Re: Can we limit the total number of search results returned?

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Eric Chamberlain (eric.chamberlain_at_newsgroups.nospam)
Date: 04/21/04

• Next message: Eric Fleischman [MSFT]: "Re: SCP error and ADAM"
• Previous message: Matt Hickman: "Re: XP slowness logging into an AD domain"
• In reply to: Dmitri Gavrilov [MSFT]: "Re: Can we limit the total number of search results returned?"
• Messages sorted by: [ date ] [ thread ]

---

Date: Tue, 20 Apr 2004 19:44:18 -0700

Thank you for confirming our research.

"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
news:O0YwWriJEHA.3436@tk2msftngp13.phx.gbl...
> The previous replies do apply, but you have to realize if you want to
> protect your data, then the proper way of doing this is securing it
> appropriately.
>
> Page size affects only a single page size. If the client does a paged
search
> (and any self-respecting client does), then they can pull all of your data
> page-by-page. We do not have the policy to limit the total number of
entries
> returned by a paged search. Even if we did, they would be able to pull
> everything by running multiple searches like (username=a*), (username=b*),
> etc.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Eric Chamberlain" <eric.chamberlain@newsgroups.nospam> wrote in message
> news:#l49UkWJEHA.2736@TK2MSFTNGP12.phx.gbl...
> > We have 40,000 users and don't want them to be able to pull all the
> e-mail
> > addresses from AD. In iPlanet, we can limit the search results to 100
> > records. Is there an equivalent setting we can configure on the domain
> > controllers, without impacting normal functions?
> >
> > Users may be connecting via LDAP and paging. I see we can limit page
> > results returned, but we want to limit the entire search results.
> >
> > Currently we can track abuses by logging expensive queries and long
> running
> > queries, but we would rather be proactive than reactive.
> >
> >
>
>

---

• Next message: Eric Fleischman [MSFT]: "Re: SCP error and ADAM"
• Previous message: Matt Hickman: "Re: XP slowness logging into an AD domain"
• In reply to: Dmitri Gavrilov [MSFT]: "Re: Can we limit the total number of search results returned?"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: Can we limit the total number of search results returned? ... If the client does a paged search ... they would be able to pull ... everything by running multiple searches like,, ... > Currently we can track abuses by logging expensive queries and long ... (microsoft.public.windows.server.active_directory) Can we limit the total number of search results returned? ... We have 40,000 users and don't want them to be able to pull all the e-mail ... In iPlanet, we can limit the search results to 100 ... Currently we can track abuses by logging expensive queries and long running ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2004-04