.NET Framework - Search.All in AD (LDAP) found exactly 1000 - is this a built in limit?

Asked By Bruce Sanderson
29-Aug-08 05:08 PM
I ran a script to list all computers in an Active Directory OU (or a child
OU) with their last password changed date.  This seems to work OK, but I got
exactly 1000 computer accounts listed.  I'm pretty sure there are more than
1000 computer accounts, because some computer accounts are in OUs that don't
appear in the list.

Is there a built-in limit to how many items will be returned by an LDAP
query or that can be put into a PowerShell variable and if so, can this be
changed or is there some way to get the rest of the computer accounts?

Here's the script I'm using (I've changed the OU names):

$root=[ADSI]"LDAP://OU=Workstation Computers,OU=Base,OU=mine,OU=ours,DC=domain,DC=local"
$search=[System.DirectoryServices.DirectorySearcher]$root
$Search.Filter="(&(objectcategory=computer))"
$result=$search.FindAll()
# [the start of this statement is missing from the post] > .\computers.txt

foreach ($Computer in $result)
{
    # Split the distinguished name into its components (CN=..., OU=..., DC=...)
    $parts = $Computer.properties.distinguishedname -split ","
    Foreach ($namepart in $parts)
    {
        $TypeName = $namepart -split "="
        switch ($TypeName[0])
        {
            # The two case labels are missing from the post; "CN" and "OU" are assumed
            "CN" {
                $OU = ""}
            "OU" {
                # The second OU name in this test is cut off in the post; a placeholder stands in for it
                If (($TypeName[1] -eq "Base") -or ($TypeName[1] -eq "<OU name missing from post>"))
                    {Continue}
                Else
                    {$OU=$TypeName[1], $OU -join "\"
                    }
            }
        }
    }
    $ComputerName = $Computer.properties.cn | out-string -stream
    # pwdLastSet and lastLogonTimestamp are FILETIME values; 0 converts to the 1601 epoch
    $pwdlastset = [datetime]::FromFileTime($Computer.properties.item('pwdlastset')[0])
    If ($pwdlastset -eq "31-Dec-1600 4:00:00 PM")
        {$pwdlastset ="Never"}
    $LastLogon = [datetime]::FromFileTime($Computer.properties.item('lastLogonTimestamp')[0])
    If ($LastLogon -eq "31-Dec-1600 4:00:00 PM")
        {$LastLogon ="Never"}

    # One tab-separated line per computer
    -join ($ComputerName, "`t", $OU, "`t", $pwdlastset, "`t", $LastLogon) >> .\computers.txt
}



--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.
  alexandair replied...
31-Aug-08 10:37 PM
On Aug 29, 11:08 pm, "Bruce Sanderson" <bsand...@newsgroups.nospam>

You need $Search.PageSize = 1000

By default, the search returns a maximum of 1000 results to prevent
load on the domain controller executing the search. By setting
PageSize to anything, you in effect disable the limitation altogether.
You may ask why would you set PageSize to 1000, and here is the answer
taken from Tobias Weltner's Mastering PowerShell in your Lunch Break
(Day 6: ADSI Connecting to Domains/Computers and Binding to Objects)
(http://powershelllive.com/blogs/lunch/archive/2007/04/04/day-6-adsi-connecting-to-domains-computers-and-binding-to-objects.aspx):

results in one chunk. If it gets larger than 1000 objects, the
internal limitation kicks in and cancels the search. You get
incomplete results.

If you do set a PageSize, then you get back the results in separate
chunks, each with the size defined in PageSize. So, as long as your
PageSize is smaller than or equal to 1000, the chunks will not trigger
the limitation, and you get all results. You can try and set PageSize
= 1. You still get all results. The results now come in chunks of
exactly one entry which slows down the search. The best way therefore
is to set PageSize to the maximum allowed size of 1000. This limit is
set in your AD schema and may have been changed to another value."

-aleksandar
http://powershellers.blogspot.com
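
A paged version of the search discussed in this thread, as an added example that is not code from either poster: it sets PageSize, shows how an unpaged run of the same query comes up short, and treats a missing or zero pwdLastSet as "never" instead of comparing against the 1600 date string. The function names Convert-AdFileTime and Get-ComputerPasswordAge, the 90-day threshold and the output file name are assumptions; the search base is the placeholder DN from the question.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
function Convert-AdFileTime($Values) {
    # A missing attribute or a value of 0 means "never"; FromFileTime(0) would
    # otherwise return the 1601 epoch (shown as 31-Dec-1600 in western time zones).
    $v = @($Values)
    if ($v.Count -eq 0 -or [int64]$v[0] -le 0) { return $null }
    [datetime]::FromFileTimeUtc([int64]$v[0])
}

function Get-ComputerPasswordAge {
    param([Parameter(Mandatory)][string]$SearchBase, [int]$PageSize = 1000)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$SearchBase")
    $searcher.Filter = '(objectCategory=computer)'
    $searcher.PageSize = $PageSize   # 0 = unpaged, which is what stopped at 1000 in the question
    $searcher.PropertiesToLoad.AddRange([string[]]('cn', 'distinguishedName', 'pwdLastSet', 'lastLogonTimestamp'))
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                Name              = [string]$r.Properties['cn'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                PwdLastSet        = Convert-AdFileTime ($r.Properties['pwdlastset'])
                LastLogon         = Convert-AdFileTime ($r.Properties['lastlogontimestamp'])
            }
        }
    }
    finally {
        # SearchResultCollection holds unmanaged ADSI resources until disposed
        $results.Dispose()
        $searcher.Dispose()
    }
}

$base    = 'OU=Workstation Computers,OU=Base,OU=mine,OU=ours,DC=domain,DC=local'  # DN from the question
$all     = @(Get-ComputerPasswordAge -SearchBase $base)
$unpaged = @(Get-ComputerPasswordAge -SearchBase $base -PageSize 0)
if ($unpaged.Count -lt $all.Count) {
    Write-Warning "Unpaged search returned $($unpaged.Count) of $($all.Count) computers; the report would be incomplete."
}

# Assumed threshold: flag machine passwords older than 90 days, or never set
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)
$all | Where-Object { -not $_.PwdLastSet -or $_.PwdLastSet -lt $cutoff } |
    Sort-Object PwdLastSet |
    Export-Csv -Path .\stale-computers.txt -Delimiter "`t" -NoTypeInformation
```

Comparing the paged and unpaged counts is a quick way to confirm whether an existing inventory or audit script has been silently returning a truncated result set.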
  Bruce Sanderson replied...
02-Sep-08 02:03 PM
Thank you very much, both for the solution and the explanation!

That fixed the problem - I now get all 2,331 computer accounts.

--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.

