LDAP Query only returning 1000

[GarethColes]

Afternoon All,

I'm fairly sure I'm being a bit daft about this one but I'm stumped so here we go.

I've got a script which we use to pull out lists of members of AD Groups. The problem is that we have some groups which have more than 1000 users in them and these are being truncated to only display 1000 users.

The code for this part of the script is
---------
do while oRS.EOF <> True

dim i

LeftGroup = Left(oRS.Fields("cn"), len(Match))

If Ucase(LeftGroup) = UCase(Match) Then
Set Group = GetObject("LDAP://CN=" & oRS.Fields("cn") & ", " & ADLocn)
WScript.Echo "LDAP://CN=" & oRS.Fields("cn") & ", " & ADLocn
For Each Item in Group.Member
i= i+1
Set User = GetObject("LDAP://" & item)
Name1 = Split(User.userPrincipalName, "@")
Name2 = Name1(0) & ";"
Output.WriteLine Name2
WScript.Echo Name2

Next

wscript.echo "i IS : " & i
End If

oRS.MoveNext

Loop
------------

I know that using RecordSets you can get back more than 1000 results, but how do I get the Group.Member bit to show all the results?

Is it possible to use a SQL command to get this back, in which case I could use a RecordSet and I'd be sorted?

Any help would be greatly appreciated.

Thanks

Gareth

 

[mrmovie]

i think it is something to do with the LDAP provider you are using.
by default when i guery ad and get a RS back i only get 1000 records unless i tell it otherwise.

i would try using the WinNT provider instead

GetOBject("WinNT://" & domain & "/" & groupname & ",group")

i think this might work.

if not, (i know its not as efficient) but you could bind to each user object and build your own collect/array/dictionary of group & user,,,silly suggestion perhaps

 

[billieT]

mrmovie is somewhat right, by default an AD query will only return 1000 records. But there is a workaround which will return multiple "pages" of 1000 records.

Here's the fix and discussion on the MS site:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug04/hey0824.mspx

 

[tsuji]

Hello GarethColes,

To overcome the limit using ado range, you can check out R Mueller's demo script enumgroup2 at

http://www.rlmueller.net/DocumentLargeGroup.htm

regards - tsuji

 

[CmdrKitsune]

I'd use the ADODB method of getting to the data. I routinely have to query on 50000+ objects. By adding the "Size Limit" property, I'm able to query all objects and get the full return.

Const ADS_SCOPE_SUBTREE = 8

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")

objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCOmmand.ActiveConnection = objConnection

objCommand.CommandText = _
"SELECT member " _
& "FROM 'LDAP://DC=mycompany,DC=com' " _
& "WHERE objectCategory='group' AND cn='mygroup'"

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 300
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
objCommand.Properties("Size Limit") = 75000

Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
arrMemberOf = objRecordSet.Fields("member").Value
For Each strMember in arrMemberOf
Set User = GetObject("LDAP://" & strMember)
Name1 = Split(User.userPrincipalName, "@")
Name2 = Name1(0) & ";"
WScript.Echo Name2
Next
objRecordSet.MoveNext
Loop

WScript.Quit

 

[billieT]

CmdrKitsune, that's almost exactly what it says in the Microsoft column I referenced above, except they say that the magic is in specifying Page Size rather than Size Limit (since the size is able to be unlimited