In each solution below, I'll show how to set the DynamicObjectDefaultTTL setting to 172800. Modifying the DynamicObjectMinTTL can be done in the same manner.
1. Open ADSI Edit.
2. If an entry for the Configuration naming context is not already displayed, do the following:
   a. Right-click on ADSI Edit in the right pane and click Connect to . . .
   b. Fill in the information for the naming context for your forest. Click on the Advanced button if you need to enter alternate credentials.
3. In the left pane, browse to the following path under the Configuration naming context: Services → Windows NT → Directory Service.
4. Right-click cn=Directory Service and select Properties.
5. Edit the msDS-Other-Settings attribute.
6. Click on DynamicObjectDefaultTTL=<xxxxx> and click Remove.
7. The attribute/value pair should now be populated in the "Value to add" field. Edit the number part of the value to be 172800.
8. Click Add.
9. Click OK twice.
The following ntdsutil command connects to <DomainControllerName>, displays the current values for the dynamic object TTL settings, sets the DynamicObjectDefaultTTL to 172800, commits the change, and displays the results:
> ntdsutil "config settings" connections "connect to server <DomainControllerName>" q "show values" "set DynamicObjectDefaultTTL to 172800" "commit changes" "show values" q q
' This code modifies the default TTL setting for dynamic objects in a forest
' ------ SCRIPT CONFIGURATION ------
strNewValue = 172800
' Use DynamicObjectMinTTL here instead if you want to set the minimum TTL
strTTLSetting = "DynamicObjectDefaultTTL"
' ------ END CONFIGURATION ---------

const ADS_PROPERTY_APPEND = 3
const ADS_PROPERTY_DELETE = 4

' Bind to the Directory Service object under the Configuration container
set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject("LDAP://CN=Directory Service,CN=Windows NT," & _
                      "CN=Services,CN=Configuration," & _
                      objRootDSE.Get("rootDomainNamingContext"))

' Walk every AVA in msDS-Other-Settings and delete the one for our setting
for each strVal in objDS.Get("msDS-Other-Settings")
   Set objRegEx = New RegExp
   ' Anchor the pattern so only a value that begins with "Setting=" matches
   objRegEx.Pattern = "^" & strTTLSetting & "="
   objRegEx.IgnoreCase = True
   Set colMatches = objRegEx.Execute(strVal)
   For Each objMatch in colMatches
      Wscript.Echo "Deleting " & strVal
      objDS.PutEx ADS_PROPERTY_DELETE, "msDS-Other-Settings", Array(strVal)
      objDS.SetInfo
   Next
Next

' Append the new AVA in the same Setting=Value format
Wscript.Echo "Setting " & strTTLSetting & "=" & strNewValue
objDS.PutEx ADS_PROPERTY_APPEND, _
            "msDS-Other-Settings", _
            Array(strTTLSetting & "=" & strNewValue)
objDS.SetInfo
Two configuration settings apply to dynamic objects:

- dynamicObjectDefaultTTL: Defines the default TTL that is set for a dynamic object at creation time unless another one is set via entryTTL.
- dynamicObjectMinTTL: Defines the smallest TTL that can be configured for a dynamic object.
Unfortunately, these two settings are not stored as discrete attributes. Instead, they are stored as attribute-value assertions (AVAs) in the msDS-Other-Settings attribute on the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN> object. AVAs are used occasionally in Active Directory on multivalued attributes, in which the values take the form Setting1=Value1, Setting2=Value2, etc.

For this reason, you cannot simply manipulate AVA attributes as you would another attribute. You have to be sure to add or replace values using the same Setting=Value format as the existing values.
You can use ntdsutil in interactive mode or in single-command mode. In this solution, I've included all the necessary commands on a single line. You can, of course, step through each command by simply running ntdsutil in interactive mode and entering each command one by one.
Because we are dealing with AVAs, the VBScript solution is not very straightforward. Getting a pointer to the Directory Service object is easy, but then we must step through each value of the msDS-Other-Settings attribute until we find the one we are looking for. The reason it is not straightforward is that we do not know the exact value of the setting we are looking for. All we know is that it begins with DynamicObjectDefaultTTL=. That is why it is necessary to resort to regular expressions. With a regular expression, we can compare each value against DynamicObjectDefaultTTL= and, if we find a match, delete that value only. After we've iterated through all of the values and hopefully deleted the one we are looking for, we append the new setting using PutEx. Simple as that!
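The AVA handling described in the two passages above (why msDS-Other-Settings cannot be edited like an ordinary attribute, and the delete-then-append loop of the VBScript) is easy to get subtly wrong, so here is an added example that is not the cookbook's own code. It plans the same delete-and-add modification against a constructed copy of the attribute's values so it runs offline; the sample value list, the DynamicObjectMinTTL sanity check and the function names are my own assumptions, and applying the plan to a real directory with an LDAP client is left to the caller.

```python
"""Plan an AVA replacement in msDS-Other-Settings without touching a directory.

Added example, not the cookbook's own code. It mirrors the delete-then-append
logic of the recipe's VBScript on a constructed copy of the attribute's
values, so it runs offline. Feeding the returned plan to a real LDAP client
(delete the old AVA, then add the new one) is up to the caller.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of msDS-Other-Settings values for a hypothetical forest.
SAMPLE_OTHER_SETTINGS: List[str] = [
    "DisableVLVSupport=0",
    "DynamicObjectDefaultTTL=86400",
    "DynamicObjectMinTTL=900",
]


def parse_avas(values: List[str]) -> Dict[str, str]:
    """Split each 'Setting=Value' AVA on its first '=' only.

    Keys are lower-cased because AD compares these setting names
    case-insensitively (the VBScript sets IgnoreCase for the same reason).
    """
    parsed: Dict[str, str] = {}
    for val in values:
        name, sep, raw = val.partition("=")
        if not sep or not name:
            raise ValueError(f"not a Setting=Value AVA: {val!r}")
        parsed[name.lower()] = raw
    return parsed


def plan_ava_update(values: List[str], setting: str, new_value) -> Tuple[List[str], str]:
    """Return (avas_to_delete, ava_to_add) for a single setting.

    The match is anchored at the start of the value and case-insensitive.
    Anchoring matters: a value that merely contains 'DynamicObjectDefaultTTL='
    somewhere inside it is left alone, only the AVA that begins with it goes.
    """
    pattern = re.compile("^" + re.escape(setting) + "=", re.IGNORECASE)
    to_delete = [v for v in values if pattern.match(v)]
    return to_delete, f"{setting}={new_value}"


def apply_plan(values: List[str], to_delete: List[str], to_add: str) -> List[str]:
    """Simulate the attribute contents after an LDAP delete followed by an add."""
    kept = [v for v in values if v not in to_delete]
    return kept + [to_add]


def set_dynamic_object_ttl(values: List[str], setting: str, seconds: int) -> List[str]:
    """Validate a TTL change, then return the resulting value list.

    Sanity checks (my assumptions, not rules stated in the recipe): the TTL
    must be positive, and a new DynamicObjectDefaultTTL may not fall below
    the DynamicObjectMinTTL already recorded in the attribute.
    """
    if seconds <= 0:
        raise ValueError("TTL must be a positive number of seconds")
    current = parse_avas(values)
    min_ttl = int(current.get("dynamicobjectminttl", "0"))
    if setting.lower() == "dynamicobjectdefaultttl" and seconds < min_ttl:
        raise ValueError(f"default TTL {seconds} is below DynamicObjectMinTTL {min_ttl}")
    to_delete, to_add = plan_ava_update(values, setting, seconds)
    return apply_plan(values, to_delete, to_add)


if __name__ == "__main__":
    # Same change the recipe makes: default TTL from one day to two days.
    to_delete, to_add = plan_ava_update(SAMPLE_OTHER_SETTINGS, "DynamicObjectDefaultTTL", 172800)
    print("delete:", to_delete)
    print("add:   ", to_add)
    print("result:", set_dynamic_object_ttl(SAMPLE_OTHER_SETTINGS, "DynamicObjectDefaultTTL", 172800))
```

The returned plan is deliberately two separate lists because that is how the change has to be issued over LDAP: a delete of the exact old value followed by an add of the new one, never a replace of the whole multivalued attribute, which would wipe every other AVA in msDS-Other-Settings.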
See also Recipe 4.11 for modifying an object, and MSDN: Regular Expression (RegExp) Object.