Well, the long and short of it is that by default Microsoft caps Active Directory searches at 1000 objects. This means that if you are attempting to read a large domain, you won't be able to get it all at once.
There are two ways to address this. One is to modify the search limit in the Active Directory container properties; of course, only a domain admin or above can do this, so it is not a great option if you are a developer with no control over the AD side of things. The second way is to add a key to the registry. Now, I found this information on another website, but I don't seem to have the URL. I did find an additional way to make this work.
The article references changing the HKEY_CURRENT_USER.... hive. While this would affect the current user, it does not necessarily affect the user that ASP.NET runs as when accessing AD. Yes, you could find that user and modify the key, but why do that? For us, our web servers are the ones accessing AD. What we found is that if you add the following to the HKEY_LOCAL_MACHINE.... hive, it works just as well and will be good for anything running on that machine.
As you can imagine, this information is provided as just that. I/we take no responsibility for any damages arising from use of this or any other information on this site. Do NOT use this in production environments, etc....
Start regedit.
Go to the HKEY_CURRENT_USER\Software\Policies\Microsoft registry entry.
From the Edit menu, select New, Key.
Enter "Windows".
Select the Windows key, and from the Edit menu, select New, Key.
Enter "Directory UI".
Go to the Directory UI key, and from the Edit menu, select New, DWORD Value.
Enter "QueryLimit" and press Enter.
Double-click the new value, and set the decimal value.
Click OK.
Close the registry editor.
An example of code is below:
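' Requires: Imports System.DirectoryServices
' This is the body of a function that returns a SearchResultCollection.
' strRootForest, LoadProps, ADsFilter and SetADsSecurity are defined elsewhere in the calling code.
Dim root As New DirectoryEntry(strRootForest)
SetADsSecurity(root)
Dim searcher As New System.DirectoryServices.DirectorySearcher(root)
' Requested total result limit and page size.
searcher.SizeLimit = 5000
searcher.PageSize = 1000
' Give long searches up to ten minutes on the client and on the server.
searcher.ClientTimeout = System.TimeSpan.FromMinutes(10)
searcher.ServerTimeLimit = System.TimeSpan.FromMinutes(10)
searcher.ServerPageTimeLimit = System.TimeSpan.FromMinutes(10)
' Search the whole subtree under the root and follow referrals.
searcher.SearchScope = SearchScope.Subtree
searcher.ReferralChasing = ReferralChasingOption.All
' Load only the listed properties and apply the LDAP filter.
searcher.PropertiesToLoad.AddRange(LoadProps)
searcher.Filter = ADsFilter
' The caller should dispose the returned collection when finished with it.
Dim search As SearchResultCollection = searcher.FindAll()
Return search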
Now, no matter what you set searcher.SizeLimit to, if you set it above the AD or registry key search limit, the setting does not do anything. You are still limited to the AD or registry key limit. So, in conclusion, the SizeLimit property is only usable if it is set to the same as or less than the current AD or registry key search limit.
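The module below is an added example, not code from the original post: it runs a search and flags a result count that lands exactly on the effective limit, which is the usual sign that the directory stopped early and the list is incomplete. The LDAP path, the filter, the function names and the AssumedCap constant (the 1000-object default described above) are assumptions made for illustration.

```vbnet
Imports System
Imports System.DirectoryServices

Module QueryLimitCheck
    ' Assumption: the cap in force is the 1000-object default described in the post.
    ' Change this if the AD or registry limit has been raised.
    Const AssumedCap As Integer = 1000

    ' The limit that actually applies: a SizeLimit of 0 or one above the cap
    ' falls back to the cap, a smaller SizeLimit applies as requested.
    Function EffectiveLimit(requestedLimit As Integer, cap As Integer) As Integer
        If requestedLimit <= 0 OrElse requestedLimit > cap Then Return cap
        Return requestedLimit
    End Function

    ' Runs the search and returns the number of results. possiblyTruncated is set
    ' when the count reaches the effective limit, meaning more objects may exist.
    Function CountWithTruncationCheck(rootPath As String, filter As String,
                                      requestedLimit As Integer,
                                      ByRef possiblyTruncated As Boolean) As Integer
        Using root As New DirectoryEntry(rootPath)
            Using searcher As New DirectorySearcher(root)
                searcher.Filter = filter
                searcher.SearchScope = SearchScope.Subtree
                searcher.SizeLimit = requestedLimit
                searcher.PropertiesToLoad.Add("distinguishedName")
                ' SearchResultCollection holds unmanaged resources, so dispose it.
                Using results As SearchResultCollection = searcher.FindAll()
                    Dim count As Integer = results.Count
                    possiblyTruncated = count >= EffectiveLimit(requestedLimit, AssumedCap)
                    Return count
                End Using
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed sample values; replace with your own domain path and filter.
        Dim truncated As Boolean
        Dim found As Integer = CountWithTruncationCheck(
            "LDAP://DC=example,DC=com", "(objectCategory=person)", 5000, truncated)
        Console.WriteLine("Returned {0} objects", found)
        If truncated Then Console.WriteLine("Count sits on the limit; results may be incomplete.")
    End Sub
End Module
```

A count that equals the limit can also mean the directory holds exactly that many matches, so treat the flag as a prompt to narrow the filter or check the configured limit rather than as proof of missing data.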
Whew! It took a while but thought I would share so you may be able to not go through the headache I did on this. ;)