Can we limit the total number of search results returned?

We have 40,000 users and don't want them to be able to pull all the e-mail
addresses from AD. In iPlanet, we can limit the search results to 100
records. Is there an equivalent setting we can configure on the domain
controllers, without impacting normal functions?

Users may be connecting via LDAP and paging. I see we can limit page
results returned, but we want to limit the entire search results.

Currently we can track abuses by logging expensive queries and long running
queries, but we would rather be proactive than reactive.

 

There is a client side way to do that,
(http://support.microsoft.com/default.aspx?scid=kb;en-us;243281) but I was
thinking there was a server side way to do the same via ntdsutil. What has
me perplexed, is why you would want to do that.
I mean, why are you putting email addresses in the directory if you don't
want them read? Or is it just that you don't want the entire directory
pulled down at one time (presumably, 100 at a time is OK?).

Can you expand on why you would want to limit that number below the default
10,000?

 

It's called defaultPageSize or something like that - default is 1000 (hence
the 1000 users/group thing in S.DS I think).

--
--
Brian Desmond
Windows Server MVP
12.il.us

Http://www.briandesmond.com

 

Hi,

When using ADO to search AD, the Command object has a "Size Limit" property,
which is the number of records the domain controller will return before
completing the search. The default value is 1000. I was told by Microsoft
that increasing this limit on the client would have no affect because a
similar limit exists on the server. I was also told that the server-side
policy can be adjusted, but it was not recommended to increase it as it
affects performance.

The article linked below describes a group policy setting:

http://support.microsoft.com/default.aspx?scid=kb;en-us;243281

This article states that the default limit is 10,000 records. The help on
the policy says the same. It sounds like this setting is what you want.
Group Policy - User Configuration, Administrative Templates, Desktop, Active
Directory - "Maximum size of Active Directory searches".

 

The previous replies do apply, but you have to realize if you want to
protect your data, then the proper way of doing this is securing it
appropriately.

Page size affects only a single page size. If the client does a paged search
(and any self-respecting client does), then they can pull all of your data
page-by-page. We do not have the policy to limit the total number of entries
returned by a paged search. Even if we did, they would be able to pull
everything by running multiple searches like (username=a*), (username=b*),
etc.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

 

Thank you for confirming our research.