In large environments Active Directory holds a very large number of objects. Third-party applications query these objects via LDAP (for example to verify users), but sometimes such a query returns a size-limit error and not all objects are returned.
This behavior can have either of two causes, or both:
- Client settings: the client used to query the LDAP directory has its own result size limit. The value depends on which client is used.
- LDAP server settings: by default Microsoft Active Directory limits a query to 1000 objects per request (the MaxPageSize value of the LDAP query policy).
The setting in Active Directory can be changed in several ways, for example with the NTDSUtil.exe utility or with the ADSI Edit snap-in.
The following LDAP entry needs to be changed.
CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=YOUR_COMPANY, DC=YOUR_COMPANY_TLD
When using NTDSUtil.exe, type the following:
connect to server servername
set maxpagesize to 5000
The setting is immediately effective. If you have multiple sites you may need to force replication.
When using the ADSI Edit snap-in, connect to the Configuration naming context. Go to the LDAP entry given above and view the properties of CN=Default Query Policy. The following screen will appear:
Double-click on lDAPAdminLimits. Click on MaxPageSize and remove the entry. Change the entry as shown next:
Change the value of the entry to meet your needs, for example 3000. Click on Add and OK, and the entry is changed in Active Directory.
For more information on this subject see:
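As an added example (not part of the original article), the following PowerShell script first reads the current MaxPageSize from the Default Query Policy object named above, and then goes beyond the article by retrieving all user objects with the LDAP paged-results control (RFC 2696), so that a client that can page never hits the server limit and MaxPageSize does not need to be raised for it. The server name is a placeholder, and the script assumes the .NET System.DirectoryServices.Protocols assembly is available and the account can read the Configuration partition.

```powershell
# Added example; assumes a reachable domain controller and read access to the
# Configuration naming context. Replace the placeholder server name.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Scope = [System.DirectoryServices.Protocols.SearchScope]

$server = "dc01.example.com"   # placeholder domain controller name
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()

# Read the naming contexts from rootDSE so the DNs are not hard-coded.
$rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "", "(objectClass=*)", $Scope::Base,
    @("configurationNamingContext", "defaultNamingContext"))
$rootDse = $conn.SendRequest($rootReq).Entries[0]
$configNc  = $rootDse.Attributes["configurationNamingContext"].GetValues([string])[0]
$defaultNc = $rootDse.Attributes["defaultNamingContext"].GetValues([string])[0]

# 1. Read the current MaxPageSize from the Default Query Policy (lDAPAdminLimits
#    is multi-valued and holds "Name=Value" strings).
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNc"
$polReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $policyDn, "(objectClass=*)", $Scope::Base, @("lDAPAdminLimits"))
$limits = $conn.SendRequest($polReq).Entries[0].Attributes["lDAPAdminLimits"].GetValues([string])
$maxPageSize = [int](($limits | Where-Object { $_ -like "MaxPageSize=*" }) -split "=")[1]

# 2. Page through all user objects; each page stays within the server limit,
#    so the total number of objects is not capped by MaxPageSize.
$pageSize = [Math]::Min($maxPageSize, 1000)
$pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($pageSize)
$userReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $defaultNc, "(&(objectCategory=person)(objectClass=user))",
    $Scope::Subtree, @("sAMAccountName"))
$null = $userReq.Controls.Add($pageControl)

$total = 0
do {
    $page = $conn.SendRequest($userReq)
    $total += $page.Entries.Count
    # The server returns a cookie; an empty cookie means the last page was sent.
    $cookie = ($page.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
    $pageControl.Cookie = $cookie
} while ($null -ne $cookie -and $cookie.Length -gt 0)

"Server MaxPageSize = $maxPageSize; returned $total user objects in pages of $pageSize"
$conn.Dispose()
```

A client that cannot send the paged-results control is the case where the server-side MaxPageSize change described above is needed.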
How to view and set LDAP policy in Active Directory by using Ntdsutil.exe
MaxPageSize is set too high