Microsoft KB Archive/318737

= Setting the Right Key Type for LDAPAccountDenyThreshold, LDAPAccountDenyTimeout and LDAPAccountDenyWindow =

Article ID: 318737

Article Last Modified on 6/11/2002

-

APPLIES TO


 * Microsoft Site Server 3.0 Standard Edition

-



This article was previously published under Q318737



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
Personalization and Membership provides protection against users who try to access secured areas. You can temporarily refuse logons to a Membership Server instance of the Site Server LDAP Service on a per-account basis. Short-term LDAP Logon Deny by Account is turned off by default. Three parameters in the Microsoft Windows NT registry hold the values used for short-term LDAP Logon Deny by Account. The original registry entries are created as REG_SZ, but the service reads them as REG_DWORD. This article describes how to enable LDAP Logon Deny by Account and how to correct the registry settings.



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. From a command prompt, change directory to

   Microsoft Site Server\bin\P&M

   and then run the following command to determine the Membership Server instance that you want to secure:

   PMAdmin list instance

2. Check whether account denial is already activated by running the following command:

   PMAdmin get LDAP /ID:[instance_id]

   NOTE: The [instance_id] is determined in step 1.

3. Check the value for the AccountDeny parameter. If AccountDeny is set to False, set it to True by running the following command:

   PMAdmin set LDAP /ID:[instance_id] /AccountDeny:True

4. Run Regedit.exe on the Microsoft Internet Information Services (IIS) computer that uses Personalization and Membership for authentication.

5. Locate the following key in the registry:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAPSVC\Parameters

6. Open the Parameters key and delete the following entries under the registry key that is identified in step 5:

   AccountBlacklistElapseWindow

   AccountBlacklistRefreshPeriod

   AccountBlacklistThreshold

7. Click Edit, point to New, and then click DWORD Value.

8. Name the value AccountBlacklistElapseWindow and then set the value to the desired setting for AccountBlacklistElapseWindow. This value is in milliseconds.

9. Name the value AccountBlacklistRefreshPeriod and set the value to the desired setting for AccountBlacklistRefreshPeriod. This value is in milliseconds.

10. Name the value AccountBlacklistThreshold and set the value to the desired setting for AccountBlacklistThreshold. This is an integer.

11. Quit Regedit.exe.

12. You can test the changes by using the Membership Directory Manager snap-in. To do so, attempt to log on with the wrong credentials to modify the Membership instance.

After you have re-created the registry keys correctly, you can modify the values by using the pmadmin command. For example, you can run the following command line: PMAdmin set master /LDAPAccountDenyTimeout:5
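The following script is an added example and is not part of the Microsoft article. It checks the kind of the three AccountBlacklist values under the LDAPSVC Parameters key named above, reports any that were created as REG_SZ instead of REG_DWORD, and, with -Fix, deletes and re-creates them as REG_DWORD while keeping the numeric value (mirroring steps 6 to 10). It assumes a PowerShell-capable host with the key present and an elevated session; the function name is an assumption of this example.

```powershell
# Added example, not from the KB article. Assumes PowerShell on the IIS host
# and an elevated session. Verifies that the short-term LDAP Logon Deny values
# are REG_DWORD (the type the service reads) and optionally re-creates them.
$keyPath = 'HKLM:\System\CurrentControlSet\Services\LDAPSVC\Parameters'
$names = @('AccountBlacklistElapseWindow',    # milliseconds
           'AccountBlacklistRefreshPeriod',   # milliseconds
           'AccountBlacklistThreshold')       # integer

function Test-LdapDenyValueTypes {
    param([string]$Path = $keyPath, [switch]$Fix)
    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $names) {
        if ($key.GetValueNames() -notcontains $name) {
            Write-Output "$name : missing"
            continue
        }
        $kind = $key.GetValueKind($name)
        $raw  = $key.GetValue($name)
        if ($kind -eq 'DWord') {
            Write-Output "$name : OK (REG_DWORD = $raw)"
            continue
        }
        Write-Output "$name : WRONG TYPE ($kind = '$raw'); the service expects REG_DWORD"
        if (-not $Fix) { continue }
        $number = 0
        if (-not [uint32]::TryParse([string]$raw, [ref]$number)) {
            Write-Output "$name : value is not numeric, not converting"
            continue
        }
        # Re-create the value so it gets the REG_DWORD kind, as in steps 6 to 10.
        Remove-ItemProperty -Path $Path -Name $name
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $number | Out-Null
        Write-Output "$name : re-created as REG_DWORD = $number"
    }
}

# Report only:
Test-LdapDenyValueTypes
# Report and re-create mis-typed values:
# Test-LdapDenyValueTypes -Fix
```

Run the report form first; a value that shows as String is the REG_SZ entry the article says the service cannot read correctly.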

Additional query words: LDAPAccountDenyThreshold LDAPAccountDenyTimeout LDAPAccountDenyWindow

Keywords: kbinfo kbfix kbdocerr KB318737


© Microsoft Corporation. All rights reserved.