fUserPwdSupport

If this character is neither "0" nor "2", then the fUserPwdSupport heuristic is TRUE. If this character is "2", then the fUserPwdSupport heuristic is FALSE. If this character is "0", then the fUserPwdSupport heuristic is FALSE for AD DS and TRUE for AD LDS.

Sections 3.1.1.3.1.5.2 and 3.1.1.4.4 specify the effects of this heuristic.

Character 10: tenthChar

When setting dSHeuristics to a value that is 10 or more Unicode characters long, if the value of tenthChar is not character "1", the server rejects the update. See section 3.1.1.5.3.2.

Character 11: fSpecifyGUIDOnAdd

If this character is "0", then the fSpecifyGUIDOnAdd heuristic is FALSE; otherwise, the fSpecifyGUIDOnAdd heuristic is TRUE.

The fSpecifyGUIDOnAdd heuristic applies only to AD DS. AD LDS always treats this heuristic as if the character is "0"; that is, as if the fSpecifyGUIDOnAdd heuristic is FALSE.

Section 3.1.1.5.2.2 specifies the effects of this heuristic.

Character 12: fDontStandardizeSDs

If this character is "0", then the fDontStandardizeSDs heuristic is FALSE; otherwise, the fDontStandardizeSDs heuristic is TRUE.

Section 6.1.3 specifies the effects of this heuristic.

Character 13: fAllowPasswordOperationsOverNonSecureConnection

If this character is "0", then the fAllowPasswordOperationsOverNonSecureConnection heuristic is FALSE; otherwise, the fAllowPasswordOperationsOverNonSecureConnection heuristic is TRUE.

The fAllowPasswordOperationsOverNonSecureConnection heuristic applies only to AD LDS.

Sections 3.1.1.3.1.5.1, 3.1.1.5.2.2, and 3.1.1.5.3.2 specify the effects of this heuristic.

Character 14: fDontPropagateOnNoChangeUpdate

If this character is "0", then the fDontPropagateOnNoChangeUpdate heuristic is FALSE; otherwise, the fDontPropagateOnNoChangeUpdate heuristic is TRUE.

If the fDontPropagateOnNoChangeUpdate heuristic is TRUE, when the nTSecurityDescriptor attribute of an object is set to a value that is bitwise identical to the current value, no work item is enqueued for the task that updates the security descriptors on the children of a modified object in order to propagate inherited ACEs (section 6.1.3). If the fDontPropagateOnNoChangeUpdate heuristic is FALSE, a work item is always enqueued when the nTSecurityDescriptor attribute is modified.

The fDontPropagateOnNoChangeUpdate heuristic applies to Windows Server 2008 operating system and later. Windows 2000 Server operating system through Windows Server 2003 R2 operating system versions of Active Directory behave as if the fDontPropagateOnNoChangeUpdate heuristic is FALSE.

Character 15: fComputeANRStats

If this character is "0", then the fComputeANRStats heuristic is FALSE; otherwise, the fComputeANRStats heuristic is TRUE.

The effects of the fComputeANRStats heuristic are outside the state model. If the fComputeANRStats heuristic is TRUE, ANR searches (section 3.1.1.3.1.3.4) are optimized using cardinality estimates like all other searches.

Character 16: dwAdminSDExMask

The valid values for this character are from the set "0"–"9" and "a"–"f". The dwAdminSDExMask heuristic equals the character interpreted as a hex digit and converted into a 4-bit value (that is, "1"=0x1, "f"=0xF).

Section 3.1.1.6.1 specifies the effects of this heuristic.

Character 17: fKVNOEmuW2K

If this character is "0", then the fKVNOEmuW2K heuristic is FALSE; otherwise, the fKVNOEmuW2K heuristic is TRUE.

Section 3.1.1.4.5.16 specifies the effects of this heuristic.

Character 18: fLDAPBypassUpperBoundsOnLimits

If this character is "0", then the fLDAPBypassUpperBoundsOnLimits heuristic is FALSE; otherwise, the fLDAPBypassUpperBoundsOnLimits heuristic is TRUE.

If the fLDAPBypassUpperBoundsOnLimits heuristic is FALSE, DCs impose implementation-dependent limits when interpreting values of the LDAP policies specified in section 3.1.1.3.4.6. If the configured policy value exceeds the limit, the DC ignores the policy value and instead uses the implementation-dependent limit.

This heuristic applies to Windows Server 2008 and later. Windows 2000 Server through Windows Server 2003 R2 versions of Active Directory do not impose any such limits.

Character 19: fDisableAutoIndexingOnSchemaUpdate

If this character is "0", then the fDisableAutoIndexingOnSchemaUpdate heuristic is FALSE; otherwise, the fDisableAutoIndexingOnSchemaUpdate heuristic is TRUE. The effects of the fDisableAutoIndexingOnSchemaUpdate heuristic are outside the state model.

If the fDisableAutoIndexingOnSchemaUpdate heuristic is FALSE, DCs can initiate index creation upon detection of index-related changes to the searchFlags attribute (see section 2.2.10). If the fDisableAutoIndexingOnSchemaUpdate heuristic is TRUE, it is a hint to DCs that index creation can be delayed upon detection of index-related changes to the searchFlags attribute until either an administrator issues the schemaUpdateNow rootDSE modify operation, the DC is rebooted, or an implementation-dependent time period has elapsed.

This heuristic applies to Windows Server 2012 operating system and later. Windows 2000 Server through Windows Server 2008 R2 operating system do not implement support for this heuristic.

Character 20: twentiethChar

When setting dSHeuristics to a value that is 20 or more Unicode characters long, if the value of twentiethChar is not character "2", the server rejects the update. See section 3.1.1.5.3.2.

Character 21: DoNotVerifyUPNAndOrSPNUniqueness

In AD LDS, if this character is anything other than "0", AD LDS will not check values of userPrincipalName for uniqueness (section 3.1.1.5.2.2). In AD LDS, this heuristic applies to Windows Server 2003 operating system and later.

The following applies to AD DS only:

This heuristic value is converted to an unsigned integer, and the result is interpreted as a bitwise OR of the bits listed below.

In AD DS, this heuristic applies to Windows Server 2012 R2 operating system with [MSKB-3070083] installed.

Note: In AD DS, the DoNotVerifyUPNAndOrSPNUniqueness heuristic also applies to the operating systems specified in [MSFT-CVE-2021-42282], each with its related MSKB article download installed.

Bit 2 is supported with values between "0" and "7". Otherwise, only bits 0 and 1 are supported, meaning the supported values are between "0" and "3".

The heuristic value is interpreted as follows, with Bit 0 as the lowest bit:

  • Bit 0: AD DS will not check values of userPrincipalName (UPN) for uniqueness if this bit is set (section 3.1.1.5.1.3).

  • Bit 1: AD DS will not check values of servicePrincipalName (SPN) for uniqueness if this bit is set (section 3.1.1.5.1.3).

  • Bit 2: AD DS will not check values of SPN for alias uniqueness if this bit is set (section 3.1.1.5.1.3).

Characters 22-23: MinimumGetChangesRequestVersion

A hexadecimal value, ranging from "00" to "FF". This value controls the minimum version of the DRS_MSG_GETCHGREQ* structures the DC will send or accept. If the value is not set, the value "00" is used. When the value is "00", no restriction is enforced.

See [MS-DRSR] section 4.1.10.5.1.

Characters 24-25: MinimumGetChangesReplyVersion

A hex value, ranging from "00" to "FF". This value controls the minimum version of the DRS_MSG_GETCHGREPLY* structures the DC will send or accept. If the value is not set, the value "00" is used. When the value is "00", no restriction is enforced.

See [MS-DRSR] section 4.1.10.5.20.

Character 26: fLoadV1AddressBooksOnlySetting

If this character is "0", then the fLoadV1AddressBooksOnlySetting heuristic is FALSE; otherwise, the fLoadV1AddressBooksOnlySetting heuristic is TRUE.

If the fLoadV1AddressBooksOnlySetting heuristic is TRUE, then the hierarchy table used to support the MAPI address book is calculated using V1 attributes only, which means ignoring the V2 attributes "addressBookRoots2" and "templateRoots2".

If the fLoadV1AddressBooksOnlySetting heuristic is FALSE, then those V2 attributes are used. This heuristic applies to Windows 10 v1903 operating system and later and Windows Server v1903 operating system and later.

Character 27: fTreatTokenGroupsAsLDAPTransitiveAttribute

If this character is "0" (or not set), then the fTreatTokenGroupsAsLDAPTransitiveAttribute heuristic is FALSE; otherwise, the fTreatTokenGroupsAsLDAPTransitiveAttribute heuristic is TRUE.

This heuristic applies to Windows 10 v1903 and later and Windows Server v1903 and later. This heuristic also applies only to the number of values returned by the following constructed attributes:

  • 3.1.1.4.5.19: tokenGroups, tokenGroupsNoGCAcceptable

  • 3.1.1.4.5.42: msds-tokenGroupNames, msds-tokenGroupNamesNoGCAcceptable

  • 3.1.1.4.5.43: msds-tokenGroupNamesGlobalAndUniversal

  • 3.1.1.4.5.20: tokenGroupsGlobalAndUniversal

If fTreatTokenGroupsAsLDAPTransitiveAttribute is FALSE, then the number of values returned is defined by the "MaxValRange" LDAP policy, as defined in section 3.1.1.3.4.6.

If fTreatTokenGroupsAsLDAPTransitiveAttribute is TRUE, then the number of values returned is defined by the "MaxValRangeTransitive" LDAP policy, as defined in section 3.1.1.3.4.6.

Note: The ability to use LDAP limits to configure the maximum number of objects returned by the msds-TokenGroup* family of constructed attributes is supported in Windows 11, version 22H2 operating system and later, and in the operating systems specified in [MSKB-5011543], [MSKB-5011551], [MSKB-5011558], and [MSKB-5011563], each with the corresponding KB package installed.

Character 28: AttributeAuthorizationOnLDAPAdd

If this character is "0", "1", or "2", the AttributeAuthorizationOnLDAPAdd heuristic is set to the equivalent numeric value (0, 1, or 2). If this character is not set, the AttributeAuthorizationOnLDAPAdd heuristic defaults to 0. If this character has any other value, the AttributeAuthorizationOnLDAPAdd heuristic defaults to 1.

See section 3.1.1.5.2.1.1.

Note: This heuristic is supported by the operating systems specified in [MSFT-CVE-2021-42291], each with the related MSKB article download installed.

Character 29: BlockOwnerImplicitRights

If this character is "0", "1", or "2", the BlockOwnerImplicitRights heuristic is set to the equivalent numeric value (0, 1, or 2). If this character is not set, the BlockOwnerImplicitRights heuristic defaults to 0. If this character has any other value, the BlockOwnerImplicitRights heuristic defaults to 1.

See sections 3.1.1.5.2.1.1 and 3.1.1.5.3.1.

Note: This heuristic is supported by the operating systems specified in [MSFT-CVE-2021-42291], each with the related MSKB article download installed.
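A decoder for the character table above, written here for auditing a DC's dSHeuristics value; it is an added example and not MS-ADTS code. It assumes a DC functional level of at least DS_BEHAVIOR_WIN2003 (so an absent character 7 reads as "0"), reads every absent character as its default, and leaves out the sentinel characters 10 and 20 and the characters with no bearing on exposure (14, 15, 17, 18, 19, 26, 27); the `ad_lds` flag selects the AD LDS readings given in the table.

```python
# Added example, not MS-ADTS code: ad_lds selects the AD LDS readings from the table.
def _c(s, pos):
    """1-based lookup; an absent character reads as the default "0"."""
    return s[pos - 1] if len(s) >= pos else "0"

def _tri(ch):
    # "0", "1", "2" map to 0, 1, 2; any other present character means 1.
    return int(ch) if ch in ("0", "1", "2") else 1

def decode_dsheuristics(value, ad_lds=False):
    s = value or ""
    c9 = _c(s, 9)
    return {
        "fSupFirstLastANR": _c(s, 1) != "0",
        "fSupLastFirstANR": _c(s, 2) != "0",
        "fDoListObject": _c(s, 3) == "1",                 # only "1" means TRUE
        "fDoNickRes": _c(s, 4) != "0",
        "fLDAPUsePermMod": _c(s, 5) != "0",
        "ulHideDSID": int(_c(s, 6)),
        "fLDAPBlockAnonOps": _c(s, 7) != "2",             # "2" lifts the block
        "fAllowAnonNSPI": _c(s, 8) != "0",
        "fUserPwdSupport": c9 != "2" if ad_lds else c9 not in ("0", "2"),
        "fSpecifyGUIDOnAdd": not ad_lds and _c(s, 11) != "0",    # AD DS only
        "fDontStandardizeSDs": _c(s, 12) != "0",
        "fAllowPasswordOperationsOverNonSecureConnection": ad_lds and _c(s, 13) != "0",
        "dwAdminSDExMask": int(_c(s, 16), 16),            # one hex digit
        "DoNotVerifyUPNAndOrSPNUniqueness": int(_c(s, 21)),   # bit field in AD DS
        "MinimumGetChangesRequestVersion": int(_c(s, 22) + _c(s, 23), 16),
        "MinimumGetChangesReplyVersion": int(_c(s, 24) + _c(s, 25), 16),
        "AttributeAuthorizationOnLDAPAdd": _tri(_c(s, 28)),
        "BlockOwnerImplicitRights": _tri(_c(s, 29)),
    }

def exposure_findings(h, ad_lds=False):
    """Settings from the table that relax an authentication or uniqueness check."""
    out = []
    if not h["fLDAPBlockAnonOps"]:
        out.append("anonymous LDAP operations allowed (character 7 is '2')")
    if h["fAllowAnonNSPI"]:
        out.append("anonymous NSPI RPC bind allowed (character 8)")
    if h["fAllowPasswordOperationsOverNonSecureConnection"]:
        out.append("password operations allowed over non-secure connections (character 13)")
    bits = h["DoNotVerifyUPNAndOrSPNUniqueness"]
    if ad_lds and bits:
        out.append("UPN uniqueness check disabled (character 21)")
    for bit, what in ((0, "UPN"), (1, "SPN"), (2, "SPN alias")):
        if not ad_lds and (bits >> bit) & 1:
            out.append(f"{what} uniqueness check disabled (character 21, bit {bit})")
    return out
```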