Listing Active Directory group membership when groups have > 1500 members

Jan 12, 2012 at 1:47 PM
Edited Jan 28, 2012 at 5:38 AM

I'm still running through my series of tests.  I've just been looking into groups.  When I have up to (and including) 1500 members, I can retrieve the list okay.  When there are more than 1500 members, I get an empty collection.  I've seen this problem before, with System.DirectoryServices: I had to use something called Range Retrieval to sort it out.

UPDATE

Sorry the original version of this post was so short: I ran out of time.  This is still using source code 10830 - I've seen your update but I wanted to finish my first set of tests on the same version, then move to the latest, and re-run them.

This is my GroupObject class:

using System;
using System.Collections.ObjectModel;
using System.ComponentModel.DataAnnotations;
using LinqToLdap.Mapping;

namespace LinqToLdap_Updates.Entities
{
    public class GroupObject : DirectoryObjectBase
    {
        [Key]
        public Guid objectGuid { get; set; }
        public String commonName { get; set; }
        public String distinguishedName { get; set; }

        public String sAMAccountName { get; set; }

        // Setters call AttributeChanged (from DirectoryObjectBase) so that
        // LinqToLdap knows which attributes to write back on update.
        private string _description;
        public String description
        {
            get { return this._description; }
            set
            {
                if (value != this._description)
                {
                    this._description = value;
                    AttributeChanged<GroupObject, String>(a => a.description);
                }
            }
        }

        // Multi-valued "member" attribute: one distinguished name per member.
        private Collection<string> _member;
        public Collection<String> member
        {
            get { return this._member; }
            set
            {
                if (value != this._member)
                {
                    this._member = value;
                    AttributeChanged<GroupObject, Collection<String>>(a => a.member);
                }
            }
        }

        // Call this after mutating the collection in place, since the setter
        // above only fires when the collection reference itself is replaced.
        public void SetMemberChanged()
        {
            AttributeChanged<GroupObject, Collection<String>>(a => a.member);
        }

        [Editable(false)]
        public DateTime whenCreated { get; set; }
        [Editable(false)]
        public DateTime whenChanged { get; set; }
    }
}

and this is my GroupObjectMap class:

using System;
using System.Linq;
using LinqToLdap.Mapping;
using LinqToLdap_Updates.Entities;

namespace LinqToLdap_Updates.ClassMaps
{
    public class GroupObjectMap : ClassMap<GroupObject>
    {
        public GroupObjectMap()
        {
            NamingContext("DC=big,DC=wooden,DC=badger");
            ObjectClass("group");
            ObjectCategory("group");

            DistinguishedName(x => x.distinguishedName);
            Map(x => x.commonName).Named("cn").StoreGenerated();

            Map(x => x.description);
            Map(x => x.objectGuid).StoreGenerated();
            Map(x => x.member);
            Map(x => x.sAMAccountName);
            Map(x => x.whenChanged).StoreGenerated();
            Map(x => x.whenCreated).StoreGenerated();
        }
    }
}

I retrieve a test group like this:

var group = context.Query<GroupObject>()
    .Where(u => u.sAMAccountName == groupName)
    .FirstOrDefault();

and this is how I display a group I've retrieved:

// Wrapped in a method so the fragment compiles as posted; 'displayMembers'
// controls whether every member DN is listed or just the count.
static void DisplayGroup(GroupObject group, bool displayMembers)
{
    if (group == null)
    {
        Console.WriteLine("group not found");
        return;
    }

    if (group.member != null)
    {
        Console.WriteLine("group.member count: {0}", group.member.Count);

        if (displayMembers)
        {
            Console.WriteLine("member:");
            foreach (var member in group.member)
            {
                Console.WriteLine("  {0}", member);
            }
        }
    }
}

I created 1600 users, numbered consecutively.  I added the first member, and displayed it, showing count = 1 and listing the one member.  I added 1499 more and displayed it, showing count=1500 and listing them.  Then I added one more member and got count=0 and no members listed.

I've done a bit of mooching around and found this.  I wondered if it (range retrieval) was just AD and I found this in several places.  I'm not sure how this stuff works but it looks like it might have expired, so I might be limited to AD DS and AD LDS.

****** EDIT ******

madhatter22 has created an issue for this.
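The behaviour described in the post (a full list up to 1500 members, then an empty collection) is Active Directory's MaxValRange policy clamping a multi-valued attribute in a single read. The workaround the post calls "Range Retrieval" asks for the attribute in slices (`member;range=0-*`, then `member;range=1500-*`, and so on) until the server replies with a range ending in `*`. The following is an added example of that loop using System.DirectoryServices.Protocols; it is not code from the original post or from the LinqToLdap project. The host name, the group DN and the use of the current process credentials are assumptions for illustration.

```csharp
// Added example: read a large group's "member" attribute with LDAP range retrieval.
// Not part of the original post or of LinqToLdap; server name and DN are placeholders.
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;

namespace RangeRetrievalExample
{
    public static class GroupMembers
    {
        // Returns every value of a multi-valued attribute (default "member"), even when
        // the server's MaxValRange policy (1500 on AD by default) truncates a plain read.
        public static List<string> ReadAll(LdapConnection connection, string groupDn, string attribute = "member")
        {
            var values = new List<string>();
            int start = 0;

            while (true)
            {
                // Request from index 'start' to the end; the server clamps the upper bound
                // to MaxValRange and reports where it stopped in the returned attribute name.
                string rangedAttribute = string.Format("{0};range={1}-*", attribute, start);
                var request = new SearchRequest(groupDn, "(objectClass=*)", SearchScope.Base, rangedAttribute);
                var response = (SearchResponse)connection.SendRequest(request);

                if (response.Entries.Count == 0)
                {
                    throw new InvalidOperationException("Group not found: " + groupDn);
                }

                SearchResultEntry entry = response.Entries[0];
                string returnedName = null;

                // The server names the attribute e.g. "member;range=0-1499", or
                // "member;range=3000-*" for the final chunk.
                foreach (string name in entry.Attributes.AttributeNames)
                {
                    if (name.StartsWith(attribute + ";range=", StringComparison.OrdinalIgnoreCase))
                    {
                        returnedName = name;
                        break;
                    }
                }

                if (returnedName == null)
                {
                    // No range suffix: either the attribute is absent/empty or the server
                    // returned it whole. Take whatever is there and stop.
                    if (entry.Attributes.Contains(attribute))
                    {
                        foreach (string v in entry.Attributes[attribute].GetValues(typeof(string)))
                        {
                            values.Add(v);
                        }
                    }
                    break;
                }

                foreach (string v in entry.Attributes[returnedName].GetValues(typeof(string)))
                {
                    values.Add(v);
                }

                // Parse "start-end" after "range="; a trailing "*" marks the last chunk.
                string range = returnedName.Substring(returnedName.IndexOf('=') + 1);
                string upper = range.Substring(range.IndexOf('-') + 1);
                if (upper == "*")
                {
                    break;
                }

                start = int.Parse(upper) + 1;
            }

            return values;
        }

        public static void Main(string[] args)
        {
            // Placeholder server and DN; binds with the current process credentials.
            using (var connection = new LdapConnection("dc01.example.test"))
            {
                connection.SessionOptions.ProtocolVersion = 3;
                connection.Credential = CredentialCache.DefaultNetworkCredentials;
                connection.AuthType = AuthType.Negotiate;
                connection.Bind();

                List<string> members = ReadAll(connection, "CN=BigGroup,OU=Groups,DC=example,DC=test");
                Console.WriteLine("member count: {0}", members.Count);
            }
        }
    }
}
```

The loop never requests past the last chunk, because it stops as soon as the returned range ends in `*`; that matters because asking for a range that starts beyond the attribute's last value is an error on AD. A check worth keeping in any tooling that enumerates group membership for access reviews: compare the count you get back against the 1500 boundary, since a read that returns exactly 1500 (or nothing at all, as in the post) is a sign the list was truncated rather than complete.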