Security/Distribution Group Member.Count limit of 1000


Problem description

Howdy,

I am having trouble with the objectCategory=group member.Count attribute.
I get one of three counts, a number between 1-999, no member (does not
contain member property), or 0. Using LDIFDE as a comparison I get the same
results. No members means just that, an empty group. Zero means that the
DirectorySearcher.SizeLimit has been exceeded.
http://msdn.microsoft.com/library/en...LimitTopic.asp
states:
....
Property Value
The maximum number of objects the server returns in a search. The default of
zero means to use the server-determined default size limit of 1000 entries.
Remarks
The server stops searching after the size limit is reached and returns the
results accumulated up to that point.
Note If you set SizeLimit to a value that is larger than the
server-determined default of 1000 entries, the server-determined default is
used.
....

My question is, what do I change on the server (domain controller) or
within Active Directory to increase the over-riding server-determined
default size limit of 1000? I tried the MS KB article (Controlling the
Active Directory Search Buffer Size
http://support.microsoft.com/?kbid=243281) Directory UI registry change to
no avail. We have already increased the NTDSUTIL's LDAP Policies to:
Policy Current(New)
MaxPoolThreads 8
MaxDatagramRecv 1024
MaxReceiveBuffer 10485760
InitRecvTimeout 120
MaxConnections 5000
MaxConnIdleTime 900
MaxActiveQueries 40
MaxPageSize 200000
MaxQueryDuration 120
MaxTempTableSize 10000
MaxResultSetSize 262144
MaxNotificationPerConn 5

--
Terry E Dow

Solution

Hi,

You don't say what you are trying to do, or in what language, but in
VBScript you can use ADO and Range Limits to retrieve more than 1000 entries
in a multi-valued attribute, like the "member" attribute of a group object.
I have a sample VBScript program to enumerate group membership that uses
this technique linked on this page:

http://www.rlmueller.net/DocumentLargeGroup.htm

The technique is also described in Microsoft's "Windows 2000 Scripting
Guide", but the example is incomplete as it raises errors if there are fewer
than 1000 members left to retrieve.

As far as I know, there are not settings on the server to overcome this
limitation. I hope this helps.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net

This is my generalized VB.NET range retrieval function. It returns the
attribute values in an ArrayList. You could easily modify it to use a
different container:

' Needed at the top of the source file; the function itself belongs inside a class.
Imports System.Collections
Imports System.DirectoryServices
Imports System.Runtime.InteropServices

Protected Shared Function GetAllAttributeValues(ByVal entry As DirectoryEntry, _
        ByVal attributeName As String) As ArrayList
    Dim propValues As PropertyValueCollection
    Dim propValue As Object
    Dim attributeValues As PropertyValueCollection
    Dim values As ArrayList

    Dim currentRange As String

    Dim startCount As Integer
    Dim endCount As Integer
    Dim iteration As Integer

    Dim increment As Integer = 1000
    Dim expectedErrorCode As Integer = -2147016672

    'This optimization reads the attribute directly if it
    'contains less than 1000 values and returns an arraylist based
    'on that. If we have 1000 values, we assume that there are likely more than
    '1000 values and we resort to the slower attribute ranging method
    'done below
    entry.RefreshCache(New String() {attributeName})

    attributeValues = entry.Properties(attributeName)
    If attributeValues.Count < 1000 Then
        Dim memberValue As Object
        values = New ArrayList(attributeValues.Count)
        For Each memberValue In attributeValues
            values.Add(memberValue)
        Next
        values.TrimToSize()
        Return values
    End If

    'here we go into ranging mode

    values = New ArrayList(1000)

    Do
        startCount = iteration * increment
        endCount = (iteration + 1) * increment - 1
        'This is the attribute ranging method for retrieving the
        'contents of large attributes
        currentRange = String.Format("{0};Range={1}-{2}", _
            attributeName, startCount, endCount)
        'this will throw when the lower bound on the range is too high
        Try
            entry.RefreshCache(New String() {currentRange})
        Catch e As COMException 'I might check for the expected hresult, but I don't know if I need to
            Exit Do
        End Try
        'Get the values for the current range of attributes
        propValues = entry.Properties(attributeName)

        For Each propValue In propValues
            values.Add(propValue)
        Next

        iteration += 1
        values.Capacity += increment

    Loop

    values.TrimToSize()
    Return values
End Function

This should allow you to get full group membership in .NET (unless we are
talking about primary group membership which is done a different way).

Joe K.
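
The range-retrieval exchange that the posts above rely on, as an added example that is not part of the original thread: a constructed in-memory stand-in for the server (2,300 sample DNs, a 1,000-value cap per read) and a client loop that stops on the `*` upper bound the server puts on the last slice instead of waiting for an error. It is written in Python so that it runs without a domain controller; `fake_server_read`, `read_all_values` and the sample DNs are assumptions of the example.

```python
import re

# Constructed sample data: 2,300 member DNs held by a simulated server.
MEMBERS = [f"CN=user{i:04d},OU=Staff,DC=example,DC=com" for i in range(2300)]
RANGE_RE = re.compile(r"^([^;]+);range=(\d+)-(\d+|\*)$", re.IGNORECASE)


def fake_server_read(values, attr_with_range, cap=1000):
    """Answer one ranged read of a multi-valued attribute (simulation).

    Returns (returned_attribute_name, slice_of_values). The server never
    returns more than `cap` values, and it labels the slice that contains
    the last value with '*' as its upper bound. A lower bound past the end
    raises LookupError, the case the VB.NET code above catches.
    """
    m = RANGE_RE.match(attr_with_range)
    if m is None:
        raise ValueError("not a ranged attribute: " + attr_with_range)
    attr, low = m.group(1), int(m.group(2))
    if low > 0 and low >= len(values):
        raise LookupError("range lower bound too high")
    last = len(values) - 1
    asked_high = last if m.group(3) == "*" else int(m.group(3))
    high = min(asked_high, low + cap - 1, last)
    label = "*" if high >= last else str(high)
    return f"{attr};range={low}-{label}", values[low:high + 1]


def read_all_values(read, attr="member", step=1000):
    """Collect every value by walking the ranges the server reports.

    `read` takes 'attr;range=low-high' and returns (returned_name, values).
    The next lower bound comes from the upper bound in the returned name,
    so a server cap smaller than `step` cannot cause skipped values, and
    the loop ends on '*' without provoking an error.
    """
    collected, low, requests = [], 0, 0
    while True:
        name, chunk = read(f"{attr};range={low}-{low + step - 1}")
        requests += 1
        collected.extend(chunk)
        m = RANGE_RE.match(name)
        if m is None or m.group(3) == "*":
            return collected, requests
        low = int(m.group(3)) + 1


if __name__ == "__main__":
    members, trips = read_all_values(lambda a: fake_server_read(MEMBERS, a))
    print(len(members), "members in", trips, "reads")
```

A membership report built this way counts a group with exactly 1,000 members in a single read, and asking for 1,500 values at a time against a 1,000-value cap still returns every member.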

Richard,

Thanks for your quick response.

The purpose of this Active Directory administration tool was to build a
list of security/distribution groups within a domain, and return metrics
like the membership count. The administrators can use this report to clean
up their domain.

Thank you very much for your example code EnumGroup2.vbs. I can see that
you are using the RANGE flags in your LDAP query, and grabbing a 1000 at a
time. Unfortunately, unless you know otherwise, Visual Studio .Net 2003
System.DirectoryServices namespace does not natively support that particular
option. I'm writing this in C#, and everything was going so well, until I
ran into this limit. Odd that LDIFDE has the same limitation, and the
developers did not use your solution to get around it.

Perhaps I can mix your LDAP query syntax with C# via another provider than
ADSI or System.DirectoryServices.

--
Terry E Dow
