LDAP queries only returning 1000 results
If you use open-source solutions within your organisation, the chances are that you are using LDAP to connect to your Windows Active Directory environment. LDAP is an open protocol that can be used to query directory services, Microsoft's Active Directory being just one.
In Windows Server 2008 and above, Microsoft have limited the number of results returned to LDAP queries. In Windows Server 2003, LDAP queries used to return unlimited results, but this can put a strain on servers in larger environments. Instead, Microsoft recommend using paged queries within your LDAP-enabled app, with each page of results limited to 5000 records.
The end result of this can be that you only see 1000 user records returned in your LDAP-enabled app instead of the thousands you may have. Fret not though: this can be resolved with a small tweak using ADSIEdit.
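Before touching the directory it is worth checking which limit the domain controller actually enforces and trying the paged query that Microsoft recommends, because a paged search returns the whole result set with no server-side change at all. The PowerShell below is an added example and not part of the original post; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory, and the 500-entry page size is an arbitrary choice.

```powershell
# Added example, not code from the original post. Reads the limits a DC enforces and
# then fetches every user with a paged search, which needs no server-side change.
# Assumes RSAT's ActiveDirectory module on a domain-joined host with read access.

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext

# MaxPageSize (1000 by default) is one of the "Name=Value" strings in lDAPAdminLimits
# on the Default Query Policy object in the Configuration partition.
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$limits   = (Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits).lDAPAdminLimits
$limits | Where-Object { $_ -match '^(MaxPageSize|MaxResultSetSize|MaxQueryDuration)=' }

# Paged search with System.DirectoryServices: setting PageSize attaches the Simple Paged
# Results control (RFC 2696) to each request, so the DC hands back the full set one page
# at a time instead of stopping at MaxPageSize. Keep the page no larger than MaxPageSize;
# the DC caps anything bigger.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainNC")
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')

$results = $searcher.FindAll()
try {
    "Users returned with paging: $($results.Count)"
} finally {
    $results.Dispose()   # releases the server-side handles held by the result collection
}

# The ActiveDirectory cmdlets page automatically; -ResultPageSize sets the page size.
"Users returned by Get-ADUser: $((Get-ADUser -Filter * -ResultPageSize 500 | Measure-Object).Count)"
```

If the paged count matches the number of users you expect, the application that only shows 1000 is not paging, and fixing that on the client side is the lower-risk route; the server-side tweak below affects every LDAP client in the forest.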
Removing the LDAP query limit
Do this at your own risk
- On your AD server, install ADSIEdit, which is part of the Remote Server Administration Tools feature, available via the Roles and Features tool on your server.
- Run ADSIEdit, right-click the ADSI Edit node and choose Connect To.
- From the "Select a well known naming context" drop-down, choose Configuration. Click OK.
- Right-click Directory Service, which can be found under CN=Configuration, CN=Services, CN=Windows NT. Choose Properties.
- Click dSHeuristics, and then click Edit. Change the value to 000000000100000001 and click OK.
- Lastly, either reboot the server or restart the "Active Directory Domain Services" service (also known as NTDS).
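Typing the literal value into ADSIEdit overwrites whatever dSHeuristics already holds, which silently discards any other flag an administrator set earlier. The PowerShell below is an added example (not from the original post) that makes the same change from a console but reads the current value first and only switches on the 18th character, the one that the post's value 000000000100000001 sets to 1, so existing flags survive. It assumes the ActiveDirectory module and rights to modify the Configuration partition; the Set-DsHeuristicChar function is my own name, not a Microsoft cmdlet. Because the Directory Service object lives in the Configuration partition, the edit replicates to every domain controller in the forest.

```powershell
# Added example, not code from the original post. Applies the post's dSHeuristics step
# while preserving any flags already present. Assumes the ActiveDirectory module and
# permission to write to the Configuration partition. Do this at your own risk.

Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$position = 18   # the character that the post's value 000000000100000001 turns on

function Set-DsHeuristicChar {
    # Hypothetical helper: returns a copy of $Current with the character at $Position
    # set to $Value, padding with '0' where the string is too short.
    param([string]$Current, [int]$Position, [char]$Value)

    $chars = $Current.PadRight($Position, '0').ToCharArray()

    # MS-ADTS requires every 10th character to carry its index (10 -> '1', 20 -> '2', ...);
    # a value that breaks this rule is rejected by the DC, so enforce it here.
    for ($i = 10; $i -le $chars.Length; $i += 10) {
        $chars[$i - 1] = [char]([string]($i / 10))
    }

    $chars[$Position - 1] = $Value
    return -join $chars
}

$obj    = Get-ADObject -Identity $dsDn -Properties dSHeuristics
$before = [string]$obj.dSHeuristics          # empty string when the attribute is unset
$after  = Set-DsHeuristicChar -Current $before -Position $position -Value '1'

"dSHeuristics before: '$before'"
"dSHeuristics after:  '$after'"

if ($after -ne $before) {
    # Add -WhatIf to preview the write without committing it.
    Set-ADObject -Identity $dsDn -Replace @{ dSHeuristics = $after }
    # As the post notes, the new value takes effect once NTDS restarts:
    # Restart-Service NTDS -Force   (or reboot the DC)
}
```

Starting from an empty attribute the function returns exactly the post's value, 000000000100000001; starting from an existing value such as 0000002 (the List Object setting in position 3) it returns 0000002001000000001, keeping that flag intact. If Directory Service Changes auditing is enabled, the write shows up as event 5136 on the DC that received it, which is the record to look for when reviewing who changed forest-wide LDAP behaviour.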