You want to modify the minimum and default TTLs for dynamic objects.
In each solution below, I'll show how to set the DynamicObjectDefaultTTL setting to 172800. Modifying the DynamicObjectMinTTL can be done in the same manner.
Open ADSI Edit.
If an entry for the Configuration naming context is not already displayed, do the following:
Right-click on ADSI Edit in the right pane and click Connect to . . .
Fill in the information for the naming context for your forest. Click on the Advanced button if you need to enter alternate credentials.
In the left pane, browse to the following path under the Configuration naming context: Services → Windows NT → Directory Service.
Right-click cn=Directory Service and select Properties.
Edit the msDS-Other-Settings attribute.
Click on DynamicObjectDefaultTTL=<xxxxx> and click Remove.
The attribute/value pair should have been populated in the "Value to add" field.
Edit the number part of the value to be 172800.
Click OK twice.
The following ntdsutil command connects to <DomainControllerName>, displays the current values for the dynamic object TTL settings, sets the DynamicObjectDefaultTTL to 172800, commits the change, and displays the results:
> ntdsutil "config settings" connections "connect to server <DomainControllerName>" q "show values" "set DynamicObjectDefaultTTL to 172800" "commit changes" "show values" q q
' This code modifies the default TTL setting for dynamic objects in a forest
' ------ SCRIPT CONFIGURATION ------
strNewValue = 172800
' Could be DynamicObjectMinTTL if you wanted to set that instead
strTTLSetting = "DynamicObjectDefaultTTL"
' ------ END CONFIGURATION ---------

const ADS_PROPERTY_APPEND = 3
const ADS_PROPERTY_DELETE = 4

' Bind to the Directory Service object in the Configuration naming context
set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject("LDAP://CN=Directory Service,CN=Windows NT," & _
                      "CN=Services,CN=Configuration," & _
                      objRootDSE.Get("rootDomainNamingContext"))

' Delete every existing value that matches the setting name
for each strVal in objDS.Get("msDS-Other-Settings")
   Set objRegEx = New RegExp
   objRegEx.Pattern = strTTLSetting & "="
   objRegEx.IgnoreCase = True
   Set colMatches = objRegEx.Execute(strVal)
   For Each objMatch in colMatches
      Wscript.Echo "Deleting " & strVal
      objDS.PutEx ADS_PROPERTY_DELETE, "msDS-Other-Settings", Array(strVal)
      objDS.SetInfo
   Next
Next

' Append the new attribute/value pair
Wscript.Echo "Setting " & strTTLSetting & "=" & strNewValue
objDS.PutEx ADS_PROPERTY_APPEND, _
            "msDS-Other-Settings", _
            Array(strTTLSetting & "=" & strNewValue)
objDS.SetInfo
Two configuration settings apply to dynamic objects:
DynamicObjectDefaultTTL
Defines the default TTL that is set for a dynamic object at creation time unless another one is set via entryTTL.
DynamicObjectMinTTL
Defines the smallest TTL that can be configured for a dynamic object.
Unfortunately, these two settings are not stored as discrete attributes. Instead, they are stored as attribute value assertions (AVAs) in the msDS-Other-Settings attribute on the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN> object. AVAs are used occasionally in Active Directory on multivalued attributes, in which the values take the form of Setting1=Value1, Setting2=Value2, etc.
For this reason, you cannot simply manipulate AVA attributes as you would another attribute. You have to be sure to add or replace values in the same format as they existed previously.
You can use ntdsutil in interactive mode or in single-command mode. In this solution, I've included all the necessary commands on a single line. You can, of course, step through each command by simply running ntdsutil in interactive mode and entering each command one by one.
Because we are dealing with AVAs, the VBScript solution is not very straightforward. Getting a pointer to the Directory Service object is easy, but then we must step through each value of the msDS-Other-Settings attribute until we find the one we are looking for. The reason it is not straightforward is that we do not know the exact value of the setting we are looking for. All we know is that it begins with DynamicObjectDefaultTTL=. That is why it is necessary to resort to regular expressions. With a regular expression, we can compare each value against DynamicObjectDefaultTTL= and if we find a match, delete that value only. After we've iterated through all of the values and hopefully deleted the one we are looking for, we append the new setting using PutEx. Simple as that!
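The delete-then-append handling of an AVA described above, as an added Python example that is not part of the original recipe: it matches the setting name whole (so a value that merely contains the name is left alone) and renders the change as an LDIF modify record. The function names, sample attribute values and the DC=example,DC=com forest root are constructed for illustration.

```python
"""Added example: plan a delete-then-add update of one AVA in msDS-Other-Settings."""
ATTR = "msDS-Other-Settings"

def split_ava(value):
    """Split 'Name=Value' at the first '='; return (name, value) or None."""
    name, sep, val = value.partition("=")
    return (name.strip(), val.strip()) if sep else None

def plan_ava_update(current_values, setting, new_value):
    """Return (values_to_delete, value_to_add) for one setting.

    The name is compared whole and case-insensitively, so a value that only
    contains the setting name as a substring is never selected for deletion.
    """
    if isinstance(new_value, bool) or not isinstance(new_value, int) or new_value <= 0:
        raise ValueError("TTL must be a positive integer")
    to_delete = []
    for raw in current_values:
        parsed = split_ava(raw)
        if parsed and parsed[0].lower() == setting.lower():
            to_delete.append(raw)  # delete by the exact stored string
    return to_delete, f"{setting}={new_value}"

def to_ldif(dn, to_delete, to_add):
    """Render the plan as one LDIF modify record (RFC 2849)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    if to_delete:
        lines.append(f"delete: {ATTR}")
        lines += [f"{ATTR}: {v}" for v in to_delete]
        lines.append("-")
    lines += [f"add: {ATTR}", f"{ATTR}: {to_add}", "-"]
    return "\n".join(lines) + "\n"

# Constructed sample data: the attribute values and forest root DN are made up.
SAMPLE_VALUES = [
    "DynamicObjectMinTTL=900",
    "dynamicobjectdefaultttl=86400",
    "SomeOtherSetting=1",
]
SAMPLE_DN = ("CN=Directory Service,CN=Windows NT,CN=Services,"
             "CN=Configuration,DC=example,DC=com")

if __name__ == "__main__":
    dels, add = plan_ava_update(SAMPLE_VALUES, "DynamicObjectDefaultTTL", 172800)
    print(to_ldif(SAMPLE_DN, dels, add), end="")
```

Reviewing the generated record before applying it shows exactly which stored value will be removed, which is the part the interactive tools hide.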
Recipe 4.11 for modifying an object and MSDN: Regular Expression (RegExp) Object