Beyond Active Directory’s Query Limitations

Active Directory’s Query Limitations

Active Directory has a limit on the number of values it will return from a query on a multi-valued attribute. A query on a large group's "member" attribute, for example, will yield a maximum of 1500 values. If you Google "active directory 1500 query limit" you'll see plenty of results discussing this limit. It is possible to raise the limit via group policy settings, but this is not recommended: larger result sets mean queries that routinely drive your domain controller to high CPU usage.

Range Retrieval is One Way Around This

To get around this limitation in Active Directory, one can use range retrieval, which Microsoft documents here: https://msdn.microsoft.com/en-us/library/Aa367017 . With this technique you request the multi-valued attribute one range of values at a time, issuing the ranged queries from an outer loop until the entire list has been read.

Using System.DirectoryServices.Protocols

A better-performing alternative is to use System.DirectoryServices.Protocols. Its faster performance comes from being a thinner abstraction over LDAP. It is also your best chance on Windows to stay LDAP-directory independent, that is, not tied to Active Directory. In this environment, paged search is the way to run large queries; it is described in this excellent overview from Microsoft: https://msdn.microsoft.com/en-us/library/bb332056.aspx?f=255&MSPPError=-2147217396 . You can control the number of pages you want returned and the size of each page (up to the limit set by your group policy settings).
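As an added example (not code from the original post), the PowerShell script below uses System.DirectoryServices.Protocols to read a large group's member attribute with the range retrieval described above, walking the ranges the domain controller returns until the last one. The server name, group DN and the 1500-value step are assumptions to adapt to your environment.

```powershell
# Added example: read every value of a large group's "member" attribute with
# System.DirectoryServices.Protocols by walking ranges, as the MSDN article
# describes. Server name, group DN and the 1500-value step are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-AllGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $Server,   # e.g. 'dc01.example.test' (assumed)
        [Parameter(Mandatory)] [string] $GroupDn,  # distinguished name of the group
        [int] $Step = 1500                         # matches the default per-query limit
    )

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # binds with the current Windows credentials
    try {
        $members = New-Object System.Collections.Generic.List[string]
        $low = 0
        while ($true) {
            # Ask the DC for one slice of the attribute: "member;range=low-high".
            $requested = "member;range=$low-$($low + $Step - 1)"
            $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $GroupDn, '(objectClass=*)',
                [System.DirectoryServices.Protocols.SearchScope]::Base,
                [string[]] @($requested))
            $resp = [System.DirectoryServices.Protocols.SearchResponse] $conn.SendRequest($req)
            if ($resp.Entries.Count -ne 1) { throw "Object not found: $GroupDn" }
            $entry = $resp.Entries[0]

            # The DC renames the attribute to the range it actually returned
            # (it may be smaller than requested); the final slice ends in "*".
            $returned = $entry.Attributes.AttributeNames |
                Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
            if (-not $returned) { break }   # no values at all (empty group)
            foreach ($dn in $entry.Attributes[$returned].GetValues([string])) {
                $members.Add($dn)
            }
            if ($returned.EndsWith('*')) { break }
            # Continue from one past the high bound the DC reported, not the one we asked for.
            $low = [int]($returned -replace '^member;range=\d+-', '') + 1
        }
        return $members.ToArray()
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (assumed names): Get-AllGroupMembers -Server 'dc01.example.test' -GroupDn 'CN=Big Group,OU=Groups,DC=example,DC=test'
```

Because the loop advances from the upper bound the domain controller actually returned, it still terminates correctly when the server's configured range limit is lower than the requested step.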