Can we limit the total number of search results returned?

Discussion in 'Active Directory' started by Eric Chamberlain, Apr 18, 2004.

  1. We have 40,000 users and don't want them to be able to pull all the e-mail
    addresses from AD. In iPlanet, we can limit the search results to 100
    records. Is there an equivalent setting we can configure on the domain
    controllers, without impacting normal functions?

    Users may be connecting via LDAP and paging. I see we can limit page
    results returned, but we want to limit the entire search results.

    Currently we can track abuses by logging expensive queries and long running
    queries, but we would rather be proactive than reactive.
     
    Eric Chamberlain, Apr 18, 2004
    #1
    1. Advertisements

  2. Eric Chamberlain

    Al Mulnick Guest

    There is a client side way to do that,
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;243281) but I was
    thinking there was a server side way to do the same via ntdsutil. What has
    me perplexed, is why you would want to do that.
    I mean, why are you putting email addresses in the directory if you don't
    want them read? Or is it just that you don't want the entire directory
    pulled down at one time (presumably, 100 at a time is OK?).

    Can you expand on why you would want to limit that number below the default
    10,000?
     
    Al Mulnick, Apr 18, 2004
    #2
    1. Advertisements

  3. It's called defaultPageSize or something like that - default is 1000 (hence
    the 1000 users/group thing in S.DS I think).

    --
    --
    Brian Desmond
    Windows Server MVP
    12.il.us

    Http://www.briandesmond.com
     
    Brian Desmond [MVP], Apr 19, 2004
    #3
  4. Hi,

    When using ADO to search AD, the Command object has a "Size Limit" property,
    which is the number of records the domain controller will return before
    completing the search. The default value is 1000. I was told by Microsoft
    that increasing this limit on the client would have no affect because a
    similar limit exists on the server. I was also told that the server-side
    policy can be adjusted, but it was not recommended to increase it as it
    affects performance.

    The article linked below describes a group policy setting:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;243281

    This article states that the default limit is 10,000 records. The help on
    the policy says the same. It sounds like this setting is what you want.
    Group Policy - User Configuration, Administrative Templates, Desktop, Active
    Directory - "Maximum size of Active Directory searches".
     
    Richard Mueller [MVP], Apr 19, 2004
    #4
  5. The previous replies do apply, but you have to realize if you want to
    protect your data, then the proper way of doing this is securing it
    appropriately.

    Page size affects only a single page size. If the client does a paged search
    (and any self-respecting client does), then they can pull all of your data
    page-by-page. We do not have the policy to limit the total number of entries
    returned by a paged search. Even if we did, they would be able to pull
    everything by running multiple searches like (username=a*), (username=b*),
    etc.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], Apr 19, 2004
    #5
  6. Thank you for confirming our research.

     
    Eric Chamberlain, Apr 21, 2004
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.