Thanks, Brian.  I had finally got someone to point me to ntdsutil - now
I'm trying to make it work.  The various on-line things from Microsoft
aren't that informative.  But at least I now know where to look.



jj

John Thayer Jensen, System Administrator
Computing Service, School of Business
University of Auckland

Room 256, 15 Wynyard Street

voice: +64 9 373-7599 ext 87543
FAX: +64 9 373-7696
mobile: +64 21 049-7702
quickdial: 60001

http://staff.business.auckland.ac.nz/~j.jensen
-----Original Message-----
From: Johnson, Brian K [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 6 July 2004 2:15 p.m.
To: Jensen, John T; [EMAIL PROTECTED]
Subject: RE: Active Directory and LDAP sizelimit

Hi,

Windows 2000 AD has a default limit of 1000. I THINK you can change this
with the ntdsutil.exe utility on a domain controller. This utility can
be used to examine and set LDAP parameters in AD. I THINK that these
settings are global for your entire forest. The Q article:
http://support.microsoft.com/?kbid=271088 goes into detail as to how to
use this utility. http://www.jsiinc.com/SUBJ/tip4600/rh4678.htm explains
the units of the various AD LDAP parameters. Also, Active Directory
supports paged searches....which is what I do to retrieve more than 1000
objects. Using paged controls I routinely retrieve 20-30K objects via a
single query from my AD forest which has the default setting of 1000 for
MaxPageSize. 


-----Original Message-----
From: Jensen, John T [mailto:[EMAIL PROTECTED]
Sent: Monday, July 05, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: Active Directory and LDAP sizelimit

From:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtsksearchingactivedirectoryhierarchy.asp

"The maximum number of entries to return by setting the SizeLimit
property. 
Note   If the maximum number of returned entries and TimeLimit
properties exceed limitations set on the server, the server settings
will override the component settings."

If I set sizelimit in the Perl script to something LESS than 1000, that
works.  I get the smaller number of returns.  If I set it to anything
more, or to 0 (which is supposed to give unlimited returns), I can only
get 1000.

I believe Perl and Net::LDAP are working properly.  I think the problem
is this mysterious "limitations set on the server" that is stopping me.
And I can't figure out how to change that. 



jj

-----Original Message-----
From: Jensen, John T [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 6 July 2004 9:23 a.m.
To: [EMAIL PROTECTED]
Subject: RE: Scope=>'sub' not working??

Stranger and stranger.  I just did a comparison of the two searches.
The top-down one gets 265 out of 651 objects in the OU.  I am beginning
to suspect some limit on the number of returned objects allowed.  I seem
to recall once hitting a 1000-object limit on AD LDAP returns - which is
killing for ADs of our size. 



jj

-----Original Message-----
From: Jensen, John T
Sent: Tuesday, 6 July 2004 8:34 a.m.
To: [EMAIL PROTECTED]
Subject: Scope=>'sub' not working??

I'm trying to search the whole of our AD for computer objects (using the
Perl Net::LDAP module).  I just put in as searchbase:

my $searchbase='DC=com,DC=unet,DC=auckland,DC=ac,DC=nz';

Looking for computers so I put in:

my $filter="(&(objectclass=User)(objectcategory=computer))";

I do a search:

my $results=$ad->search(base=>$searchbase,filter=>$filter,attrs=>$attrs);

(scope=>'sub' is supposed to be the default, but I have also tried with:

my $results=$ad->search(base=>$searchbase,filter=>$filter,scope=>'sub',attrs=>$attrs);

)

I don't get everything.  If I put in a full OU:

my $searchbase='OU=Staff Computers,OU=COM Computers,DC=com,DC=unet,DC=auckland,DC=ac,DC=nz';

I get objects under that OU.  I haven't yet looked to see whether my
scope=>'sub' search gets some of those computers or not.  But I don't
want to look under a particular OU; I want to look in the whole AD - one
of the things I am looking for is computers that have got into the wrong
location. 



jj

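
Added example (not part of the original thread, and not code from either poster): the paged search Brian describes, written with Net::LDAP's paged-results control and the search base and filter from John's first message, listing computer objects that sit outside an expected OU. The server name, bind account, AD_PASSWORD environment variable and the choice of OU=COM Computers as the expected parent are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);

# Assumed placeholders: server name, bind account, password taken from the environment.
my $ad = Net::LDAP->new('ldaps://dc.example.invalid') or die "connect failed: $@";
my $bind = $ad->bind('reader@example.invalid', password => $ENV{AD_PASSWORD});
die 'bind failed: ' . $bind->error if $bind->code;

my $searchbase = 'DC=com,DC=unet,DC=auckland,DC=ac,DC=nz';          # from the thread
my $filter     = '(&(objectclass=User)(objectcategory=computer))';  # from the thread
my $expected   = 'OU=COM Computers,' . $searchbase;   # assumed correct parent OU

# Request pages no larger than the server's MaxPageSize (default 1000);
# the server hands back a cookie that resumes the same search.
my $page = Net::LDAP::Control::Paged->new(size => 500);
my @args = (base => $searchbase, scope => 'sub', filter => $filter,
            attrs => ['cn'], control => [$page]);

my $total = 0;
my @misplaced;
while (1) {
    my $mesg = $ad->search(@args);
    die 'search failed: ' . $mesg->error if $mesg->code;
    for my $entry ($mesg->entries) {
        $total++;
        push @misplaced, $entry->dn if $entry->dn !~ /,\Q$expected\E\z/i;
    }
    # The response control carries the cookie for the next page.
    my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
    my $cookie = $resp->cookie;
    last unless defined $cookie && length $cookie;   # empty cookie: last page
    $page->cookie($cookie);
}

print "$total computer objects found, ", scalar(@misplaced), " outside $expected\n";
print "  $_\n" for @misplaced;
$ad->unbind;
```

A total that stops at exactly 1000 with no error usually means the control was not honoured and the server's size limit applied instead.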

