Increasing the number of objects returned in a single LDAP query

by Shijaz Abdulla on 09.10.2008 at 16:33

By default, Windows returns a maximum of 1000 objects in response to a single LDAP query. This becomes a limitation when you have more than 1000 objects in your Active Directory and you are running some kind of script that does a bulk import of objects (user accounts and/or computers) from Active Directory.

Some applications like Adobe Connect also require such bulk imports. If you find that the number of user accounts imported from Active Directory is exactly 1000 when you are sure there are more, it's time to take a look at this.

The 1000-object limit is governed by the MaxPageSize LDAP administration limit, which is defined using NTDSUTIL. To increase the value:

  1. Open Command Prompt on a domain controller, logged in as domain administrator.
  2. Type NTDSUTIL and press ENTER.
  3. In the ntdsutil: prompt, type ldap policies
  4. In the ldap policy: prompt, type connections
  5. In the server connections: prompt, type connect to server <FQDN of domain controller>
  6. Once you are connected, type q to come back to the ldap policy: prompt.
  7. If you type show values, you can see the current value for the administration limits, including the MaxPageSize limit.
  8. To change the value to allow up to 30,000 objects to be returned in a single LDAP query, type set MaxPageSize to 30000
  9. You can view your changes by typing show changes. Note that the new values appear in brackets, because you have not yet committed your changes.
  10. To commit changes type commit changes
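The ntdsutil steps above raise the limit server-wide, for every client of that domain controller. The other way to get more than 1000 objects back is to let the client page through the results, which works against the default MaxPageSize of 1000 and needs no change on the DC. The PowerShell below is an added example, not code from the original post: it reads the current MaxPageSize from the default LDAP query policy (the same value step 7's show values prints; the policy DN and the lDAPAdminLimits attribute are the standard AD locations and are assumed here) and then runs a paged search through ADSI. It assumes it is run on a domain-joined Windows host by a user who can read the domain, and the DC=example,DC=local search base is a placeholder to replace with your own domain.

```powershell
# Added example (not from the original post): inspect MaxPageSize and query AD with
# client-side LDAP paging so that more than 1000 results come back without raising the limit.
# Assumptions: domain-joined host, a user able to read the domain, placeholder search base.
Add-Type -AssemblyName System.DirectoryServices   # .NET ADSI wrapper (normally already loaded)

function Get-MaxPageSize {
    # Reads MaxPageSize from the default LDAP query policy in the Configuration partition.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $configNc = [string]$rootDse.Properties["configurationNamingContext"][0]
    $policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $policy   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$policyDn")
    # lDAPAdminLimits is multi-valued, each entry looks like "MaxPageSize=1000"
    foreach ($limit in $policy.Properties["lDAPAdminLimits"]) {
        if ($limit -like "MaxPageSize=*") { return [int]($limit -split "=")[1] }
    }
    return $null
}

function Get-AdUsersPaged {
    param(
        [string]$SearchBase = "LDAP://DC=example,DC=local",               # placeholder, replace with your domain
        [string]$Filter     = "(&(objectCategory=person)(objectClass=user))",
        [int]$PageSize      = 1000                                         # must not exceed the DC's MaxPageSize
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    # A non-zero PageSize makes ADSI send the LDAP paged-results control and fetch
    # page after page; with PageSize = 0 the search stops at MaxPageSize objects.
    $searcher.PageSize = $PageSize
    $searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "distinguishedName"))
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                SamAccountName    = [string]$r.Properties["samaccountname"][0]
                DistinguishedName = [string]$r.Properties["distinguishedname"][0]
            }
        }
    } finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged handles
    }
}

$limit = Get-MaxPageSize
"Current MaxPageSize on this DC: $limit"
$users = @(Get-AdUsersPaged -PageSize ([Math]::Min(1000, $limit)))
"Paged search returned $($users.Count) user objects"
```

If the unpaged count in your import tool is exactly the MaxPageSize value printed here, the tool is hitting the limit described in this post; switching the tool to paged queries (the first comment below notes Adobe Connect now does this) fixes the import without widening what any single LDAP request can pull from the DC.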

ntdsutil


3 Responses to Increasing the number of objects returned in a single LDAP query

  1. Anonymous says:

    Hi

    2 notes here:

    1. Connect has been updated. The last 2 versions support LDAP paging, so that query results >1000 users can be supported without tweaking this setting.

    2. Our company's IT dept was advised by Microsoft that in the case of Active Directory, it is *not* recommended to increase this number >1000, as other apps may break.

  2. EhabT says:

    Never noticed nor cared whether LDAP can return more than 1000 objects, because the domains I administered were smaller than that.
    Anyway, I opened my virtual server (used for testing only) and created the following batch:
    __________________
    @echo off
    rem Creates more than 1000 test accounts in a test group so an unpaged LDAP query hits the MaxPageSize limit.
    set NUMBER_OF_ACCOUNTS=1010
    set BASE_NAME=EhabT
    set PASSWORD=p@ssw0rd123
    net group TestingGroup /comment:"This group is made just for testing" /add /domain
    rem %%G is the loop counter inside a batch file; each pass creates one user and adds it to the group.
    FOR /L %%G IN (1,1,%NUMBER_OF_ACCOUNTS%) DO (
    net user %BASE_NAME%%%G %PASSWORD% /ADD /domain
    net group TestingGroup %BASE_NAME%%%G /ADD /DOMAIN
    )
    ____________________

    This batch I made for anybody who is willing to test and see the MaxPageSize results before and after changing its default value.

    Again, thanks for your great shares, buddy.

  3. I wrote a C++ app that sets permissions on the users home folders to how we needed them done. In this case I had 1700 users. So, my app was only seeing the first 1000.

    This worked extremely well for what I needed.

    Keep up the great work!
