[python-win32] active_directory.py: enumerating membership of groups with more than 1500 members.
mike.diehn at ansys.com
Thu Mar 11 16:44:37 CET 2010
As you probably just read, Microsoft say that if I query for the "member"
attribute in the case of a group with a large membership, say 9000, the
domain controller (DC) will send me back two attributes: an empty "member"
attribute and a 1500 item attribute named "member;range=0-1499".
Apparently, that's how we're to know we need to use the range retrieval
technique. Next query would be for member;range=1500-* and they send back
that one empty but with a new one named member;range=1500-2999. Indicating
need for yet another round.
Well, I did this in a python interactive session:
>>> import active_directory as ad
>>> gau = ad.find_group('google apps users')
>>> for p in gau.properties:
...     print p
The resulting list of property names contained "member", but nothing like
"member;range=0-1499." And "member" has 1500 items.
I did it in perl (needing *many* more lines :-) ) using the Net::LDAP
modules and got back an empty "member" attribute and a 1500 value
"member;range=0-1499" attribute. So I expect AD is sending what MS says it
Do you suppose something in pywin32 is munging the attribute names?
On Thu, Mar 11, 2010 at 9:59 AM, Tim Golden <mail at timgolden.me.uk> wrote:
> On 11/03/2010 14:51, Mike Diehn wrote:
>> Thanks, Tim.
>> I've just subscribed to the python-win32 mailing list and I'll copy this
>> post to it.
>> So, my task, in this instance is to retrieve the membership list of a 1650
>> member AD security group. That means the group has a 1650 item
>> attribute. It's refusing to send more than 1500, of course. Since this
>> isn't about objects, page_size and size_limit don't *appear* to help.
>> Instead, last night I was working on a technique called "range
> Ah, sorry. I didn't read closely enough. Range retrieval is a pain because
> you *have* to be retrieving at least as many items as you're requesting,
> so you can't just say "give me 1-20,000", knowing that it'll work every
> I've been struggling to find a clean way to include this in my slightly
> improved AD interface, but haven't found one yet :(. I must confess I
> didn't realise it would actually cap the retrieval if you didn't include
> a range. I don't think any of our groups have as many as 1500 members.
> Didn't know about that -* trick on the last loop, either. You live and
Senior Systems Administrator
ANSYS, Inc - Lebanon, NH Office
mike.diehn at ansys.com, (603) 727-5492
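The range retrieval loop discussed in this thread, as an added example that is not part of the original post or of active_directory.py: it asks for "member", then "member;range=N-*", until the returned attribute name ends in "-*". The names read_attrs and make_fake_dc are hypothetical; the fake DC and its DNs are constructed so the loop runs offline, and read_attrs stands in for whatever LDAP/ADSI query you actually use.

```python
import re

# Matches a ranged attribute name such as "member;range=0-1499" or "member;range=1500-*".
RANGE_RE = re.compile(r"^([^;]+);range=(\d+)-(\d+|\*)$", re.IGNORECASE)

def fetch_all_values(read_attrs, attr="member"):
    """Collect every value of a multi-valued attribute via range retrieval.

    read_attrs(spec) is a hypothetical callable wrapping a query for one object;
    it returns {returned attribute name: list of values}.
    """
    values, spec = [], attr
    while True:
        returned = read_attrs(spec)
        hit = None
        for name, vals in returned.items():
            m = RANGE_RE.match(name)
            if m and m.group(1).lower() == attr.lower():
                hit = (int(m.group(2)), m.group(3), vals)
        if hit is None:
            # No ranged name came back: the plain attribute holds everything.
            return values + list(returned.get(attr, []))
        lo, hi, vals = hit
        if lo != len(values):
            raise ValueError("expected range starting at %d, got %d" % (len(values), lo))
        values.extend(vals)
        if hi == "*":
            # A "*" upper bound in the reply marks the final chunk.
            return values
        # Ask from the next index to "*" so we never need to know the total.
        spec = "%s;range=%d-*" % (attr, int(hi) + 1)

def make_fake_dc(members, cap=1500):
    """Constructed stand-in for a DC that caps each reply at `cap` values."""
    def read_attrs(spec):
        m = RANGE_RE.match(spec)
        if not m and len(members) <= cap:
            return {"member": list(members)}
        lo = int(m.group(2)) if m else 0
        hi = "*" if lo + cap >= len(members) else str(lo + cap - 1)
        # Empty plain attribute plus the ranged one, as described in the post.
        return {"member": [], "member;range=%d-%s" % (lo, hi): members[lo:lo + cap]}
    return read_attrs

if __name__ == "__main__":
    # Constructed DNs for a 1650-member group, the size mentioned in the thread.
    group = ["CN=user%d,OU=Example,DC=example,DC=test" % i for i in range(1650)]
    print(len(fetch_all_values(make_fake_dc(group))))
```

A membership audit that reads only the plain "member" attribute silently stops at the cap, so the check on the returned attribute name is what tells you the list is incomplete.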