You want domain controllers to reject LDAP queries from certain IP addresses. This can be useful if you want to prohibit domain controllers from responding to LDAP queries for certain applications or hosts.
This option is not present in the Windows Server 2003 version of
The following adds network 10.0.0.0 with mask 255.255.255.0 to the IP deny list:
> ntdsutil "ipdeny list" conn "co t s <
DomainControllerName>" q IP Deny List: Add 10.0.0.0 255.255.255.0 * 10.0.0.0 GROUP MASK 255.255.255.0 NOTE: * | D - uncommitted addition | deletion IP Deny List: Commit  10.10.10.0 GROUP MASK 255.255.255.0 NOTE: * | D - uncommitted addition | deletion
The IP deny list is stored as an octet string in the
lDAPIPDenyList attribute of a query policy. See
Recipe 4.23 for more information on the LDAP
When the IP deny list is set, domain controllers that are using the
default query policy will not respond to LDAP queries from any IP
address specified in the deny list address range. To test whether a
certain IP address would be denied, run
x.x.x.x is an IP address, from the IP Deny
List: subcommand in
By setting the IP deny list on the default query policy, you would effectively restrict the IP address range from querying any domain controller in the forest. If you need to only restrict queries for a specific domain controller, you’ll need ...