Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

regulating/restricting large LDAP queries in AD

Status
Not open for further replies.
MJanssen01

MJanssen01

MIS
Apr 6, 2005
22
NL
Hi,
More and more applications are able to use LDAP queries to retrieve information from Active Directy and use this info for the application.. In principle this is a good thing but....

At the moment we're experiencing performance issues (response times of DC's)because of applications running large queries against AD. Because we don't have any control over the implementation of such applications we need something to regulate(=restrict) the possibility of running large queries. Any ideas on how to achieve this (other then not giving them a domain user account) :)

thanx,
 
Sort by date Sort by votes
Hi,

Thanx for the reply... Yes, I've seen this article before... It's definitely an option if you wanted to regulate queries on a domain or site level. The ideal situation would be that you could link a securitygroup/users to that policy with rights to do large queries on AD.

That way anybody who wants to use custom build applications/queries on AD has to arrange the appropriate permissions with us to run large queries. Anyway, All were doing is finding a solution for a symptom. The real problem is poorly written software ;-) but that's not something we can change.

Have a look at the possible results in the link below
 
Upvote 0 Downvote
Consider placing a Dedicated DC in an isolated "Site" in AD. Then point all the servers that are querying AD to that server. By isolating the site, you can prevent normal authentication traffic. There are also some GPO policies that you can set up to prevent authentication traffic, but I think that this would be easier.

This of course is another bandaid, but at least users will be able to log in.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
292
suncit
suncit
ravalos
  • Locked
  • Question
Problem with PDFs in IIS
Replies
1
Views
453
gbaughma
gbaughma
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
136
DrB0b
DrB0b
Aquiles Vidal
  • Locked
  • Question
Web Browsers in Windows Server or Terminal Server
Replies
0
Views
255
Aquiles Vidal
Aquiles Vidal
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
192
DTGMI
DTGMI

Part and Inventory Search

Sponsor

Back
Top