3.1.1.3.4.1 LDAP Extended Controls

LDAP extended controls are an extensibility mechanism in version 3 of LDAP, as discussed in [RFC2251] section 4.1.12. The following sections describe the LDAP extended controls implemented by DCs in Windows 2000 operating system and later (both AD DS and AD LDS).

The LDAP extended controls supported by a DC are exposed as OIDs in the supportedControl attribute of the rootDSE. Each OID corresponds to a human-readable name, as shown in the following table.

| Extended control name | OID |
| --- | --- |
| LDAP_PAGED_RESULT_OID_STRING | 1.2.840.113556.1.4.319 |
| LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID | 1.2.840.113556.1.4.521 |
| LDAP_SERVER_DIRSYNC_OID | 1.2.840.113556.1.4.841 |
| LDAP_SERVER_DOMAIN_SCOPE_OID | 1.2.840.113556.1.4.1339 |
| LDAP_SERVER_EXTENDED_DN_OID | 1.2.840.113556.1.4.529 |
| LDAP_SERVER_GET_STATS_OID | 1.2.840.113556.1.4.970 |
| LDAP_SERVER_LAZY_COMMIT_OID | 1.2.840.113556.1.4.619 |
| LDAP_SERVER_PERMISSIVE_MODIFY_OID | 1.2.840.113556.1.4.1413 |
| LDAP_SERVER_NOTIFICATION_OID | 1.2.840.113556.1.4.528 |
| LDAP_SERVER_RESP_SORT_OID | 1.2.840.113556.1.4.474 |
| LDAP_SERVER_SD_FLAGS_OID | 1.2.840.113556.1.4.801 |
| LDAP_SERVER_SEARCH_OPTIONS_OID | 1.2.840.113556.1.4.1340 |
| LDAP_SERVER_SORT_OID | 1.2.840.113556.1.4.473 |
| LDAP_SERVER_SHOW_DELETED_OID | 1.2.840.113556.1.4.417 |
| LDAP_SERVER_TREE_DELETE_OID | 1.2.840.113556.1.4.805 |
| LDAP_SERVER_VERIFY_NAME_OID | 1.2.840.113556.1.4.1338 |
| LDAP_CONTROL_VLVREQUEST | 2.16.840.1.113730.3.4.9 |
| LDAP_CONTROL_VLVRESPONSE | 2.16.840.1.113730.3.4.10 |
| LDAP_SERVER_ASQ_OID | 1.2.840.113556.1.4.1504 |
| LDAP_SERVER_QUOTA_CONTROL_OID | 1.2.840.113556.1.4.1852 |
| LDAP_SERVER_RANGE_OPTION_OID | 1.2.840.113556.1.4.802 |
| LDAP_SERVER_SHUTDOWN_NOTIFY_OID | 1.2.840.113556.1.4.1907 |
| LDAP_SERVER_FORCE_UPDATE_OID | 1.2.840.113556.1.4.1974 |
| LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID | 1.2.840.113556.1.4.1948 |
| LDAP_SERVER_RODC_DCPROMO_OID | 1.2.840.113556.1.4.1341 |
| LDAP_SERVER_DN_INPUT_OID | 1.2.840.113556.1.4.2026 |
| LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID | 1.2.840.113556.1.4.2065 |
| LDAP_SERVER_SHOW_RECYCLED_OID | 1.2.840.113556.1.4.2064 |
| LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID | 1.2.840.113556.1.4.2066 |
| LDAP_SERVER_DIRSYNC_EX_OID | 1.2.840.113556.1.4.2090 |
| LDAP_SERVER_UPDATE_STATS_OID | 1.2.840.113556.1.4.2205 |
| LDAP_SERVER_TREE_DELETE_EX_OID | 1.2.840.113556.1.4.2204 |
| LDAP_SERVER_SEARCH_HINTS_OID | 1.2.840.113556.1.4.2206 |
| LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID | 1.2.840.113556.1.4.2211 |
| LDAP_SERVER_POLICY_HINTS_OID | 1.2.840.113556.1.4.2239 |
| LDAP_SERVER_SET_OWNER_OID | 1.2.840.113556.1.4.2255 |
| LDAP_SERVER_BYPASS_QUOTA_OID | 1.2.840.113556.1.4.2256 |
| LDAP_SERVER_LINK_TTL_OID | 1.2.840.113556.1.4.2309 |
| LDAP_SERVER_SET_CORRELATION_ID_OID | 1.2.840.113556.1.4.2330 |
| LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID | 1.2.840.113556.1.4.2354 |

The following table lists the set of LDAP extended controls supported in applicable Windows Server releases or Active Directory Application Mode (ADAM) versions.

The table contains information for the following products. See section 3 for more information.

  • A --> Windows 2000

  • D --> Windows Server 2003 operating system

  • E --> Windows Server 2003 operating system with Service Pack 1 (SP1)

  • DR2 --> Windows Server 2003 R2 operating system

  • H --> ADAM RTW

  • I --> ADAM SP1

  • J --> Windows Server 2008 operating system

  • M --> Windows Server 2008 R2 operating system

  • R --> Windows Server 2012 operating system

  • U --> Windows Server 2012 R2 operating system

  • X --> Windows Server 2016 operating system

  • A2 --> Windows Server v1709 operating system

  • D2 --> Windows Server v1803 operating system

  • G2 --> Windows Server v1809 operating system

  • J2 --> Windows Server 2019 operating system

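| Extended control name | A | D | E, DR2 | H | I | J | M | R | U | X, A2 | D2, G2, J2 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| LDAP_PAGED_RESULT_OID_STRING | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_DIRSYNC_OID*** | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_DOMAIN_SCOPE_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_EXTENDED_DN_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_GET_STATS_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_LAZY_COMMIT_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_PERMISSIVE_MODIFY_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_NOTIFICATION_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_RANGE_OPTION_OID* | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_RESP_SORT_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_SD_FLAGS_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_SEARCH_OPTIONS_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_SORT_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_SHOW_DELETED_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_TREE_DELETE_OID | X | X | X | X | X | X | X | X | X | X | X |
| LDAP_SERVER_VERIFY_NAME_OID | X | X | X | X | X | X | X | X | X | X | X |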

LDAP_CONTROL_VLVREQUEST X X X X X X X X X X
LDAP_CONTROL_VLVRESPONSE X X X X X X X X X X
LDAP_SERVER_ASQ_OID X X X X X X X X X X
LDAP_SERVER_QUOTA_CONTROL_OID X X X X X X X X X X
LDAP_SERVER_SHUTDOWN_NOTIFY_OID** X X X X X X X X
LDAP_SERVER_FORCE_UPDATE_OID X X X X X X
LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID X X X X X X X
LDAP_SERVER_RODC_DCPROMO_OID X X X X X X
LDAP_SERVER_DN_INPUT_OID X X X X X X
LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID X X X X X
LDAP_SERVER_SHOW_RECYCLED_OID X X X X X
LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID X X X X X
LDAP_SERVER_DIRSYNC_EX_OID*** X X X X
LDAP_SERVER_UPDATE_STATS_OID X X X X
LDAP_SERVER_TREE_DELETE_EX_OID X X X X
LDAP_SERVER_SEARCH_HINTS_OID X X X X
LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID X X X X
LDAP_SERVER_POLICY_HINTS_OID X X X X
LDAP_SERVER_SET_OWNER_OID X X X
LDAP_SERVER_BYPASS_QUOTA_OID X X X
LDAP_SERVER_LINK_TTL_OID X X
LDAP_SERVER_SET_CORRELATION_ID_OID X
LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID X

* This OID does not identify an LDAP extended control. Its presence in the supportedControl attribute indicates that the DC is capable of range retrieval (see section 3.1.1.3.1.3.3) of LDAP multivalued attributes. However, its absence does not indicate lack of support for range retrieval. This OID is not present in the supportedControl attribute of Windows 2000 DCs, but those DCs do support range retrieval.

** Although exposed on the supportedControl attribute of Windows Server 2003 with SP1 and Windows Server 2003 R2 and later DCs, this control is only functional on DCs running the Small Business Server version of that operating system.

*** These two OID values are mutually exclusive. If used together in a request, a protocolError / <unrestricted> is returned.

A client sends a control to the DC by attaching a Control structure (defined in [RFC2251] section 4.1.12) to an LDAP operation. The client sets the controlType field to the control's OID and the controlValue field as specified in the discussion for the control that follows. If the controlValue field contains data that is not in conformance with the specification of the control, including the case where the controlValue field contains data and the specification of the control states that the controlValue field is omitted, then if the control is marked critical the server returns the error unavailableCriticalExtension / ERROR_INVALID_PARAMETER. If the controlValue field is incorrect but the control is not marked critical, the server ignores the control.

A control sent by the client to a DC is known as a request control. In some cases, the server includes a corresponding Control structure attached to the response for the LDAP operation. These controls, known as response controls, are discussed below in conjunction with the request control that causes that response control to be returned.
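
The Control structure and the server-side handling rules described above, as an added example (not code from the specification or from Microsoft): a BER encoder and decoder for the RFC 2251 Control plus a small model of the DC's outcome, usable for labelling controls seen in captured LDAP requests. The function names, the caller-supplied `value_ok` conformance check, the "processed" label and the order in which the two error rules are tested are assumptions of this example.

```python
# RFC 2251 4.1.12: Control ::= SEQUENCE { controlType LDAPOID,
#   criticality BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL }
DIRSYNC, DIRSYNC_EX = "1.2.840.113556.1.4.841", "1.2.840.113556.1.4.2090"

def tlv(tag, body):  # BER tag-length-value, definite length (short or long form)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_control(oid, critical=False, value=None):
    """Client side: criticality is emitted only when TRUE, value only if given."""
    body = tlv(0x04, oid.encode("ascii"))
    body += tlv(0x01, b"\xff") if critical else b""
    body += tlv(0x04, value) if value is not None else b""
    return tlv(0x30, body)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); raise if the TLV overruns buf."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("TLV length overruns buffer")
    return tag, buf[pos:pos + n], pos + n

def decode_control(buf):
    """Receiving side: return (oid, critical, controlValue or None)."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    _, oid, pos = read_tlv(body, 0)
    critical, value = False, None
    while pos < len(body):
        tag, item, pos = read_tlv(body, pos)
        if tag == 0x01:
            critical = item != b"\x00"
        elif tag == 0x04:
            value = item
    return oid.decode("ascii"), critical, value

def disposition(controls, value_ok):
    """value_ok(oid, value) is a hypothetical caller-supplied conformance check."""
    if {DIRSYNC, DIRSYNC_EX} <= {oid for oid, _, _ in controls}:
        return "protocolError"  # checked first here; the page gives no order
    bad_critical = any(c and not value_ok(o, v) for o, c, v in controls)
    return "unavailableCriticalExtension" if bad_critical else "processed"
```

A nonconforming control that is not marked critical yields "processed" because the server ignores it, which is why a sensor should record the criticality flag alongside the OID.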

A brief description of each LDAP control is given in the following table. Additionally, each control is discussed in more detail in the sections that follow. References to ASN.1 and BER encoding in the following section are references to [ITUX680] and [ITUX690], respectively.

| Extended control name | Description |
| --- | --- |
| LDAP_PAGED_RESULT_OID_STRING | Splits the results of an LDAP search across multiple result sets. |
| LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID | Used with an LDAP Modify DN operation to move an object from one domain to another domain. |
| LDAP_SERVER_DIRSYNC_OID | Used with an LDAP search operation to retrieve the changes made to objects since a previous LDAP_SERVER_DIRSYNC_OID search was performed. |
| LDAP_SERVER_DOMAIN_SCOPE_OID | Instructs the DC not to generate LDAP continuation references in response to a search operation. |
| LDAP_SERVER_EXTENDED_DN_OID | Used to request that an LDAP search operation return DNs in an extended format containing the values of the objectGUID and objectSid attributes. |
| LDAP_SERVER_GET_STATS_OID | Used with an LDAP search request to instruct the DC to return statistical data related to how the search was performed. |
| LDAP_SERVER_LAZY_COMMIT_OID | Instructs the DC that it MAY sacrifice durability guarantees on updates to improve performance. |
| LDAP_SERVER_PERMISSIVE_MODIFY_OID | Instructs the DC that an LDAP modify MUST succeed even if it attempts to add a value already present on the attribute or remove a value not present on the attribute. |
| LDAP_SERVER_NOTIFICATION_OID | Used with an LDAP search operation to register the client to be notified when changes are made to an object in the directory. |
| LDAP_SERVER_SD_FLAGS_OID | Instructs the DC which portions of a Windows security descriptor to either retrieve during an LDAP search operation or to set during an LDAP modify operation. |
| LDAP_SERVER_SEARCH_OPTIONS_OID | Used to pass flags to the DC to control search behaviors; specifically, to prevent LDAP continuation references from being generated and to search all NC replicas that are subordinate to the search base, even if the search base is not instantiated on the DC. |
| LDAP_SERVER_SORT_OID and LDAP_SERVER_RESP_SORT_OID | Request and response controls, respectively, for instructing the DC to sort the search results. |
| LDAP_SERVER_SHOW_DELETED_OID | Used with an LDAP operation to specify that tombstones and deleted-objects are visible to the operation. |
| LDAP_SERVER_TREE_DELETE_OID | Used with an LDAP delete operation to cause the server to recursively delete the entire subtree of objects located under the object specified in the search request (including the specified object). |
| LDAP_SERVER_VERIFY_NAME_OID | Permits the client to specify which GC the DC is to use when processing an add or modify request to verify the existence of any objects pointed to by DN attribute values. |
| LDAP_CONTROL_VLVREQUEST and LDAP_CONTROL_VLVRESPONSE | Request and response control, respectively, used with an LDAP search operation to retrieve a "sliding window" subset of the objects that satisfy the search request. |
| LDAP_SERVER_ASQ_OID | Used to specify that an LDAP search operation MUST not be performed against the object specified as the base in the search, but rather against the set of objects named by a specified attribute of Object(DS-DN) syntax on the base object. |
| LDAP_SERVER_QUOTA_CONTROL_OID | Used with an LDAP search operation to retrieve the quota of a user. |
| LDAP_SERVER_RANGE_OPTION_OID | Indicates that the server is capable of range retrieval (see section 3.1.1.3.1.3.3). |
| LDAP_SERVER_SHUTDOWN_NOTIFY_OID | Used with an LDAP search operation to cause the client to be notified when the DC is shutting down. |
| LDAP_SERVER_FORCE_UPDATE_OID | When attached to an LDAP update operation, causes the DC to perform the update even if that update would not affect the state of the DC. |
| LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID | Instructs the DC that, when performing a search using range retrieval (see section 3.1.1.3.1.3.3) on an attribute whose values are forward link values or back link values and the value of low is greater than or equal to the number of values in the attribute, no error is to be returned. |
| LDAP_SERVER_RODC_DCPROMO_OID | This control is used as part of the process of promoting a computer to be an RODC. |
| LDAP_SERVER_DN_INPUT_OID | This control is used to specify the DN of an object during an LDAP operation. Currently this control is used only while retrieving the constructed attribute msDS-IsUserCachableAtRodc (see section 3.1.1.3.4.1.24). |
| LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID | Used with an LDAP search operation to specify that link attributes that refer to deleted-objects are visible to the search operation. If used in conjunction with LDAP_SERVER_SHOW_DELETED_OID or LDAP_SERVER_SHOW_RECYCLED_OID, link attributes that are stored on deleted-objects are also visible to the search operation. This applies both to the search filter and the set of attributes returned by the search operation. |
| LDAP_SERVER_SHOW_RECYCLED_OID | Used with an LDAP operation to specify that tombstones, deleted-objects, and recycled-objects are visible to the operation. |
| LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID | The LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID control has the exact semantics and behaviors as LDAP_SERVER_POLICY_HINTS_OID (section 3.1.1.3.4.1.27); this control MAY be used by clients when the server does not support LDAP_SERVER_POLICY_HINTS_OID. Clients SHOULD use LDAP_SERVER_POLICY_HINTS_OID when it is supported by the server. |
| LDAP_SERVER_DIRSYNC_EX_OID | Used with an LDAP search operation to retrieve the changes made to objects since a previous LDAP_SERVER_DIRSYNC_EX_OID search was performed. |
| LDAP_SERVER_UPDATE_STATS_OID | The LDAP_SERVER_UPDATE_STATS_OID control indicates that the requester requires statistics from the DC. |
| LDAP_SERVER_TREE_DELETE_EX_OID | Used with an LDAP delete operation to cause the server to recursively delete the entire subtree of objects, up to a specified number of objects, located under the object specified in the search request (including the specified object). |
| LDAP_SERVER_SEARCH_HINTS_OID | Provides hints to the DC during LDAP search operations. |
| LDAP_SERVER_EXPECTED_ENTRY_COUNT_OID | Monitors the result of an LDAP search operation and potentially modifies the return code. |
| LDAP_SERVER_POLICY_HINTS_OID | Used with an LDAP operation to enforce password history policies during password set. |
| LDAP_SERVER_SET_OWNER_OID | Used with an LDAP add operation to set the owner of the object to a SID other than that of the requester. |
| LDAP_SERVER_BYPASS_QUOTA_OID | Used with an LDAP add operation to specify that quota limits do not apply for the add operation. |
| LDAP_SERVER_LINK_TTL_OID | Used to request that an LDAP search operation return link values in the TTL-DN form. |
| LDAP_SERVER_SET_CORRELATION_ID_OID | Allows the caller to provide an identifier that a DC can use for implementation-defined troubleshooting. |
| LDAP_SERVER_THREAD_TRACE_OVERRIDE_OID | Allows the caller to provide a request to the DC to perform additional implementation-defined troubleshooting. |

Note: The Extended Control Name LDAP_SERVER_SD_FLAGS_OID impacts the portions of the Windows security descriptor to retrieve during an LDAP search or to set during an LDAP modify operation, as supported on the operating systems specified in [MSFT-CVE-2021-42291]; each with its related MSKB article download installed. This feature is also supported in Windows 11, version 22H2 operating system and later.