In each solution below, I’ll show how to set the DynamicObjectDefaultTTL setting to 172800. DynamicObjectMinTTL can be done in the same manner.
Open ADSI Edit.
Right-click on ADSI Edit in the right pane and click Connect to . . .
Fill in the information for the naming context for your forest. Click on the Advanced button if you need to enter alternate credentials.
In the left pane, browse to the following path under the Configuration naming context: Services → Windows NT → Directory Service.
cn=Directory Service and select
and click Remove.
The attribute/value pair should have been populated in the “Value to add” field.
Edit the number part of the value to be 172800.
Click OK twice.
<DomainControllerName>, displays the
current values for the dynamic object TTL settings, sets the DynamicObjectDefaultTTL to 172800, commits the change, and displays the results:
> ntdsutil "config settings" connections "connect to server <DomainControllerName>" q "show values" "set DynamicObjectDefaultTTL to 172800" "commit changes" "show values" q q
' This code modifies the default TTL setting for dynamic objects in a forest
' ------ SCRIPT CONFIGURATION ------
strNewValue = 172800
' Could be DynamicObjectMinTTL if you wanted to set that instead
strTTLSetting = "DynamicObjectDefaultTTL"
' ------ END CONFIGURATION ---------

const ADS_PROPERTY_APPEND = 3
const ADS_PROPERTY_DELETE = 4

' Bind to the Directory Service object in the Configuration naming context
set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject("LDAP://CN=Directory Service,CN=Windows NT," & _
                      "CN=Services,CN=Configuration," & _
                      objRootDSE.Get("rootDomainNamingContext"))

' Delete any existing value for the setting, leaving the other AVAs in place
for each strVal in objDS.Get("msDS-Other-Settings")
   Set objRegEx = New RegExp
   objRegEx.Pattern = strTTLSetting & "="
   objRegEx.IgnoreCase = True
   Set colMatches = objRegEx.Execute(strVal)
   For Each objMatch in colMatches
      Wscript.Echo "Deleting " & strVal
      objDS.PutEx ADS_PROPERTY_DELETE, "msDS-Other-Settings", Array(strVal)
      objDS.SetInfo
   Next
Next

' Append the new value in the same Setting=Value format
Wscript.Echo "Setting " & strTTLSetting & "=" & strNewValue
objDS.PutEx ADS_PROPERTY_APPEND, _
            "msDS-Other-Settings", _
            Array(strTTLSetting & "=" & strNewValue)
objDS.SetInfo
Two configuration settings apply to dynamic objects:
DynamicObjectDefaultTTL: Defines the default TTL that is set for a dynamic object at creation time unless another one is set via
DynamicObjectMinTTL: Defines the smallest TTL that can be configured for a dynamic object.
Unfortunately, these two settings are not stored as discrete attributes. Instead, they are stored as attribute-value-assertions (AVA) in the msDS-Other-Settings attribute on the object. AVAs are used occasionally in Active Directory on multivalued attributes, in which the values take the form of
For this reason, you cannot simply manipulate AVA attributes as you would another attribute. You have to be sure to add or replace values in the same format in which they existed previously.
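The same delete-then-append handling of msDS-Other-Settings, as an added PowerShell example that is not part of the original recipe. It assumes the ActiveDirectory module (RSAT) is installed; the function names Get-AvaChange and Set-DynamicObjectTtl are hypothetical, and the sample values at the end are constructed.

```powershell
# Added example, not from the original recipe. Get-AvaChange and
# Set-DynamicObjectTtl are hypothetical helper names.

function Get-AvaChange {
    # Pure helper: from the current msDS-Other-Settings values, work out which
    # values to remove and which to add so one "<Name>=<Value>" entry remains.
    param(
        [string[]]$Current,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    $new = "$Name=$Value"
    # Match on the "<Name>=" prefix only; every other AVA is left untouched.
    $old = @($Current | Where-Object { $_ -like "$Name=*" })
    if ($old.Count -eq 1 -and $old[0] -eq $new) {
        return @{ Remove = @(); Add = @() }   # already set, nothing to write
    }
    return @{ Remove = $old; Add = @($new) }
}

function Set-DynamicObjectTtl {
    # Requires the ActiveDirectory module (RSAT). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('DynamicObjectDefaultTTL', 'DynamicObjectMinTTL')]
        [string]$Name = 'DynamicObjectDefaultTTL',
        [Parameter(Mandatory)][int]$Value
    )
    $dn  = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
           (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -Identity $dn -Properties 'msDS-Other-Settings'
    $chg = Get-AvaChange -Current @($obj.'msDS-Other-Settings') -Name $Name -Value $Value
    if (-not $chg.Add) { Write-Verbose "$Name is already $Value"; return }

    # Set-ADObject applies -Remove before -Add when both are given.
    $params = @{ Identity = $dn; Add = @{ 'msDS-Other-Settings' = $chg.Add } }
    if ($chg.Remove) { $params.Remove = @{ 'msDS-Other-Settings' = $chg.Remove } }
    Set-ADObject @params
}

# Constructed sample values (not read from a real forest); runs without AD.
$sample = 'DynamicObjectDefaultTTL=86400', 'DynamicObjectMinTTL=900', 'OtherSetting=1'
$c = Get-AvaChange -Current $sample -Name 'DynamicObjectDefaultTTL' -Value 172800
"remove: $($c.Remove -join ', ') | add: $($c.Add -join ', ')"
```

Running `Set-DynamicObjectTtl -Value 172800 -WhatIf` previews the change against the directory without writing it.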
You can use ntdsutil in interactive mode or in single-command mode. In this solution, I’ve included all the necessary commands on a single line. You can, of course, step through each command by simply running ntdsutil in interactive mode and entering each command one by one.
Because we are dealing with AVAs, the VBScript solution is not very straightforward. Getting a pointer to the Directory Service object is easy, but then we must step through each value of the msDS-Other-Settings attribute until we find the one we are looking for. The reason it is not straightforward is that we do not know the exact value of the setting we are looking for. All we know is that it begins with DynamicObjectDefaultTTL=. That is why it is necessary to resort to regular expressions. With a regular expression, we can compare each value against DynamicObjectDefaultTTL= and if we find a match, delete that value only. After we’ve iterated through all of the values and hopefully deleted the one we are looking for, we append the new setting using PutEx. Simple as
Recipe 4.11 for modifying an object and MSDN: Regular Expression (RegExp) Object