Re: Can we limit the total number of search results returned?

From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 04/19/04


Date: Mon, 19 Apr 2004 09:24:47 -0700

The previous replies do apply, but you have to realize if you want to
protect your data, then the proper way of doing this is securing it
appropriately.

Page size affects only a single page size. If the client does a paged search
(and any self-respecting client does), then they can pull all of your data
page-by-page. We do not have the policy to limit the total number of entries
returned by a paged search. Even if we did, they would be able to pull
everything by running multiple searches like (username=a*), (username=b*),
etc.

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Eric Chamberlain" <eric.chamberlain@newsgroups.nospam> wrote in message
news:#l49UkWJEHA.2736@TK2MSFTNGP12.phx.gbl...
> We have 40,000 users and don't want them to be able to pull all the e-mail
> addresses from AD.  In iPlanet, we can limit the search results to 100
> records.  Is there an equivalent setting we can configure on the domain
> controllers, without impacting normal functions?
>
> Users may be connecting via LDAP and paging.  I see we can limit page
> results returned, but we want to limit the entire search results.
>
> Currently we can track abuses by logging expensive queries and long running
> queries, but we would rather be proactive than reactive.
>
>
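
A detection-side illustration of the point made in the reply above, added here as an example and not part of the original thread: a client that splits one large search into many prefix searches such as (username=a*), (username=b*) never produces a single expensive query, so the sweep has to be recognised across queries. The event tuple layout (timestamp, client, filter), the thresholds and the function name are assumptions; the sample events are constructed.

```python
import re
from collections import defaultdict

# Matches a simple prefix filter such as (username=a*): one attribute, a short
# literal prefix (1 to 3 characters), then a trailing wildcard.
PREFIX_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<prefix>[^*()\\]{1,3})\*\)$")

def find_prefix_sweeps(events, window_s=600, min_prefixes=10):
    """Return {(client, attr): sorted prefixes} for clients that issued at least
    min_prefixes distinct prefix filters on one attribute within window_s seconds."""
    by_key = defaultdict(list)
    for ts, client, ldap_filter in events:
        m = PREFIX_FILTER.match(ldap_filter.strip())
        if m:
            by_key[(client, m["attr"].lower())].append((ts, m["prefix"].lower()))
    flagged = {}
    for key, hits in by_key.items():
        hits.sort()
        start = 0
        counts = defaultdict(int)  # prefix -> occurrences inside the current window
        for ts, prefix in hits:
            counts[prefix] += 1
            # Slide the window forward, dropping hits older than window_s.
            while ts - hits[start][0] > window_s:
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_prefixes:
                flagged[key] = sorted(counts)
                break
    return flagged

# Constructed sample events: (epoch seconds, client address, LDAP filter).
SAMPLE_EVENTS = (
    [(1000 + 5 * i, "10.0.0.23", f"(username={c}*)") for i, c in enumerate("abcdefghijkl")]
    + [(1010, "10.0.0.40", "(username=eric*)"),                 # ordinary lookup
       (1500, "10.0.0.40", "(&(objectClass=user)(mail=e*))"),   # compound filter, ignored
       (9000, "10.0.0.40", "(username=dmi*)")]
)

if __name__ == "__main__":
    for (client, attr), prefixes in find_prefix_sweeps(SAMPLE_EVENTS).items():
        print(f"{client} swept {attr}: {', '.join(prefixes)}")
```

A hit here is a signal to review the client, not a control: as the reply says, protecting the data itself means securing it appropriately.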