Security/Distribution Group Member.Count limit of 1000

Terry E Dow

Howdy,

I am having trouble with the objectCategory=group member.Count attribute.
I get one of three counts, a number between 1-999, no member (does not
contain member property), or 0. Using LDIFDE as a comparison I get the same
results. No members means just that, an empty group. Zero means that the
DirectorySearcher.SizeLimit has been exceeded.
http://msdn.microsoft.com/library/e...vicesDirectorySearcherClassSizeLimitTopic.asp
states:
....
Property Value
The maximum number of objects the server returns in a search. The default of
zero means to use the server-determined default size limit of 1000 entries.
Remarks
The server stops searching after the size limit is reached and returns the
results accumulated up to that point.
Note If you set SizeLimit to a value that is larger than the
server-determined default of 1000 entries, the server-determined default is
used.
....

My question is, what do I change on the server (domain controller) or
within Active Directory to increase the over-riding server-determined
default size limit of 1000? I tried the MS KB article (Controlling the
Active Directory Search Buffer Size
http://support.microsoft.com/?kbid=243281) Directory UI registry change to
no avail. We have already increased the NTDSUTIL's LDAP Policies to:
Policy Current(New)
MaxPoolThreads 8
MaxDatagramRecv 1024
MaxReceiveBuffer 10485760
InitRecvTimeout 120
MaxConnections 5000
MaxConnIdleTime 900
MaxActiveQueries 40
MaxPageSize 200000
MaxQueryDuration 120
MaxTempTableSize 10000
MaxResultSetSize 262144
MaxNotificationPerConn 5
 

Richard Mueller [MVP]

Hi,

You don't say what you are trying to do, or in what language, but in
VBScript you can use ADO and Range Limits to retrieve more than 1000 entries
in a multi-valued attribute, like the "member" attribute of a group object.
I have a sample VBScript program to enumerate group membership that uses
this technique linked on this page:

http://www.rlmueller.net/DocumentLargeGroup.htm

The technique is also described in Microsoft's "Windows 2000 Scripting
Guide", but the example is incomplete as it raises errors if there are fewer
than 1000 members left to retrieve.

As far as I know, there are not settings on the server to overcome this
limitation. I hope this helps.
 

Joe Kaplan \(MVP - ADSI\)

This is my generalized VB.NET range retrieval function. It returns the
attribute values in an ArrayList. You could easily modify it to use a
different container:

Imports System.Collections
Imports System.DirectoryServices
Imports System.Runtime.InteropServices

'Hypothetical enclosing class added so the method compiles stand-alone;
'the post showed only the method itself
Public Class DirectoryHelper

    Protected Shared Function GetAllAttributeValues(ByVal entry As DirectoryEntry, ByVal attributeName As String) As ArrayList
        Dim propValues As PropertyValueCollection
        Dim propValue As Object
        Dim attributeValues As PropertyValueCollection
        Dim values As ArrayList

        Dim currentRange As String

        Dim startCount As Integer
        Dim endCount As Integer
        Dim iteration As Integer

        Dim increment As Integer = 1000
        'HRESULT 0x80072020 (ERROR_DS_OPERATIONS_ERROR): what the server returns once
        'the lower bound of the requested range lies beyond the last value
        Dim expectedErrorCode As Integer = -2147016672

        'This optimization reads the attribute directly if it contains less than
        '1000 values and returns an ArrayList based on that. If we have 1000 values,
        'we assume that there are likely more than 1000 values and we resort to the
        'slower attribute ranging method done below
        entry.RefreshCache(New String() {attributeName})

        attributeValues = entry.Properties(attributeName)
        If attributeValues.Count < 1000 Then
            Dim memberValue As Object
            values = New ArrayList(attributeValues.Count)
            For Each memberValue In attributeValues
                values.Add(memberValue)
            Next
            values.TrimToSize()
            Return values
        End If

        'here we go into ranging mode
        values = New ArrayList(1000)

        Do
            startCount = iteration * increment
            endCount = (iteration + 1) * increment - 1
            'This is the attribute ranging method for retrieving the contents of
            'large attributes
            currentRange = String.Format("{0};Range={1}-{2}", attributeName, startCount, endCount)
            'this will throw when the lower bound on the range is too high
            Try
                entry.RefreshCache(New String() {currentRange})
            Catch e As COMException
                'I might check for the expected hresult (e.ErrorCode = expectedErrorCode),
                'but I don't know if I need to
                Exit Do
            End Try

            'Get the values for the current range of attributes
            propValues = entry.Properties(attributeName)

            For Each propValue In propValues
                values.Add(propValue)
            Next

            iteration += 1
            values.Capacity += increment
        Loop

        values.TrimToSize()
        Return values
    End Function

End Class

This should allow you to get full group membership in .NET (unless we are
talking about primary group membership which is done a different way).

Joe K.

Richard Mueller said:
Hi,

You don't say what you are trying to do, or in what language, but in
VBScript you can use ADO and Range Limits to retrieve more than 1000 entries
in a multi-valued attribute, like the "member" attribute of a group object.
I have a sample VBScript program to enumerate group membership that uses
this technique linked on this page:

http://www.rlmueller.net/DocumentLargeGroup.htm

The technique is also described in Microsoft's "Windows 2000 Scripting
Guide", but the example is incomplete as it raises errors if there are fewer
than 1000 members left to retrieve.

As far as I know, there are not settings on the server to overcome this
limitation. I hope this helps.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
Terry E Dow said:
Howdy,

I am having trouble with the objectCategory=group member.Count attribute.
I get one of three counts, a number between 1-999, no member (does not
contain member property), or 0. Using LDIFDE as a comparison I get the same
results. No members means just that, an empty group. Zero means that the
DirectorySearcher.SizeLimit has been exceeded.
http://msdn.microsoft.com/library/e...vicesDirectorySearcherClassSizeLimitTopic.asp
states:
...
Property Value
The maximum number of objects the server returns in a search. The
default
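The range retrieval mechanism Richard describes and Joe's function implements, as an added example that is not from the thread or any of its posters: a small Python model of the exchange between a client and a domain controller, so the behaviour can be run and checked offline. The server side (`FakeDirectoryServer`, `MAX_VAL_RANGE`, `OperationsError`) is a constructed stand-in assumed to behave as the thread describes: a plain read of a multi-valued attribute hands back at most 1000 values, an `attr;range=low-high` request is answered with the values tagged with the range the server actually honoured, and the final slice carries `*` as its upper bound. The sample members are constructed. The client loop advances from the upper bound the server returned rather than the one it asked for, which is what copes with a last slice shorter than the step (the Scripting Guide problem Richard mentions), and stopping on `*` means it never issues the past-the-end request whose exception Joe's code catches. It also shows why an audit tool that reads `member` once silently undercounts large groups: the returned descriptor, not the count, is the truncation signal.

```python
"""Attribute range retrieval against a simulated domain controller."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed model of the per-read ceiling the thread describes: one response
# never carries more than this many values of a single attribute.
MAX_VAL_RANGE = 1000

# "member;range=0-999" or "member;range=2000-*"; the option name is case-insensitive
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.IGNORECASE)


class OperationsError(Exception):
    """Stand-in for the COMException Joe's function catches when the lower bound
    of a requested range lies past the last value (HRESULT -2147016672 = 0x80072020)."""


def parse_descriptor(descriptor: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Split 'attr;range=low-high' into (attr, low, high). high is None for '*';
    both bounds are None when the descriptor carries no range option at all."""
    m = RANGE_RE.match(descriptor)
    if m is None:
        return descriptor, None, None
    high = m.group("high")
    return m.group("attr"), int(m.group("low")), (None if high == "*" else int(high))


class FakeDirectoryServer:
    """Holds one group's member list and answers reads the way a DC is modelled to."""

    def __init__(self, members: List[str], max_val_range: int = MAX_VAL_RANGE) -> None:
        self._members = list(members)
        self._max = max_val_range

    def read(self, descriptor: str) -> Dict[str, List[str]]:
        attr, low, high = parse_descriptor(descriptor)
        if attr.lower() != "member":
            raise KeyError(attr)
        total = len(self._members)
        if total == 0:
            return {}                       # empty group: the attribute is simply absent
        low = low or 0
        if low >= total:
            raise OperationsError(f"range starts at {low}, only {total} values exist")
        # never hand back more than max_val_range values in one response
        wanted_last = total - 1 if high is None else min(high, total - 1)
        last = min(wanted_last, low + self._max - 1)
        chunk = self._members[low:last + 1]
        if descriptor == attr and total <= self._max:
            return {attr: chunk}            # everything fit: plain attribute, no range option
        # a '*' upper bound marks the final slice; a number means more values follow
        upper = "*" if last == total - 1 else str(last)
        return {f"{attr};range={low}-{upper}": chunk}


def naive_member_count(server: FakeDirectoryServer) -> Tuple[int, bool]:
    """What a tool that reads `member` once sees: (count, truncated). The count is
    incomplete exactly when the server rewrote the descriptor to carry a range."""
    response = server.read("member")
    if not response:
        return 0, False
    (descriptor, chunk), = response.items()
    return len(chunk), descriptor != "member"


def read_all_values(server: FakeDirectoryServer, attr: str, step: int = 1000) -> List[str]:
    """Range retrieval: ask for `step` values at a time, advance from the upper
    bound the server returned, and stop when that bound is '*'."""
    values: List[str] = []
    low = 0
    while True:
        response = server.read(f"{attr};range={low}-{low + step - 1}")
        if not response:
            break                           # attribute absent: nothing to collect
        (descriptor, chunk), = response.items()
        _, _, high = parse_descriptor(descriptor)
        values.extend(chunk)
        if high is None:                    # '*' (or a plain attribute): final slice
            break
        low = high + 1
    return values


if __name__ == "__main__":
    # constructed sample: a 2500-member group, well past the per-read ceiling
    big = [f"CN=user{i:04d},OU=Staff,DC=example,DC=test" for i in range(2500)]
    dc = FakeDirectoryServer(big)
    print("single read:", naive_member_count(dc))           # (1000, True)
    print("ranged read:", len(read_all_values(dc, "member")))  # 2500
```

Because the loop trusts the returned bound, it also works when the client's step is larger than the server's ceiling: the server simply answers with a narrower range and the next request starts where that one ended.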
 

Terry E Dow

Richard,

Thanks for your quick response.

The purpose of this Active Directory administration tool was to build a
list of security/distribution groups within a domain, and return metrics
like the membership count. The administrators can use this report to clean
up their domain.

Thank you very much for your example code EnumGroup2.vbs. I can see that
you are using the RANGE flags in your LDAP query, and grabbing a 1000 at a
time. Unfortunately, unless you know otherwise, Visual Studio .Net 2003
System.DirectoryServices namespace does not natively support that particular
option. I'm writing this in C#, and everything was going so well, until I
ran into this limit. Odd that LDIFDE has the same limitation, and the
developers did not use your solution to get around it.

Perhaps I can mix your LDAP query syntax with C# via another provider than
ADSI or System.DirectoryServices.

--
Terry E Dow

Richard Mueller said:
Hi,

You don't say what you are trying to do, or in what language, but in
VBScript you can use ADO and Range Limits to retrieve more than 1000 entries
in a multi-valued attribute, like the "member" attribute of a group object.
I have a sample VBScript program to enumerate group membership that uses
this technique linked on this page:

http://www.rlmueller.net/DocumentLargeGroup.htm

The technique is also described in Microsoft's "Windows 2000 Scripting
Guide", but the example is incomplete as it raises errors if there are fewer
than 1000 members left to retrieve.

As far as I know, there are not settings on the server to overcome this
limitation. I hope this helps.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
Terry E Dow said:
Howdy,

I am having trouble with the objectCategory=group member.Count attribute.
I get one of three counts, a number between 1-999, no member (does not
contain member property), or 0. Using LDIFDE as a comparison I get the same
results. No members means just that, an empty group. Zero means that the
DirectorySearcher.SizeLimit has been exceeded.
http://msdn.microsoft.com/library/e...vicesDirectorySearcherClassSizeLimitTopic.asp
states:
...
Property Value
The maximum number of objects the server returns in a search. The
default
 

Richard Mueller [MVP]

Does Joe Kaplan's solution for .NET, posted after mine, help?

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
Terry E Dow said:
Richard,

Thanks for your quick response.

The purpose of this Active Directory administration tool was to build a
list of security/distribution groups within a domain, and return metrics
like the membership count. The administrators can use this report to clean
up their domain.

Thank you very much for your example code EnumGroup2.vbs. I can see that
you are using the RANGE flags in your LDAP query, and grabbing a 1000 at a
time. Unfortunately, unless you know otherwise, Visual Studio .Net 2003
System.DirectoryServices namespace does not natively support that particular
option. I'm writing this in C#, and everything was going so well, until I
ran into this limit. Odd that LDIFDE has the same limitation, and the
developers did not use your solution to get around it.

Perhaps I can mix your LDAP query syntax with C# via another provider than
ADSI or System.DirectoryServices.

--
Terry E Dow

Richard Mueller said:
Hi,

You don't say what you are trying to do, or in what language, but in
VBScript you can use ADO and Range Limits to retrieve more than 1000 entries
in a multi-valued attribute, like the "member" attribute of a group object.
I have a sample VBScript program to enumerate group membership that uses
this technique linked on this page:

http://www.rlmueller.net/DocumentLargeGroup.htm

The technique is also described in Microsoft's "Windows 2000 Scripting
Guide", but the example is incomplete as it raises errors if there are fewer
than 1000 members left to retrieve.

As far as I know, there are not settings on the server to overcome this
limitation. I hope this helps.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net