Restricting Hosts from Performing LDAP Queries

Posted: March 28, 2010 in Active Directory, Security, Server, System Information
Tags: , ,


You want domain controllers to reject LDAP queries from certain IP addresses. This can be useful if you want to prohibit domain controllers from responding to LDAP queries for certain applications or hosts.


Using a command-line interface

The following adds network with mask to the IP deny list:

> ntdsutil “ipdeny list” conn “co t s <DomainControllerName>” q

IP Deny List: Add


NOTE: * | D – uncommitted addition | deletion

IP Deny List: Commit


NOTE: * | D – uncommitted addition | deletion


The IP deny list is stored as an octet string in the lDAPIPDenyList attribute of a query policy.

When the IP deny list is set, domain controllers that are using the default query policy will not respond to LDAP queries from any IP address specified in the deny list address range. To test whether a certain IP address would be denied, run Test x.x.x.x (where x.x.x.x is an IP address) from the IP Deny List subcommand in ntdsutil.

By setting the IP deny list on the default query policy, you would effectively restrict the IP address range from querying any domain controller in the forest. If you need to restrict queries only for a specific domain controller, you’ll need to create a new LDAP query policy and apply it to only the domain controller in question.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s