LDAP Query not showing all users in group-URGENT Plz

astra1600cse

Hi
We are trying to use an LDAP query off an AD Domain
controller to run an application.

What happens is the LDAP query displays only a few users
in the group of about 6000 people. However if you look in
Active Directory Users and Computers snap-in, all users
show listed.

It doesn't seem to be a rights issue as we have used an
admin account to do the query as well and it achieves the
same results.

Anybody got any ideas?
Running Windows 2000 Sp3 throughout.
 
Jerold Schulman

I don't know LDAP, but I suspect it has an object limit, just like the Active
Directory command line tool, dsquery.

"-limit <NumObjects> Specifies the number of objects matching the
given criteria to be returned, where <NumObjects>
is the number of objects to be returned.
If the value of <NumObjects> is 0, all
matching objects are returned. If this parameter
is not specified, by default the first
100 results are displayed."



Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
Guest

Hi

It doesn't seem to be, as other groups work fine. We are
using the Domain Users group?

Would this have any effect?
Thanks
Bruce.
 
Wayne Tilton

Domain Users is a special group in that it is the default Primary Group
for all users when added to the domain. Due to replication issues in the
initial design of AD, a user's primary group membership is not stored in
the group object but as the PrimaryGroupID attribute of the user object.
This gets around the issue of replicating large group memberships (since
Domain Users is empty).

Unless you have a really, really, really (really) good reason to change a
user's Primary Group (and there usually aren't), Domain Users should be
empty.

Note that the same thing applies to computers and the Domain Computers
group and, if you had lots and lots of DCs, the Domain Controllers
group.

Hope that helps,

Wayne Tilton
 
Joe Richards [MVP]

You are most likely querying a group that is the primary group for a
majority of the users - probably domain users. This group, due to
limitations in W2K AD, is handled differently and the membership is NOT
maintained in the member attribute of the group. The group membership for
primary groups is actually kept in the user object as a RID in the
primaryGroupID field.

If you do a Google search on that attribute on the adsi.general group you
will find several years of discussions about it there.
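
The behaviour described in the replies above, as an added example that is not part of any poster's message: a membership audit has to combine the group's member attribute with every user whose primaryGroupID equals the group's RID, or primary-group members are silently missed. The directory entries, the example.com DNs and the SID are constructed sample data, and the helper names are hypothetical.

```python
import struct

def rid_from_sid(sid: bytes) -> int:
    """Return the RID (last sub-authority) of a binary objectSid value."""
    if len(sid) < 8 or sid[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = sid[1]
    if count == 0 or len(sid) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def membership_filter(group_dn: str, group_sid: bytes) -> str:
    """LDAP filter matching listed members and primary-group members."""
    return "(|(memberOf=%s)(primaryGroupID=%d))" % (
        escape_filter_value(group_dn), rid_from_sid(group_sid))

def effective_members(group: dict, users: list) -> list:
    """Merge the member attribute with users whose primaryGroupID is the group's RID."""
    rid = rid_from_sid(group["objectSid"])
    listed = {dn.lower() for dn in group.get("member", [])}
    return sorted(u["dn"] for u in users
                  if u["dn"].lower() in listed or u.get("primaryGroupID") == rid)

# Constructed sample data (not from the thread): SID S-1-5-21-1-2-3-513.
DOMAIN_USERS = {
    "dn": "CN=Domain Users,CN=Users,DC=example,DC=com",
    "objectSid": bytes([1, 5]) + (5).to_bytes(6, "big")
                 + struct.pack("<5I", 21, 1, 2, 3, 513),
    "member": ["CN=Carol,CN=Users,DC=example,DC=com"],  # explicit, non-primary
}
USERS = [
    {"dn": "CN=Alice,CN=Users,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=Bob,CN=Users,DC=example,DC=com", "primaryGroupID": 513},
    {"dn": "CN=Carol,CN=Users,DC=example,DC=com", "primaryGroupID": 1104},
    {"dn": "CN=Dave,CN=Users,DC=example,DC=com", "primaryGroupID": 1104},
]

if __name__ == "__main__":
    print(membership_filter(DOMAIN_USERS["dn"], DOMAIN_USERS["objectSid"]))
    for dn in effective_members(DOMAIN_USERS, USERS):
        print(dn)
```

Reading only the member attribute of the sample group returns Carol alone; the merged view also returns Alice and Bob, whose membership exists only as primaryGroupID on their user objects.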
 
