
10,000 Search Problem in W2K


Tim Julian

Jun 14, 2004, 4:38:19 PM
We have over 15,000 users in AD in W2K.

I need to do generic searches.

It blows up when it hits 10,000.

How can I overcome this barrier?

We are planning for up to 100,000 users.

Dmitri Gavrilov [MSFT]

Jun 14, 2004, 4:42:32 PM
What blows up?

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Tim Julian" <Tim.J...@hsc.utah.edu> wrote in message
news:u#feI#kUEHA...@TK2MSFTNGP10.phx.gbl...

Tim Julian

Jun 14, 2004, 5:17:33 PM
As I had previously stated, we have over 15,000 users.

When I click on the domain and say "find", I receive the following message:

X : "The number of objects found exceeds the maximum allowed. Please refine your search."

We have a billion OUs, and I need to search across the entire domain.

It always blows up at 10,000 users. (it counts while it is searching)

How can I fix this 10,000 object limit?

Simon Geary

Jun 14, 2004, 5:27:49 PM
The default search size is 10,000 but you can change this by following the
instructions in this kb. The Group Policy method is the best one to use.
http://support.microsoft.com/?id=243281

"Tim Julian" <Tim.J...@hsc.utah.edu> wrote in message

news:u%23feI%23kUEH...@TK2MSFTNGP10.phx.gbl...

Dmitri Gavrilov [MSFT]

Jun 14, 2004, 7:09:12 PM
Oh, I see. This "Find" dialog is certainly not the best way to manage your
users, especially when you have that many. Consider using the AD Users&Computers
snap-in, which allows browsing by OU as well as doing searches. Why would
you need to see the list of all of your users at once?

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Tim Julian" <Tim.J...@hsc.utah.edu> wrote in message

news:ekoNEUlU...@TK2MSFTNGP12.phx.gbl...

Tim Julian

Jun 15, 2004, 11:54:13 AM
Dmitri,

I need to quickly find the total number of users I have in a particular domain.

We have large amounts of users in many domains.

The number is very dynamic. Management asks for these numbers daily.

I will turn to the original question:

How do I turn off the 10,000 object limit in AD?

If you do not know, could you point me to someone who does?

Thanks for the support,

Let me know,

Tim Julian.

Tim Julian

Jun 15, 2004, 11:59:14 AM
This is exactly what we needed!

Thanks!

Dmitri Gavrilov [MSFT]

Jun 15, 2004, 12:16:32 PM
If you need to count the users, then you need to write a script that does
this. It should be pretty straight-forward to write one. Sorry, can't give
you a sample, I am not an ADSI guy. If you need one, post a request on
microsoft.public.active.directory.interfaces.

Also take a look at DSASTAT tool.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Tim Julian" <Tim.J...@hsc.utah.edu> wrote in message

news:#cFhDEvU...@tk2msftngp13.phx.gbl...

Joe Richards [MVP]

Jun 18, 2004, 9:41:49 AM
Oh, if you have more than say 1000 or so users in your domain, the GUI isn't the
place you should be, as it is mostly inefficient. You should be doing things on the
command line. Check out MS tools like DSQUERY, DSADD, DSRM, etc...

Also check out my web site for a bunch of free win32 tools. I have had several
jobs managing domains with a couple of hundred thousand users.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Al Mulnick

Jun 18, 2004, 10:10:55 AM
Additionally, having "a billion" OU's is not a best practice if they're too
deep. Makes things slower. You want to keep OU's to around 5 deep if you
can.

As Joe says, command line is much faster. I HIGHLY recommend ADFIND on his
website. It's been a good tool for me so far. :)

"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:%23SLRsmT...@TK2MSFTNGP09.phx.gbl...

Tim Julian

Jun 21, 2004, 4:44:14 PM
OK Joe,

I downloaded your adfind.

It is very austere to use.

The comments and the examples of use were, at best, lacking... (at least to a neophyte within the LDAP world)

How do I use adfind -c ....... to find all groups, or computers, or users within a domain called, say, dom1?

Also, what is a good reference for LDAP, that would start at the beginning to have good connectivity to AD?


Joe Richards [MVP]

Jun 27, 2004, 12:30:26 PM
Not so austere as most ldap query tools and more austere than others. It does
assume a knowledgeable admin. You will find it to be one of the more popular
Active Directory LDAP query tools out there due to its flexibility and
functionality in comparison to other command line tools such as dsquery,
ldapsearch, search.vbs, etc.

There are tons of books and web sites on LDAP; simply search the web. You can
actually look at the RFCs if you would like, and ADFIND specifies in the help the
RFCs that it follows. You can also check out

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/efficientadapps.asp


Focus on the LDAP queries and such, not the code. ADFIND does that stuff for you.


Basically with LDAP you have to specify a couple of things for a search.

Search Base: Where in the LDAP directory do you want to start your search.

Search Scope: How deep do you want to search. The scopes are:
Base: The base is the only object you want to check
One: Only check the child level of the base (basically everything one level below).
Subtree: Everything under the base.

Search Filter: What it is you want to find.

Attributes: What attributes to return. By default most tools will do * which
means everything the LDAP Server will by default return. There are usually
additional attributes that can be returned but you have to ask specifically for
them.

So if you want to find all groups in a domain called dom1, assuming the real
domain name is dom1.com you would do

adfind -b dc=dom1,dc=com -f "(objectcategory=group)"

This would dump all attributes of all group objects in your domain.

If you wanted to do the same for computers you would do

adfind -b dc=dom1,dc=com -f "(objectcategory=computer)"


If you wanted the same for users you would do

adfind -b dc=dom1,dc=com -f "(&(objectcategory=person)(objectclass=user))"


for contacts

adfind -b dc=dom1,dc=com -f "(&(objectcategory=person)(objectclass=contact))"


If you only wanted groups and group memberships

adfind -b dc=dom1,dc=com -f "(objectcategory=group)" member


This tells adfind to grab all groups and display the member attribute.


Note ADFIND has lots of other switches to display data in different ways. You
can tell it to give you statistics info for the query, you can tell it to
display deleted objects, you can tell it to decode the common time formats, you
can tell it to decode Security Descriptors, etc. By default it will decode GUIDs
and SIDs.

If you want to check a global catalog instead of a regular domain controller you
can add the switch -GC which changes the port the program queries.

Here is an example output of a single user who is Exchange email enabled:

[Sun 06/27/2004 12:26:30.07]
C:\WINDOWS>adfind -default -f "(name=postmaster)" -tdc

AdFind V01.17.00cpp Joe Richards (j...@joeware.net) May 2004

Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com

dn:CN=postmaster,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mDBUseDefaults: TRUE
>msExchALObjectVersion: 47
>homeMDB: CN=DB1,CN=SG2,CN=InformationStore,CN=2K3EXC01,CN=Servers,CN=First
Administrative Group,CN=Administrative Groups,CN=joeware,CN=Microsoft
Exchange,CN=Services,CN=Configurat
ion,DC=joe,DC=com
>homeMTA: CN=Microsoft MTA,CN=2K3EXC01,CN=Servers,CN=First Administrative
Group,CN=Administrative Groups,CN=joeware,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=joe,DC=com

>msExchUserAccountControl: 0
>msExchPoliciesIncluded:
{3A872370-0BE8-441A-B275-69F9B3FC83A9},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
>msExchMailboxGuid: {5061791B-6D9F-4415-8E3A-5E35B0EB4215}
>msExchHomeServerName: /o=joeware/ou=First Administrative
Group/cn=Configuration/cn=Servers/cn=2K3EXC01
>msExchMailboxSecurityDescriptor: {Security Descriptor}
>mailNickname: postmaster
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: postmaster
>givenName: postmaster
>distinguishedName:
CN=postmaster,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040613012302.0Z
>whenChanged: 20040625234707.0Z
>displayName: postmaster
>uSNCreated: 21465
>uSNChanged: 21569
>proxyAddresses: smtp:postm...@joe.com
>proxyAddresses: SMTP:postm...@joeware2.net
>proxyAddresses: smtp:ab...@joeware2.net
>proxyAddresses: X400:c=US;a= ;p=joeware;o=Exchange;s=postmaster;
>name: postmaster
>objectGUID: {FAEBBF9C-AB47-42D7-9CFD-38CF6E1BC30F}
>userAccountControl: 512
>codePage: 0
>countryCode: 0
>pwdLastSet: 06/12/2004-21:23:02
>primaryGroupID: 513
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1678
>accountExpires: 00/00/0000-00:00:00
>sAMAccountName: postmaster
>sAMAccountType: 805306368
>showInAddressBook: CN=Default Global Address List,CN=All Global Address
Lists,CN=Address Lists Container,CN=joeware,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=joe,DC=co
m
>showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists
Container,CN=joeware,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=joe,DC=com
>legacyExchangeDN: /o=joeware/ou=First Administrative
Group/cn=Recipients/cn=postmaster
>userPrincipalName: postm...@joe.com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
>lastLogonTimestamp: 127316443324000032
>textEncodedORAddress: c=US;a= ;p=joeware;o=Exchange;s=postmaster;
>mail: postm...@joeware2.net


1 Objects returned

[Sun 06/27/2004 12:26:40.98]
C:\WINDOWS>

If I just wanted the user's email address I could have done this instead:


[Sun 06/27/2004 12:27:42.11]
C:\WINDOWS>adfind -default -f "(name=postmaster)" mail

AdFind V01.17.00cpp Joe Richards (j...@joeware.net) May 2004

Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com

dn:CN=postmaster,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mail: postm...@joeware2.net


1 Objects returned

[Sun 06/27/2004 12:27:48.98]
C:\WINDOWS>

If I wanted the last time he changed the password it would be

[Sun 06/27/2004 12:27:48.98]
C:\WINDOWS>adfind -default -f "(name=postmaster)" pwdlastset

AdFind V01.17.00cpp Joe Richards (j...@joeware.net) May 2004

Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com

dn:CN=postmaster,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com
>pwdLastSet: 127315633823996192


1 Objects returned

[Sun 06/27/2004 12:28:17.32]
C:\WINDOWS>

Oops however that is in the raw format which needs to be decoded so instead
adfind can do:


[Sun 06/27/2004 12:28:17.32]
C:\WINDOWS>adfind -default -f "(name=postmaster)" pwdlastset -tdc

AdFind V01.17.00cpp Joe Richards (j...@joeware.net) May 2004

Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com

dn:CN=postmaster,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com
>pwdLastSet: 06/12/2004-21:23:02


1 Objects returned

[Sun 06/27/2004 12:28:46.22]
C:\WINDOWS>


joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
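An added example, written for this thread and not code from Joe, joeware or anyone else in it: the four search parts Joe lists (base, scope, filter, attributes) expressed as a paged System.DirectoryServices search in PowerShell, which produces the per-domain user, contact, group and computer counts Tim wanted without running into the Find dialog's 10,000-object limit. The domain name dom1.com, the page size of 1000 and an account that can read the directory are assumptions.

```powershell
# Added example, not code from the thread or from joeware: count AD objects
# per class with a paged LDAP search through System.DirectoryServices.
# Assumptions: domain dom1.com (as in Joe's examples), a page size of 1000,
# and an account that can read the directory.

# Search Base: where the search starts. Use "GC://..." instead of "LDAP://"
# to query a global catalog (what adfind's -gc switch does).
$base = [ADSI]"LDAP://dc=dom1,dc=com"

# Search Filters from the thread; an "&" filter needs the outer parentheses.
$filters = [ordered]@{
    Users     = "(&(objectcategory=person)(objectclass=user))"
    Contacts  = "(&(objectcategory=person)(objectclass=contact))"
    Groups    = "(objectcategory=group)"
    Computers = "(objectcategory=computer)"
}

function Get-ObjectCount {
    param([string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter      = $Filter
    # Search Scope: Subtree, i.e. everything under the base across all OUs.
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    # PageSize > 0 turns on the paged-results control: the DC hands back
    # pages of 1000 and the client walks them, so the total is not capped by
    # a single-response limit the way the Find dialog's count is.
    $searcher.PageSize    = 1000
    # Attributes: request only the DN so each page stays small.
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    $results = $searcher.FindAll()
    try {
        $n = 0
        foreach ($r in $results) { $n++ }   # enumerating pulls every page
        return $n
    }
    finally { $results.Dispose() }          # releases the search handle
}

foreach ($kind in $filters.Keys) {
    "{0,-10}{1,8}" -f $kind, (Get-ObjectCount -Filter $filters[$kind])
}
```

Run it from a domain-joined machine; the serverless LDAP:// path binds to a domain controller of dom1.com automatically, and each filter is a single subtree query rather than a per-OU walk.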
