Setting the Right Key Type for LDAPAccountDenyThreshold, LDAPAccountDenyTimeout and LDAPAccountDenyWindow (318737)

The information in this article applies to:

  • Microsoft Site Server 3.0

This article was previously published under Q318737
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

Personalization and Membership provides protection against users who try to access secured areas. You can temporarily refuse logons to a Membership Server instance of the Site Server LDAP Service on a per-account basis. Short-term LDAP Logon Deny by Account is turned off by default. Three parameters in the Microsoft Windows NT registry hold the values that are used for short-term LDAP Logon Deny by Account. As originally created, these registry values are of type REG_SZ, but the service reads them as REG_DWORD. This article describes how to enable LDAP Logon Deny by Account and how to correct the registry settings.

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  1. From a command prompt, change directory to

    Microsoft Site Server\bin\P&M

    and then run the following command to determine the Membership Server instance that you want to secure:
    PMAdmin list instance
  2. Check whether account denial is already activated by running the following command:
    PMAdmin get LDAP /ID:[instance_id]
    NOTE: The [instance_id] is determined in step 1.
  3. Check the value for the AccountDeny parameter. If AccountDeny is set to False, set it to True by running the following command:
    PMAdmin set LDAP /ID:[instance_id] /AccountDeny:True
  4. Run Regedit.exe on the Microsoft Internet Information Services (IIS) computer that uses Personalization and Membership for authentication.
  5. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAPSVC\Parameters

  6. Open the Parameters key and delete the following entries under the registry key that is identified in step 5:

    AccountBlacklistElapseWindow
    AccountBlacklistRefreshPeriod
    AccountBlacklistThreshold

  7. Click Edit, point to New, and then click DWORD Value. Repeat this step for each of the three values that you create in steps 8 through 10.
  8. Name the value AccountBlacklistElapseWindow and then set the value to the desired setting for AccountBlacklistElapseWindow. This value is in milliseconds.
  9. Name the value AccountBlacklistRefreshPeriod and set the value to the desired setting for AccountBlacklistRefreshPeriod. This value is in milliseconds.
  10. Name the value AccountBlacklistThreshold and set the value to the desired setting for AccountBlacklistThreshold. This is an integer.
  11. Quit Regedit.exe.
  12. You can test the changes by using the Membership Directory Manager snap-in. To do so, attempt to log on with the wrong credentials to modify the Membership instance.
After you have re-created the registry keys correctly, you can modify the values by using the pmadmin command. For example, you can run the following command line:

    PMAdmin set master /LDAPAccountDenyTimeout:5

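The following script is an added example, not part of the original article: it checks whether the three short-term Logon Deny values under the LDAPSVC\Parameters key are REG_DWORD and, with -Fix, re-creates any REG_SZ entry as REG_DWORD with the same numeric contents (the manual equivalent of steps 6 through 10). It assumes a PowerShell host on the IIS computer and the registry path given in the article.

```powershell
# Added example (not from the KB article): verify that the three
# short-term Logon Deny values under LDAPSVC\Parameters are REG_DWORD,
# and report or fix any that were created as REG_SZ.
# Assumes the registry path from the article; -Fix re-creates a REG_SZ
# value as REG_DWORD with the same numeric contents.
param([switch]$Fix)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAPSVC\Parameters'
$Values  = 'AccountBlacklistElapseWindow',
           'AccountBlacklistRefreshPeriod',
           'AccountBlacklistThreshold'

if (-not (Test-Path $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}
$key = Get-Item -Path $KeyPath

foreach ($name in $Values) {
    if ($key.GetValueNames() -notcontains $name) {
        Write-Warning "$name is missing (the service will use its default)"
        continue
    }
    $kind = $key.GetValueKind($name)      # String = REG_SZ, DWord = REG_DWORD
    $data = $key.GetValue($name)
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
        Write-Output "$name : DWORD = $data (OK)"
        continue
    }
    Write-Warning "$name : $kind = '$data' (service expects REG_DWORD)"
    if (-not $Fix) { continue }

    # Parse the string contents as an unsigned integer before converting,
    # so that a non-numeric REG_SZ value is reported rather than zeroed.
    [uint32]$number = 0
    if (-not [uint32]::TryParse([string]$data, [ref]$number)) {
        Write-Error "$name contains non-numeric data '$data'; correct it by hand"
        continue
    }
    # Delete the REG_SZ entry and re-create it as REG_DWORD (steps 6 through 10).
    Remove-ItemProperty -Path $KeyPath -Name $name
    New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value $number | Out-Null
    Write-Output "$name : re-created as DWORD = $number"
}
```

Run it without -Fix first to see which values the service would misread; the elapse window and refresh period remain in milliseconds, as the article states.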

Modification Type: Major
Last Reviewed: 6/11/2002
Keywords:kbdocerr kbinfo KB318737