Managing the IP Deny List

To provide higher levels of security for the domain controller, you can apply an IP Deny List that prevents the domain controller from accepting LDAP queries from clients with specified IP addresses. Similar to the LDAP administration limits, the IP Deny List only alters the Default LDAP Policy object. The default LDAP Policy is applied to any domain controller that has not had a specific LDAP policy applied to it or to the site in which it belongs.

Table C.9 lists and describes the Ntdsutil menu commands on the IP Deny List.

Table C.9 Ntdsutil IP Deny List Menu Commands



Add %s1 %s2

Adds an entry to the IP Deny List. The first parameter % s1 is either the host component or network component of an IP address. If a host component is specified, the second parameter % s2 is specified as NODE; whereas if the network component is specified, the second parameter is the subnet mask. For example, to deny access from a host with an address of, the command is:
To deny access from all hosts with a network address of, the command is:
The entries that you specify by using the add command are not applied until you commit them by using the Commit command.


Cancels any uncommitted additions or deletions.


Commits all additions or deletions to the LDAP policy object.

Delete %d

Deletes the specified entry with the index number % d . Use the show command to display entries with the respective index number.


Shows all IP addresses that are included in the IP Deny List.

Test %s

Determines whether the IP address specified by % s is allowed or denied access to the domain controller. For example, given an IP Deny List entry of, when tested with an address of, access is denied.