[python-win32] active_directory.py: enumerating membership of groups with more than 1500 members.

Mike Diehn mike.diehn at ansys.com
Thu Mar 11 15:51:39 CET 2010 

Thanks, Tim.

I've just subscribed to the python-win32 mailing list and I'll copy this
post to it.

So, my task, in this instance is to retrieve the membership list of a 1650
member AD security group.  That means the group has a 1650 item multi-value
attribute.  It's refusing to send more than 1500, of course. Since this
isn't about objects, page_size and size_limit don't *appear* to help.
 Instead, last night I was working on a technique called "range retrieval."
 Do you suppose I'm missing something?

Range retrieval is documented here:

  http://msdn.microsoft.com/en-us/library/aa367017(VS.85).aspx

and the example that finally helped me get it working is here:

  http://msdn.microsoft.com/en-us/library/aa705933(VS.85).aspx

This is what made it click:

    commandPrefix = "<LDAP://" & strGroupDN & ">;(objectClass=*);member;range="
    commandSuffix = ";base"

I needed to specify the full ADSPath to the group - the groupDN essentially.
 Until I did that, the query would blow up anytime I put in the bit about
"...;member;range=1500-*;..."

I'll be hacking around on this all morning.

Best,
Mike

On Thu, Mar 11, 2010 at 4:47 AM, Tim Golden <mail at timgolden.me.uk> wrote:

> On 10/03/2010 23:29, Mike Diehn wrote:
>
>> Hi again, Tim.
>>
>> I swear I've searched and read and studied trying to solve this.  I hope
>> you
>> won't mind one more question.  Feel free to send me to a more appropriate
>> source, like a mailing list or forum, if you like.
>>
>
> Glad you solved it anyway. FWIW it's always worth posting to the
> python-win32 mailing list where there are many more and better
> informed people than me. I'm usually watching it anyway, so it's
> better than mailing me direct  :)
>
>
>
>> I have a group in our active directory with 1652 members.  I can't get
>> python to show me more than the first 1500.  I understand the 1500 limit -
>> that's the MaxValueLimit imposed by AD 2003.
>>
>> How in the world do I get around it using your active_directory.py
>> modules?
>>
>
> I guess you've found that you need to fiddle around with the
> page_size and/or size_limit flags to the query.
>
> TJG
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email______________________________________________________________________
>



-- 
Mike Diehn
Senior Systems Administrator
ANSYS, Inc - Lebanon, NH Office
mike.diehn at ansys.com, (603) 727-5492
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-win32/attachments/20100311/6e413887/attachment.html>

More information about the python-win32 mailing list