python active directory module pyad max returned group members

Question

How can I return all group members if it is over 1500, I'm using below code Using execute_query member attribute in the group is empty

import pyad.adquery
q = pyad.adquery.ADQuery()
q.execute_query(
attributes = ["CN", "sAMAccountName", "sAMAccountType", "name", "title", "distinguishedName", "mail", "managedBy", "member", "memberOf"][::-1],
where_clause = "{0} = '{1}'".format(query_attribute,query_value),
base_dn = "DC=domain,DC=company,DC=net",
)  --> Using execute_query member attribute is empty

result = list(q.get_results())[0]['member'] --> result is None

using pyad.from_cn only first 1500 users returned

f = pyad.pyad.from_cn('Group Name')
f.get_attribute('member') or f.get_members()  --> both return only 1500 Users

Answer 1

This limit doesn't come from pyad, but AD itself. Active Directory will only give you 1500 rows from a multi-value attribute. To get the rest, you have to specifically ask for more.

I haven't tried this in Python, but to ask for the next 1500, you should be able to do something like this:

f.get_attribute('member;range=1500-*')

Try that and see if it works.

Looking at the Pyad source code, that might not actually work (because of the hasattr check, which might not remove the "range" part when checking if the attribute is valid). There is also an issue logged for this, which hasn't been replied to. And since the project is no longer maintained, it's unlikely to get fixed unless you fork it and fix it yourself (it should be as easy as removing that hasattr check).

But if that does happen to work, you will have to put that into a loop and keep going until you get an error, which means there are no more results. I have an example in C# here. You can translate the logic in the loop to Python.