AD LDAP query sometimes fails to return group members

  • Question

  • Hi!

    I need some help with Active Directory and LDAP query results.

    We use .NET and the DirectorySearcher class to launch LDAP queries. Everything has worked fine for quite a few months now; users and groups (including member GUIDs) are all retrieved correctly, tested and used on many ADs.

    But: One of our users reported that the most important group he wanted to observe is always reported empty. The group actually has thousands of members. (For all other groups it works fine, they are reported with correct member list on the same machine.)

    The only difference we have found so far is that they use Windows Server 2008, while we officially support (and test with) Windows Server 2013+. Is it possible that there is a difference for big groups between WS2013 and WS2008 in LDAP results?

    (The problematic group is otherwise a normal security group with real, directly added members; it is not set as the primary group for any users, etc. Extended features, paging and scope are all set on DirectorySearcher and work fine elsewhere.)

    Thanks in advance.

    Friday, December 9, 2016 9:12 PM

Answers

  • If you are retrieving the member attribute of the group, some methods fail if there are more than 1500 entries in this multi-valued attribute. The limit was increased from 1000 to 1500 in Windows Server 2003, but I am not aware of further changes in Windows Server 2012 or later. But as I recall, you should get 1500 values before an error is raised. Maybe I am wrong on that point.

    If this is the problem, the fix is to use range retrieval. Another option is to query for all objects where the memberOf attribute includes the DN of the group. The latter method does not have the 1500 limitation (as long as paging is enabled), as it only applies to retrieval of multi-valued attributes (not filtering).

    Edit: Documentation on range retrieval:

    https://msdn.microsoft.com/en-us/library/aa367017%28v=vs.85%29.aspx

    Edit: This article may also apply. New limits were introduced in Windows Server 2008, such as MaxValRange of 5000.

    https://support.microsoft.com/en-us/kb/2009267

    But per the article, range retrieval should overcome the limitation.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)



    • Edited by Richard Mueller MVP Friday, December 9, 2016 10:09 PM
    • Marked as answer by hevizi Friday, December 9, 2016 11:46 PM
    Friday, December 9, 2016 9:44 PM
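Range retrieval as described in the answer above, as an added Python example that is not from this thread and not .NET DirectorySearcher code: the domain controller is replaced by a constructed in-memory stand-in (`FakeDirectory`, hypothetical) that enforces an assumed MaxValRange of 1500, and `fetch_all_values` shows the `member;range=N-*` request/response cycle a client must walk until the server answers with an upper bound of `*`.

```python
import re
from typing import Dict, List, Tuple

# Assumed default MaxValRange; the KB article linked above documents the limits.
MAX_VAL_RANGE = 1500

# Parses an attribute description such as "member;range=1500-2999" or "member;range=3000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


class FakeDirectory:
    """Constructed stand-in for a domain controller's single-attribute read.
    It enforces MaxValRange the way AD does for 'member' (hypothetical helper)."""

    def __init__(self, members: List[str], max_val_range: int = MAX_VAL_RANGE) -> None:
        self.members = members
        self.max_val_range = max_val_range

    def read(self, attr_desc: str) -> Dict[str, List[str]]:
        m = RANGE_RE.match(attr_desc)
        base = m.group("attr") if m else attr_desc
        lo = int(m.group("lo")) if m else 0
        chunk = self.members[lo:lo + self.max_val_range]
        last = lo + len(chunk) >= len(self.members)
        if m is None and last:
            return {base: chunk}  # small group: everything fits under the plain name
        # Oversized: the server rewrites the upper bound, "*" marking the final chunk.
        hi = "*" if last else str(lo + len(chunk) - 1)
        return {f"{base};range={lo}-{hi}": chunk}


def fetch_all_values(directory: FakeDirectory, attr: str = "member") -> Tuple[List[str], int]:
    """Range retrieval: request attr;range=N-* repeatedly until the server
    answers with an upper bound of '*'. Returns (values, round_trips)."""
    values: List[str] = []
    lo, round_trips = 0, 0
    while True:
        resp = directory.read(f"{attr};range={lo}-*")
        round_trips += 1
        # The key comes back with the server-chosen range, so match on the base name.
        key = next(k for k in resp if k.split(";")[0].lower() == attr.lower())
        values.extend(resp[key])
        m = RANGE_RE.match(key)
        if m is None or m.group("hi") == "*":
            return values, round_trips
        lo = int(m.group("hi")) + 1


if __name__ == "__main__":
    big = FakeDirectory([f"CN=user{i},OU=Staff,DC=example,DC=com" for i in range(3700)])
    print(list(big.read("member")))  # ['member;range=0-1499']: a plain read has no 'member' key
    members, trips = fetch_all_values(big)
    print(len(members), trips)  # 3700 3
```

A client that only looks for the plain `member` key on the oversized group sees no values at all, which is the symptom reported in the question; the ranged loop returns every member in three round trips.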

All replies

  • Thank you, Richard; it seems your answer and the articles you referred to help me to move forward.
    Friday, December 9, 2016 11:46 PM