title: Active Directory - Supersonic and the directory searcher
description: Active Directory LDAP has a limitation of returned values for searches. Here is a way to get around this problem, without touching any domain specific configurations
slug: active-directory-searcher-limitations
date: "2011-10-09T23:05:07+00:00"
#image: aaa.jpg

tags:

  • “1000”
  • active-directory
  • directorysearcher
  • limit
  • objsearch
  • pagesize
  • powershell

What's the difference between supersonic and the directory searcher? Nothing, because if you get over ~1000 you crash into a wall. :) Last week we had to deal with the limitations of the directory searcher. We performed a user search on an organizational unit (subtree) with more than 1000 users beneath it. We were astonished that our user object contained only 1000 items every time we ran the search. I wrote a little test script in PowerShell to reproduce this behaviour and to see whether this limitation is a C# problem or not.

So I wrote this script:


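import-module activedirectory

$intCounter = 0

# A DirectoryEntry without a path binds to the current domain as the logged-on user
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = ("(objectclass=user)")
# pagesize is left at its default of 0 (no paging), so the result stops at 1000 entries
$colResults = $objSearcher.FindAll()

foreach ( $objResult in $colResults ) {$intCounter = $intCounter + 1}
write-host "Found $intCounter entries"

# Release the unmanaged resources held by the result collection
$colResults.Dispose()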

As expected, PowerShell returned only 1000 objects. We then tried to find out why and looked at the property list of $objSearcher.

$objSearcher | get-member

[Screenshot: output of $objSearcher | get-member]

As you can see, there are two interesting properties: sizelimit and pagesize. So I played around with these two properties and found some explanations for them. Sizelimit is the limit for the maximum number of returned results, but you can't set this property above 1000. So I looked at the second property, pagesize. This property sets the maximum number of result items per returned page. So all you have to do is set sizelimit to 0 and pagesize to 1000, and you will get all of your items.

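import-module activedirectory

$intCounter = 0

# A DirectoryEntry without a path binds to the current domain as the logged-on user
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
# sizelimit 0 = no client-side cap on the total number of results
$objSearcher.sizelimit = 0
# pagesize > 0 switches on paging: results are fetched in pages of up to 1000 entries
$objSearcher.pagesize = 1000
$objSearcher.Filter = ("(objectclass=user)")
$colResults = $objSearcher.FindAll()

# Enumerating the collection pulls the following pages from the server as needed
foreach ( $objResult in $colResults ) {$intCounter = $intCounter + 1}
write-host "Found $intCounter entries"

# Release the unmanaged resources held by the result collection
$colResults.Dispose()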

If you set pagesize to 1000 and expect more than 1000 returned items, Active Directory returns your first 1000 items, then pauses for a split second and returns the next x items, and so on until all found items are returned. This property has an appreciable impact on the duration of your search.
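The page-by-page exchange described above, written out with the LDAP paged-results control from System.DirectoryServices.Protocols. This is an added example, not code from the original post. The function name Get-LdapPagedCount and its parameters are hypothetical, and it assumes a domain-joined machine and the current user's credentials.

```powershell
# Added example: function name and parameters are illustrative, not from the post.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapPagedCount {
    param(
        [string]$Filter   = '(objectclass=user)',   # same filter as the scripts above
        [int]   $PageSize = 1000,                   # entries requested per page
        [string]$Server   = $env:USERDNSDOMAIN,     # assumption: domain-joined machine
        [string]$BaseDn   = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        # Ask only for the DN so each page stays small
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDn, $Filter, $scope, [string[]]@('distinguishedName'))

        # The paged-results control tells the server to hand back one page at a time
        $pageCtl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
        [void]$req.Controls.Add($pageCtl)

        $pages = 0
        $total = 0
        do {
            $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
            $pages++
            $total += $resp.Entries.Count

            # The response control carries an opaque cookie marking where the next page starts
            $respCtl = $resp.Controls | Where-Object {
                $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
            if (-not $respCtl) { break }          # server did not page: nothing more to fetch
            $pageCtl.Cookie = $respCtl.Cookie     # send the cookie back to get the next page
        } while ($pageCtl.Cookie.Length -gt 0)    # an empty cookie means the last page was sent

        [pscustomobject]@{ Filter = $Filter; Pages = $pages; Total = $total }
    }
    finally {
        $conn.Dispose()
    }
}

Get-LdapPagedCount
```

A Pages value greater than 1 shows the result set spanned several round trips, which is the case where an unpaged search stops at 1000 and any report built on it is silently incomplete.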

After some research I found some tutorials on how to raise these limits in Active Directory, but I don't know what impact such a change would have, so I can live with the pagesize property ;)

Licensed under CC BY-NC-SA 4.0