Overview
Ntdsutil.exe can be used to view and modify the LDAP policy in Active Directory.

Example
The following example changes the MaxPageSize limit with Ntdsutil.exe. Active Directory enforces a MaxPageSize limit of 1000, which caps the number of records an LDAP search returns: whenever an LDAP search or query is made against the directory, no more than 1000 records come back. This limit is a deliberate security design that protects the domain controller from denial-of-service attacks via LDAP queries. If fewer than 1000 users are defined in the directory, no additional work is required, but for a large deployment the limit has to be raised on the domain controller with the Ntdsutil.exe utility. The following steps change the MaxPageSize value from 1000 to 3000:
```
C:\> ntdsutil
ntdsutil: ldap policies
ldap policy: connections
server connections: connect to server LAURA
Binding to LAURA ...
Connected to LAURA using credentials of locally logged on user.
server connections: q
ldap policy: show values

Policy                   Current(New)
MaxPoolThreads           4
MaxDatagramRecv          4096
MaxReceiveBuffer         10485760
InitRecvTimeout          120
MaxConnections           5000
MaxConnIdleTime          900
MaxPageSize              1000
MaxQueryDuration         120
MaxTempTableSize         10000
MaxResultSetSize         262144
MaxNotificationPerConn   5
MaxValRange              1500

ldap policy: set MaxPageSize to 3000
ldap policy: show values

Policy                   Current(New)
MaxPoolThreads           4
MaxDatagramRecv          4096
MaxReceiveBuffer         10485760
InitRecvTimeout          120
MaxConnections           5000
MaxConnIdleTime          900
MaxPageSize              1000(3000)
MaxQueryDuration         120
MaxTempTableSize         10000
MaxResultSetSize         262144
MaxNotificationPerConn   5
MaxValRange              1500

ldap policy: commit changes
ldap policy: q
ntdsutil: q
```

After running the commands above, LDAP searches can return more than 1000 users from the directory.
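Because MaxPageSize is a denial-of-service guard, a change like the one above should not go unnoticed. The following Python script is an added example, not part of the page's procedure: it parses the `show values` output format shown above (a constructed copy of the transcript, including the pending `1000(3000)` form), and reports every policy whose effective value departs from the pre-change baseline taken from the transcript.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the "show values" output from the transcript above,
# captured after "set MaxPageSize to 3000" but before "commit changes".
SAMPLE_OUTPUT = """\
Policy                   Current(New)
MaxPoolThreads           4
MaxDatagramRecv          4096
MaxReceiveBuffer         10485760
InitRecvTimeout          120
MaxConnections           5000
MaxConnIdleTime          900
MaxPageSize              1000(3000)
MaxQueryDuration         120
MaxTempTableSize         10000
MaxResultSetSize         262144
MaxNotificationPerConn   5
MaxValRange              1500
"""

# Baseline: the "Current" column the DC reported before any change was made.
BASELINE: Dict[str, int] = {
    "MaxPoolThreads": 4, "MaxDatagramRecv": 4096, "MaxReceiveBuffer": 10485760,
    "InitRecvTimeout": 120, "MaxConnections": 5000, "MaxConnIdleTime": 900,
    "MaxPageSize": 1000, "MaxQueryDuration": 120, "MaxTempTableSize": 10000,
    "MaxResultSetSize": 262144, "MaxNotificationPerConn": 5, "MaxValRange": 1500,
}

# One policy line: name, current value, optional pending "(new)" value.
LINE_RE = re.compile(r"^\s*(\w+)\s+(\d+)(?:\((\d+)\))?\s*$")

def parse_ldap_policy(text: str) -> Dict[str, Tuple[int, Optional[int]]]:
    """Map each policy name to (current, pending) from 'show values' output."""
    policy: Dict[str, Tuple[int, Optional[int]]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # the "Policy Current(New)" header has no numeric value, so it is skipped
            name, current, new = m.groups()
            policy[name] = (int(current), int(new) if new else None)
    return policy

def audit_ldap_policy(policy, baseline=BASELINE) -> List[Tuple[str, int, Optional[int], bool]]:
    """Return (name, baseline, effective, is_pending) for every policy that
    leaves the baseline; a pending value counts as effective since it takes
    effect on 'commit changes'. Missing policies are reported with None."""
    findings = []
    for name, expected in baseline.items():
        if name not in policy:
            findings.append((name, expected, None, False))
            continue
        current, new = policy[name]
        effective = new if new is not None else current
        if effective != expected:
            findings.append((name, expected, effective, new is not None))
    return findings
```

Feeding the script a freshly captured `show values` listing from each domain controller turns the one-off change above into a repeatable configuration check.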