Many aspects of AD's behavior are governed by the dsHeuristics attribute of the Directory Service configuration object:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<rootNC>
In contrast to the far more elusive “DSA Heuristics” registry value, dsHeuristics is very well documented and is actively used to add new behaviors to AD. The attribute is a string, read from left to right, in which each character is a hexadecimal digit. The meaning of these positions is as follows (the default behavior corresponds to a zero value, unless specified otherwise):
Position | Parameter | Behavior if nonzero |
---|---|---|
1 | fSupFirstLastANR | Ambiguous Name Resolution will not include search by “Firstname Lastname”. |
2 | fSupLastFirstANR | Ambiguous Name Resolution will not include search by “Lastname Firstname”. |
3 | fDoListObject | The “List Object” right will be enforced and children will be hidden if the searcher does not have the DS_LIST_OBJECT right on the parent. |
4 | fDoNickRes | Ambiguous Name Resolution request via MAPI will attempt an exact match against the MAPI nickname. |
5 | fLDAPUsePermMod | LDAP will use the LDAP_SERVER_PERMISSIVE_MODIFY control (return success even if no modification is performed). Otherwise LDAP will use strict modification behavior and return an error if no modifications are to be performed, like deleting an attribute that is not present. |
6 | ulHideDSID | 0 = DSID will always be returned. 1 = DSID will only be returned if it does not reveal the identity of the object otherwise invisible to the client. 2-f = DSID will NOT be returned. |
7 | fLDAPBlockAnonOps | 2 (default) = LDAP will only allow searching RootDSE anonymously, regardless of ACL. Any other value = LDAP will allow anonymous searches if the ACLs permit them. This parameter requires Server 2003 or newer to take effect. |
8 | fAllowAnonNSPI | Allow anonymous NSPI (RPC) calls. |
9 | fUserPwdSupport | 0 or 2 = Allow access to the userPassword attribute, ACLs permitting. Any other value = Disable access to the userPassword attribute, regardless of permissions. |
10 | tenthChar | Must be 1 if positions beyond 9 are to be set. |
11 | fSpecifyGUIDOnAdd | On adding an object, specifying its GUID is allowed. |
12 | fDontStandardizeSDs | The order of ACEs supplied by the client is preserved, ordering rules are ignored. |
13 | fAllowPasswordOperationsOverNonSecureConnection | Password operations are allowed without encryption. This is only valid for ADLDS! |
14 | fDontPropagateOnNoChangeUpdate | ntSecurityDescriptor is propagated to descendant objects on change, even if the new value is bitwise identical to the old one. This parameter requires Server 2008 or newer to take effect. |
15 | fComputeANRStats | ANR searches are optimized using cardinality estimates from previous searches. |
16 | dwAdminSDExMask | Excludes operator groups from SDPROP: 1 = Account Operators; 2 = Server Operators; 3 = Account Operators + Server Operators; 4 = Print Operators; 5 = Account Operators + Print Operators; 6 = Server Operators + Print Operators; 7 = Account Operators + Server Operators + Print Operators; 8 = Backup Operators; 9 = Account Operators + Backup Operators; a = Server Operators + Backup Operators; b = Account Operators + Server Operators + Backup Operators; c = Print Operators + Backup Operators; d = Account Operators + Print Operators + Backup Operators; e = Server Operators + Print Operators + Backup Operators; f = Account Operators + Server Operators + Print Operators + Backup Operators |
17 | fKVNOEmuW2K | msDS-KeyVersionNumber will always equal 1 (W2K emulation). |
18 | fLDAPBypassUpperBoundsOnLimits | DCs will bypass implementation-dependent limits on LDAP policies. This parameter requires Server 2008 or newer to take effect. |
19 | fDisableAutoIndexingOnSchemaUpdate | Index creation is triggered by index-related changes to the searchFlags attribute. The default behavior is to delay index creation upon detection of index-related changes to the searchFlags attribute until either an administrator issues the schemaUpdateNow rootDSE modify operation, the DC is rebooted, or an implementation-dependent time period has elapsed. This parameter requires Server 2012 or newer to take effect. |
20 | twentiethChar | Must be 2 if positions beyond 19 are to be set. |
21 | DoNotVerifyUPNAndOrSPNUniqueness | The following names will not be verified for uniqueness on change: 1 = UPN; 2 = SPN; 3 = UPN + SPN; 4 = SPN alias; 5 = UPN + SPN alias; 6 = SPN + SPN alias; 7 = UPN + SPN + SPN alias |
22 + 23 | MinimumGetChangesRequestVersion | GETCHGREQ must have the minimum version specified by these two bytes. |
24 + 25 | MinimumGetChangesReplyVersion | GETCHGREPLY must have the minimum version specified by these two bytes. |
26 | fLoadV1AddressBooksOnlySetting | MAPI address book is calculated using V1 attributes. Otherwise V2 is used. Only works with Windows Client/Server 1903 and newer. |
27 | fTreatTokenGroupsAsLDAPTransitiveAttribute | LDAP Policy “MaxValueRangeTransitive” is respected for token groups, otherwise “MaxValueRange” is respected. Only works with Windows Client/Server 1903 and newer. |
28 | AttributeAuthorizationOnLDAPAdd | 0 = KB5008383 LDAP Add AuthZ verification disabled (old default; not supported after 2023-04-11). 2 = KB5008383 LDAP Add AuthZ enforcement mode disabled, updated auditing disabled. 1 or other = KB5008383 LDAP Add AuthZ enforcement mode (new default). Only works with Windows Server 2008R2 and newer. |
29 | BlockOwnerImplicitRights | 0 = KB5008383 Owner Implicit Rights Audit enabled (old default until 2023-04-11). 2 = KB5008383 Owner Implicit Rights enforcement mode disabled. 1 or other = KB5008383 Owner Implicit Rights enforcement mode (new default). Only works with Windows Server 2008R2 and newer. |
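As an added example (not the author's PowerShell function and not Microsoft code), the decoder below applies the table above in Python: it maps each position to its parameter, treats unset trailing positions as the default zero, reads positions 22-23 and 24-25 as two-digit fields, and reports the settings an AD reviewer would want flagged. The bit values used for dwAdminSDExMask and DoNotVerifyUPNAndOrSPNUniqueness are derived from the combination lists in the table; the sample strings in the test are constructed.

```python
# Position (1-based) -> parameter name, single-digit fields from the table above.
POSITIONS = {
    1: "fSupFirstLastANR", 2: "fSupLastFirstANR", 3: "fDoListObject",
    4: "fDoNickRes", 5: "fLDAPUsePermMod", 6: "ulHideDSID",
    7: "fLDAPBlockAnonOps", 8: "fAllowAnonNSPI", 9: "fUserPwdSupport",
    10: "tenthChar", 11: "fSpecifyGUIDOnAdd", 12: "fDontStandardizeSDs",
    13: "fAllowPasswordOperationsOverNonSecureConnection",
    14: "fDontPropagateOnNoChangeUpdate", 15: "fComputeANRStats",
    16: "dwAdminSDExMask", 17: "fKVNOEmuW2K", 18: "fLDAPBypassUpperBoundsOnLimits",
    19: "fDisableAutoIndexingOnSchemaUpdate", 20: "twentiethChar",
    21: "DoNotVerifyUPNAndOrSPNUniqueness", 26: "fLoadV1AddressBooksOnlySetting",
    27: "fTreatTokenGroupsAsLDAPTransitiveAttribute",
    28: "AttributeAuthorizationOnLDAPAdd", 29: "BlockOwnerImplicitRights",
}
# The combination lists in the table are bitmasks over these values (derived here).
ADMINSDEX_BITS = {1: "Account Operators", 2: "Server Operators",
                  4: "Print Operators", 8: "Backup Operators"}
UNIQUENESS_BITS = {1: "UPN", 2: "SPN", 4: "SPN alias"}

def parse_dsheuristics(value):
    """Decode dsHeuristics into {parameter: int}; unset tail positions default to 0."""
    raw = value.strip().lower()
    if any(c not in "0123456789abcdef" for c in raw):
        raise ValueError("dsHeuristics may only contain hexadecimal digits")
    padded = raw.ljust(29, "0")
    settings = {n: int(padded[p - 1], 16) for p, n in POSITIONS.items()}
    # Positions 22-23 and 24-25 are two-digit fields.
    settings["MinimumGetChangesRequestVersion"] = int(padded[21:23], 16)
    settings["MinimumGetChangesReplyVersion"] = int(padded[23:25], 16)
    return settings

def decode_bits(mask, names):
    return [name for bit, name in names.items() if mask & bit]

def audit_dsheuristics(value):
    """Findings a reviewer would want: marker digits and the riskier settings."""
    raw, s = value.strip(), parse_dsheuristics(value)
    findings = []
    if len(raw) > 9 and s["tenthChar"] != 1:
        findings.append("position 10 must be 1 when positions beyond 9 are set")
    if len(raw) > 19 and s["twentiethChar"] != 2:
        findings.append("position 20 must be 2 when positions beyond 19 are set")
    for name in ("fAllowAnonNSPI", "fAllowPasswordOperationsOverNonSecureConnection"):
        if s[name]:
            findings.append(name + " is set")
    for key, bits, label in (("dwAdminSDExMask", ADMINSDEX_BITS, "excluded from SDPROP: "),
                             ("DoNotVerifyUPNAndOrSPNUniqueness", UNIQUENESS_BITS, "uniqueness not verified for: ")):
        if s[key]:
            findings.append(label + ", ".join(decode_bits(s[key], bits)))
    for name in ("AttributeAuthorizationOnLDAPAdd", "BlockOwnerImplicitRights"):
        if s[name] == 2:
            findings.append(name + ": KB5008383 enforcement mode disabled")
    return findings
```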
I wrote a PowerShell function to resolve a given dsHeuristics value to a collection of objects.