CAUSE
The
System.DirectoryServices namespace contains a flaw that can cause truncation of group membership in circumstances where new members are added to a group that already contains more than 1000 members.
Specifically, the problem occurs when you use the
DirectoryEntry::Properties.Add method. By default, the Lightweight Directory Access Protocol (LDAP) server responds to a request to return data for multi-valued attributes by returning only the first 1000 values (or the first 1500 values for Windows Server 2003). To obtain the whole list of values, an application must use a concept that is known as
ranging. The
System.DirectoryServices.DirectoryEntry object does not do this for you when retrieving multi-values attributes. Because of this behavior, you never receive more than 1000 members for a group when you access the
DirectoryEntry::Properties["member"] attribute of a group.
When you add values to a multi-valued attribute by using the
DirectoryEntry::Properties["attribute"].Add method, you are essentially adding a new value to the existing values that are cached internally in a property cache. Another later call to
DirectoryEntry::CommitChanges causes the server to overwrite the whole multi-valued attribute with the values that are in the cache. Because the
System.DirectoryServices namespace retrieved only 1000 of the values, any server-side values that were not returned are consequently removed from the multi-valued attribute during the overwrite. With regard to the
"member" attribute of a group, this behavior causes all group members that are above that 1000-value threshold to be removed from the group membership.
The following sample code demonstrates the cause of this problem.
DirectoryEntry oGrp = new DirectoryEntry("LDAP://CN=Big Group,CN=Users,DC=Fabrikam,DC=com");
oGrp.Properties["member"].Add("LDAP://CN=John Doe,CN=Users,DC=Fabrikam,DC=com");
oGrp.CommitChanges();
There is also a side-effect that is related to this flaw. When the group membership is truncated, one event is written to the Security event log about users who were removed. If you have large groups and do frequent updates by using the code that is mentioned earlier, your Security event log can fill up very quickly. Microsoft recommends that you use the following workaround to avoid this problem.
RESOLUTION
The Microsoft .NET Framework 1.0
Service pack information
To resolve this problem, obtain the latest service pack for the .NET Framework 1.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
318836 How to obtain the latest .NET Framework 1.0 service pack
Hotfix information
For more information about a hotfix for this problem, click the following article number to view the article in the Microsoft Knowledge Base:
839425
FIX: The group membership list becomes truncated when you add group memberships by using the .NET Framework System.DirectoryServices namespace
The .NET Framework 1.1
For more information about a hotfix for this problem, click the following article number to view the article in the Microsoft Knowledge Base:
839424
FIX: The group membership list becomes truncated when you add group memberships by using the .NET Framework System.DirectoryServices namespace
WORKAROUND
To work around this problem, invoke the
IADsGroup::Add method on the underlying Active Directory Service Interface (ADSI) that is associated with the
DirectoryEntry object. The following sample code demonstrates adding a user to a specific group.
DirectoryEntry oGrp = new DirectoryEntry("LDAP://CN=Big Group,CN=Users,DC=Fabrikam,DC=com");
oGrp.Invoke("Add", new Object[] { "LDAP://CN=John Doe,CN=Users,DC=Fabrikam,DC=com" });