3.1.1.3.4.1 LDAP Extended Controls
LDAP extended controls are an extensibility mechanism in version 3 of LDAP, as discussed in [RFC2251] section 4.1.12. The following sections describe the LDAP extended controls implemented by DCs in Windows 2000 operating system and later (both AD DS and AD LDS).
The LDAP extended controls supported by a DC are exposed as OIDs in the supportedControl attribute of the rootDSE. Each OID corresponds to a human-readable name, as shown in the following table.
-
Extended control name
OID
LDAP_PAGED_RESULT_OID_STRING
1.2.840.113556.1.4.319
LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID
1.2.840.113556.1.4.521
LDAP_SERVER_DIRSYNC_OID
1.2.840.113556.1.4.841
LDAP_SERVER_DOMAIN_SCOPE_OID
1.2.840.113556.1.4.1339
LDAP_SERVER_EXTENDED_DN_OID
1.2.840.113556.1.4.529
LDAP_SERVER_GET_STATS_OID
1.2.840.113556.1.4.970
LDAP_SERVER_LAZY_COMMIT_OID
1.2.840.113556.1.4.619
LDAP_SERVER_PERMISSIVE_MODIFY_OID
1.2.840.113556.1.4.1413
LDAP_SERVER_NOTIFICATION_OID
1.2.840.113556.1.4.528
LDAP_SERVER_RESP_SORT_OID
1.2.840.113556.1.4.474
LDAP_SERVER_SD_FLAGS_OID
1.2.840.113556.1.4.801
LDAP_SERVER_SEARCH_OPTIONS_OID
1.2.840.113556.1.4.1340
LDAP_SERVER_SORT_OID
1.2.840.113556.1.4.473
LDAP_SERVER_SHOW_DELETED_OID
1.2.840.113556.1.4.417
LDAP_SERVER_TREE_DELETE_OID
1.2.840.113556.1.4.805
LDAP_SERVER_VERIFY_NAME_OID
1.2.840.113556.1.4.1338
LDAP_CONTROL_VLVREQUEST
2.16.840.1.113730.3.4.9
LDAP_CONTROL_VLVRESPONSE
2.16.840.1.113730.3.4.10
LDAP_SERVER_ASQ_OID
1.2.840.113556.1.4.1504
LDAP_SERVER_QUOTA_CONTROL_OID
1.2.840.113556.1.4.1852
LDAP_SERVER_RANGE_OPTION_OID
1.2.840.113556.1.4.802
LDAP_SERVER_SHUTDOWN_NOTIFY_OID
1.2.840.113556.1.4.1907
LDAP_SERVER_FORCE_UPDATE_OID
1.2.840.113556.1.4.1974
LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID
1.2.840.113556.1.4.1948
LDAP_SERVER_RODC_DCPROMO_OID
1.2.840.113556.1.4.1341
LDAP_SERVER_DN_INPUT_OID
1.2.840.113556.1.4.2026
LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID
1.2.840.113556.1.4.2065
LDAP_SERVER_SHOW_RECYCLED_OID
1.2.840.113556.1.4.2064
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID
1.2.840.113556.1.4.2066
LDAP_SERVER_DIRSYNC_EX_OID
1.2.840.113556.1.4.2090
LDAP_SERVER_UPDATE_STATS_OID
1.2.840.113556.1.4.2205
LDAP_SERVER_TREE_DELETE_EX_OID
1.2.840.113556.1.4.2204
LDAP_SERVER_SEARCH_HINTS_OID
1.2.840.113556.1.4.2206
LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID
1.2.840.113556.1.4.2211
LDAP_SERVER_POLICY_HINTS_OID
1.2.840.113556.1.4.2239
LDAP_SERVER_SET_OWNER_OID
1.2.840.113556.1.4.2255
LDAP_SERVER_BYPASS_QUOTA_OID
1.2.840.113556.1.4.2256
LDAP_SERVER_LINK_TTL_OID
1.2.840.113556.1.4.2309
LDAP_SERVER_SET_CORRELATION_ID_OID
1.2.840.113556.1.4.2330
LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID
1.2.840.113556.1.4.2354
The following table lists the set of LDAP extended controls supported in applicable Windows Server releases or Active Directory Application Mode (ADAM) versions.
The table contains information for the following products. See section 3 for more information.
A --> Windows 2000
D --> Windows Server 2003 operating system
E --> Windows Server 2003 operating system with Service Pack 1 (SP1)
DR2 --> Windows Server 2003 R2 operating system
H --> ADAM RTW
I --> ADAM SP1
J --> Windows Server 2008 operating system
M --> Windows Server 2008 R2 operating system
R --> Windows Server 2012 operating system
U --> Windows Server 2012 R2 operating system
X --> Windows Server 2016 operating system
A2 --> Windows Server v1709 operating system
D2 --> Windows Server v1803 operating system
G2 --> Windows Server v1809 operating system
J2 --> Windows Server 2019 operating system
Extended control name
A
D
E, DR2
H
I
J
M
R
U
X, A2
D2, G2, J2
LDAP_PAGED_RESULT_OID_STRING
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_DIRSYNC_OID***
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_DOMAIN_SCOPE_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_EXTENDED_DN_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_GET_STATS_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_LAZY_COMMIT_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_PERMISSIVE_MODIFY_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_NOTIFICATION_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_RANGE_OPTION_OID*
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_RESP_SORT_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_SD_FLAGS_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_SEARCH_OPTIONS_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_SORT_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_SHOW_DELETED_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_TREE_DELETE_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_VERIFY_NAME_OID
X
X
X
X
X
X
X
X
X
X
X
LDAP_CONTROL_VLVREQUEST
X
X
X
X
X
X
X
X
X
X
LDAP_CONTROL_VLVRESPONSE
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_ASQ_OID
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_QUOTA_CONTROL_OID
X
X
X
X
X
X
X
X
X
X
LDAP_SERVER_SHUTDOWN_NOTIFY_OID**
X
X
X
X
X
X
X
X
LDAP_SERVER_FORCE_UPDATE_OID
X
X
X
X
X
X
LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID
X
X
X
X
X
X
X
LDAP_SERVER_RODC_DCPROMO_OID
X
X
X
X
X
X
LDAP_SERVER_DN_INPUT_OID
X
X
X
X
X
X
LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID
X
X
X
X
X
LDAP_SERVER_SHOW_RECYCLED_OID
X
X
X
X
X
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID
X
X
X
X
X
LDAP_SERVER_DIRSYNC_EX_OID***
X
X
X
X
LDAP_SERVER_UPDATE_STATS_OID
X
X
X
X
LDAP_SERVER_TREE_DELETE_EX_OID
X
X
X
X
LDAP_SERVER_SEARCH_HINTS_OID
X
X
X
X
LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID
X
X
X
X
LDAP_SERVER_POLICY_HINTS_OID
X
X
X
X
LDAP_SERVER_SET_OWNER_OID
X
X
X
LDAP_SERVER_BYPASS_QUOTA_OID
X
X
X
LDAP_SERVER_LINK_TTL_OID
X
X
LDAP_SERVER_SET_CORRELATION_ID_OID
X
LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID
X
* This OID does not identify an LDAP extended control. Its presence in the supportedControl attribute indicates that the DC is capable of range retrieval (see section 3.1.1.3.1.3.3) of LDAP multivalued attributes. However, its absence does not indicate lack of support for range retrieval. This OID is not present in the supportedControl attribute of Windows 2000 DCs, but those DCs do support range retrieval.
** Although exposed on the supportedControl attribute of Windows Server 2003 with SP1 and Windows Server 2003 R2 and later DCs, this control is only functional on DCs running the Small Business Server version of that operating system.
*** These two OID values are mutually exclusive. If used together in a request, a protocolError / <unrestricted> is returned.
A client sends a control to the DC by attaching a Control structure (defined in [RFC2251] section 4.1.12) to an LDAP operation. The client sets the controlType field to the control's OID and the controlValue field as specified in the discussion for the control that follows. If the controlValue field contains data that is not in conformance with the specification of the control, including the case where the controlValue field contains data and the specification of the control states that the controlValue field is omitted, then if the control is marked critical the server returns the error unavailableCriticalExtension / ERROR_INVALID_PARAMETER. If the controlValue field is incorrect but the control is not marked critical, the server ignores the control.
A control sent by the client to a DC is known as a request control. In some cases, the server includes a corresponding Control structure attached to the response for the LDAP operation. These controls, known as response controls, are discussed below in conjunction with the request control that causes that response control to be returned.
A brief description of each LDAP control is given in the following table. Additionally, each control is discussed in more detail in the sections that follow. References to ASN.1 and BER encoding in the following section are references to [ITUX680] and [ITUX690], respectively.
|
Extended control name |
Description |
|---|---|
|
LDAP_PAGED_RESULT_OID_STRING |
Splits the results of an LDAP search across multiple result sets. |
|
LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID |
Used with an LDAP Modify DN operation to move an object from one domain to another domain. |
|
LDAP_SERVER_DIRSYNC_OID |
Used with an LDAP search operation to retrieve the changes made to objects since a previous LDAP_SERVER_DIRSYNC_OID search was performed. |
|
LDAP_SERVER_DOMAIN_SCOPE_OID |
Instructs the DC not to generate LDAP continuation references in response to a search operation. |
|
LDAP_SERVER_EXTENDED_DN_OID |
Used to request than an LDAP search operation return DNs in an extended format containing the values of the objectGUID and objectSid attributes. |
|
LDAP_SERVER_GET_STATS_OID |
Used with an LDAP search request to instruct the DC to return statistical data related to how the search was performed. |
|
LDAP_SERVER_LAZY_COMMIT_OID |
Instructs the DC that it MAY sacrifice durability guarantees on updates to improve performance. |
|
LDAP_SERVER_PERMISSIVE_MODIFY_OID |
Instructs the DC that an LDAP modify MUST succeed even if it attempts to add a value already present on the attribute or remove a value not present on the attribute. |
|
LDAP_SERVER_NOTIFICATION_OID |
Used with an LDAP search operation to register the client to be notified when changes are made to an object in the directory. |
|
LDAP_SERVER_SD_FLAGS_OID |
Instructs the DC which portions of a Windows security descriptor to either retrieve during an LDAP search operation or to set during an LDAP modify operation. |
|
LDAP_SERVER_SEARCH_OPTIONS_OID |
Used to pass flags to the DC to control search behaviors; specifically, to prevent LDAP continuation references from being generated and to search all NC replicas that are subordinate to the search base, even if the search base is not instantiated on the DC. |
|
LDAP_SERVER_SORT_OID and LDAP_SERVER_RESP_SORT_OID |
Request and response controls, respectively, for instructing the DC to sort the search results. |
|
LDAP_SERVER_SHOW_DELETED_OID |
Used with an LDAP operation to specify that tombstones and deleted-objects are visible to the operation. |
|
LDAP_SERVER_TREE_DELETE_OID |
Used with an LDAP delete operation to cause the server to recursively delete the entire subtree of objects located under the object specified in the search request (including the specified object). |
|
LDAP_SERVER_VERIFY_NAME_OID |
Permits the client to specify which GC the DC is to use when processing an add or modify request to verify the existence of any objects pointed to by DN attribute values. |
|
LDAP_CONTROL_VLVREQUEST and LDAP_CONTROL_VLVRESPONSE |
Request and response control, respectively, used with an LDAP search operation to retrieve a "sliding window" subset of the objects that satisfy the search request. |
|
LDAP_SERVER_ASQ_OID |
Used to specify that an LDAP search operation MUST not be performed against the object specified as the base in the search, but rather against the set of objects named by a specified attribute of Object(DS-DN) syntax on the base object. |
|
LDAP_SERVER_QUOTA_CONTROL_OID |
Used with an LDAP search operation to retrieve the quota of a user. |
|
LDAP_SERVER_RANGE_OPTION_OID |
Indicates that the server is capable of range retrieval (see section 3.1.1.3.1.3.3). |
|
LDAP_SERVER_SHUTDOWN_NOTIFY_OID |
Used with an LDAP search operation to cause the client to be notified when the DC is shutting down. |
|
LDAP_SERVER_FORCE_UPDATE_OID |
When attached to an LDAP update operation, causes the DC to perform the update even if that update would not affect the state of the DC. |
|
LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID |
Instructs the DC that, when performing a search using range retrieval (see section 3.1.1.3.1.3.3) on an attribute whose values are forward link values or back link values and the value of low is greater than or equal to the number of values in the attribute, no error is to be returned. |
|
LDAP_SERVER_RODC_DCPROMO_OID |
This control is used as part of the process of promoting a computer to be an RODC. |
|
LDAP_SERVER_DN_INPUT_OID |
This control is used to specify the DN of an object during an LDAP operation. Currently this control is used only while retrieving the constructed attribute msDS-IsUserCachableAtRodc (see section 3.1.1.3.4.1.24). |
|
LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID |
Used with an LDAP search operation to specify that link attributes that refer to deleted-objects are visible to the search operation. If used in conjunction with LDAP_SERVER_SHOW_DELETED_OID or LDAP_SERVER_SHOW_RECYCLED_OID, link attributes that are stored on deleted-objects are also visible to the search operation. This applies both to the search filter and the set of attributes returned by the search operation. |
|
LDAP_SERVER_SHOW_RECYCLED_OID |
Used with an LDAP operation to specify that tombstones, deleted-objects, and recycled-objects are visible to the operation. |
|
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID |
The LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID control has the exact semantics and behaviors as LDAP_SERVER_POLICY_HINTS_OID (section 3.1.1.3.4.1.27); this control MAY be used by clients when the server does not support LDAP_SERVER_POLICY_HINTS_OID. Clients SHOULD use LDAP_SERVER_POLICY_HINTS_OID when it is supported by the server. |
|
LDAP_SERVER_DIRSYNC_EX_OID |
Used with an LDAP search operation to retrieve the changes made to objects since a previous LDAP_SERVER_DIRSYNC_EX_OID search was performed. |
|
LDAP_SERVER_UPDATE_STATS_OID |
The LDAP_SERVER_UPDATE_STATS_OID control indicates that the requester requires statistics from the DC. |
|
LDAP_SERVER_TREE_DELETE_EX_OID |
Used with an LDAP delete operation to cause the server to recursively delete the entire subtree of objects, up to a specified number of objects, located under the object specified in the search request (including the specified object). |
|
LDAP_SERVER_SEARCH_HINTS_OID |
Provides hints to the DC during LDAP search operations. |
|
LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID |
Monitors the result of an LDAP search operation and potentially modifies the return code. |
|
LDAP_SERVER_POLICY_HINTS_OID |
Used with an LDAP operation to enforce password history policies during password set. |
|
LDAP_SERVER_SET_OWNER_OID |
Used with an LDAP add operation to set the owner of the object to a SID other than that of the requester. |
|
LDAP_SERVER_BYPASS_QUOTA_OID |
Used with an LDAP add operation to specify that quota limits do not apply for the add operation. |
|
LDAP_SERVER_LINK_TTL_OID |
Used to request that an LDAP search operation return link values in the TTL-DN form. |
|
LDAP_SERVER_SET_CORRELATION_ID_OID |
Allows the caller to provide an identifier that a DC can use for implementation-defined troubleshooting. |
|
LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID |
Allows the caller to provide a request to the DC to perform additional implementation-defined troubleshooting. |
Note: The Extended Control Name LDAP_SERVER_SD_FLAGS_OID impacts the portions of the Windows security descriptor to retrieve during an LDAP search or to set during an LDAP modify operation, as supported on the operating systems specified in [MSFT-CVE-2021-42291]; each with its related MSKB article download installed. This feature is also supported in Windows 11, version 22H2 operating system and later.