[python-win32] active_directory.py: enumerating membership of groups with more than 1500 members.

Mike Diehn mike.diehn at ansys.com
Thu Mar 11 16:44:37 CET 2010


As you probably just read, Microsoft say that if I query for the "member"
attribute in the case of a group with a large membership, say 9000, the
domain controller (DC) will send me back two attributes: an empty "member"
attribute and a 1500 item attribute named "member;range=0-1499".
Apparently, that's how we're to know we need to use the range retrieval
technique.  Next query would be for member;range=1500-* and they send back
that one empty but with a new one named member;range=1500-2999.  Indicating
need for yet another round.

Well, I did this in a python interactive session:

>>> import active_directory as ad
>>> gau = ad.find_group('google apps users')
>>> len(gau.member)
1500
>>> for p in gau.properties:
...    print p

The resulting list of property names contained "member", but nothing like
"member;range=0-1499."  And "member" has 1500 items.

I did it in perl (needing *many* more lines :-) ) using the Net::LDAP
modules and got back an empty "member" attribute and a 1500 value
"member;range=0-1499" attribute.  So I expect AD is sending what MS says it
is.

Do you suppose something in pywin32 is munging the attribute names?

Thanks,
Mike


On Thu, Mar 11, 2010 at 9:59 AM, Tim Golden <mail at timgolden.me.uk> wrote:

> On 11/03/2010 14:51, Mike Diehn wrote:
>
>> Thanks, Tim.
>>
>> I've just subscribed to the python-win32 mailing list and I'll copy this
>> post to it.
>>
>> So, my task, in this instance is to retrieve the membership list of a 1650
>> member AD security group.  That means the group has a 1650 item
>> multi-value
>> attribute.  It's refusing to send more than 1500, of course. Since this
>> isn't about objects, page_size and size_limit don't *appear* to help.
>> Instead, last night I was working on a technique called "range
>> retrieval."
>>
>
> Ah, sorry. I didn't read closely enough. Range retrieval is a pain because
> you *have* to be retrieving at least as many items as you're requesting,
> so you can't just say "give me 1-20,000", knowing that it'll work every
> time.
>
> I've been struggling to find a clean way to include this in my slightly
> improved AD interface, but haven't found one yet :(. I must confess I
> didn't realise it would actually cap the retrieval if you didn't include
> a range. I don't think any of our groups have as many as 1500 members.
>
> Didn't know about that -* trick on the last loop, either. You live and
> learn.
>
> TJG



-- 
Mike Diehn
Senior Systems Administrator
ANSYS, Inc - Lebanon, NH Office
mike.diehn at ansys.com, (603) 727-5492
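
The range-retrieval loop discussed in this thread, as an added example (not code from the thread or from active_directory.py): `fetch_all_values` keeps requesting `member;range=N-*` until the reply's range has `*` as its upper bound, which is how a DC marks the final chunk. The `query` callable and the `make_fake_dc` stand-in are assumptions so the loop runs offline; the stand-in mimics the 1500-value cap and the empty "member" plus "member;range=lo-hi" reply described above.

```python
import re

RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.I)


def fetch_all_values(query, attr="member"):
    """Collect every value of a multi-valued attribute via range retrieval.

    `query(attr_spec)` is a hypothetical callable that asks the DC for one
    attribute and returns {returned_attribute_name: [values]}.
    """
    values, start = [], 0
    while True:
        reply = query("%s;range=%d-*" % (attr, start))
        ranged = [(RANGE_RE.match(name), vals) for name, vals in reply.items()]
        ranged = [(m, vals) for m, vals in ranged
                  if m and m.group("attr").lower() == attr.lower()]
        if not ranged:
            # No ranged attribute came back: the plain attribute holds everything.
            return values + list(reply.get(attr, []))
        m, vals = ranged[0]
        if int(m.group("lo")) != start:
            raise ValueError("DC returned unexpected range %r" % m.group(0))
        values.extend(vals)
        if m.group("hi") == "*":  # "-*" upper bound marks the final chunk
            return values
        start = int(m.group("hi")) + 1


def make_fake_dc(members, limit=1500):
    """Constructed stand-in for a DC: caps each reply at `limit` values."""
    def query(attr_spec):
        lo = int(RANGE_RE.match(attr_spec).group("lo"))
        chunk = members[lo:lo + limit]
        last = lo + len(chunk) >= len(members)
        hi = "*" if last else str(lo + len(chunk) - 1)
        # Empty plain attribute plus the ranged one, as described in the post.
        return {"member": [], "member;range=%d-%s" % (lo, hi): chunk}
    return query


if __name__ == "__main__":
    # Constructed sample data: a 1650-member group like the one in the thread.
    group = ["CN=user%04d,OU=Staff,DC=example,DC=com" % i for i in range(1650)]
    found = fetch_all_values(make_fake_dc(group))
    print(len(found), "members retrieved")
```

When auditing group membership, compare the collected count against the expected size: a result of exactly 1500 is the sign that only the first range was read.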