How To Use the Ntdsutil Utility to Deny Access to IP Addresses in Windows 2000 (314976)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q314976

SUMMARY

This step-by-step article describes how to use the Ntdsutil utility to add an IP address to the IP Deny list. To provide higher levels of security for the domain controller, you can apply an IP Deny List that prevents the domain controller from accepting Lightweight Directory Access Protocol (LDAP) queries from clients that have specific IP addresses. The IP Deny List is similar to LDAP administration limits; it only alters the Default LDAP Policy object. The default LDAP policy is applied to any domain controller that has not had a specific LDAP policy applied to it or to the site in which it belongs.

NOTE: To perform the procedure described in this article, you must be a member of the Administrators group on a system that is running Windows 2000 Server or Windows 2000 Advanced Server.

Ntdsutil is located in the Support tools folder on the Windows 2000 installation CD-ROM.


How to Start Ntdsutil

  1. Click Start, and then click Run.
  2. In the Open box, type ntdsutil, and then press ENTER. For more information about Ntdsutil, type a question mark (?) at the Ntdsutil command prompt, and then press ENTER to display the Help for the current menu.

How to Add an IP Address to the Deny List

  1. At the Ntdsutil command prompt, type IPDeny List, and then press ENTER.
  2. At the IP Deny List command prompt, type connections, and then press ENTER.
  3. At the server connections command prompt, type connect to server dns_name_of_server, and then press ENTER.

    NOTE: Connect to the domain controller that you are working on. Because the change is made to the Default LDAP Policy object, it also takes effect on every other domain controller that uses the default policy, not only on the server you connect to.
  4. At the server connections command prompt, type q, and then press ENTER to return to the previous menu.
  5. At the IP Deny List command prompt, type add ip_address mask (the address and the mask separated by a space), and then press ENTER.

    To deny a single host instead of a subnet, type node in place of the mask. Before you add an entry, make sure that the address or subnet does not include other domain controllers or the workstation you administer the domain from; the change is not active until you commit it, so you can still type cancel to discard it.
  6. At the IP Deny List command prompt, type commit, and then press ENTER to commit the change.

How to Verify the Addition

  1. At the IP Deny List command prompt, type Show, and then press ENTER.

    A list of all denied IP addresses is displayed.
  2. At the IP Deny List command prompt, type q, and then press ENTER.
  3. At the Ntdsutil command prompt, type q, and then press ENTER to quit Ntdsutil.
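The two procedures above can be run unattended by passing each menu command to Ntdsutil as a quoted command-line argument, which is the technique the referenced article 243267 describes. The following batch file is an added example, not part of this article: it adds one entry, commits it, and then checks the output of the show command for the address. The server name, address, mask and log file path are placeholders, and the script relies on the show output rather than on Ntdsutil's exit code, which this article does not document.

```batch
@echo off
rem ipdeny-add.cmd - added example, not from this article.
rem Adds one entry to the IP Deny List by passing the Ntdsutil
rem menu commands as arguments. Assumed usage (placeholders):
rem     ipdeny-add.cmd dc1.example.com 10.1.2.3 node
rem     ipdeny-add.cmd dc1.example.com 10.1.2.0 255.255.255.0

if "%~3"=="" (
    echo Usage: %~nx0 dns_name_of_server ip_address mask_or_node
    exit /b 1
)
set SERVER=%~1
set IPADDR=%~2
set MASK=%~3
set LOG=%TEMP%\ipdeny.log

rem Each quoted argument is one line of the interactive session:
rem IPDeny List, connections, connect to server, q, add, commit, show, q, q
ntdsutil "ipdeny list" connections "connect to server %SERVER%" q "add %IPADDR% %MASK%" commit show q q > "%LOG%" 2>&1

rem Verify the addition the same way the article does: the address
rem must appear in the list that "show" prints after the commit.
findstr /i /c:"%IPADDR%" "%LOG%" > nul
if errorlevel 1 (
    echo %IPADDR% was not found in the deny list after commit. See %LOG%
    exit /b 1
)
echo Deny entry for %IPADDR% %MASK% committed on the Default LDAP Policy.
exit /b 0
```

Run the script from a command prompt on the domain controller as a member of the Administrators group. Keep the log file; it records the full Ntdsutil session, including any error message returned by the add or commit command.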


REFERENCES

For additional information about how to automate procedures in Ntdsutil, click the article number below to view the article in the Microsoft Knowledge Base:

243267 How to Automate Ntdsutil.exe Using a Script


Modification Type: Minor
Last Reviewed: 7/15/2004
Keywords: kbhowto kbHOWTOmaster KB314976 kbAudITPro