This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 68%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERU%3C/text%3E%3C/svg%3E)
When we try to fetch all the Users or Computers objects present in AD using the below code which binds with AD using ADsOpenObject(), it returns excessive number of objects which are not really part of the AD.
For e.g. We have around 8000 Users and 9000 Computers in AD. But when we try to fetch them, the total object count finally will be 25000 Users and 67000 Computers.
We tried to verify the returned objects, but they are not like randomly generated objects, have some meaningful names and properties. But unfortunately they are not part of our directory.
Please find the server details below that I have attached for reference.
------------------------------------------------------------
Domain Functional Level --> Windows Server 2012 R2
Forest Functional Level --> Windows Server 2012 R2
Number of DCs --> 3
-----------------------------------------------------------
Kindly help us finding out what we're doing wrong here.
void GetMembers(wchar_t* szFilter, IDirectorySearch* pDirSearch, LPWSTR* attributes, DWORD attributeCount, bool allMembers)
{
HRESULT hr;
USES_CONVERSION;
ADS_SEARCH_HANDLE hSearch = NULL;
ADS_SEARCH_COLUMN col;
ADS_SEARCHPREF_INFO SearchPref[2];
SearchPref[0].dwSearchPref = ADS_SEARCHPREF_SEARCH_SCOPE;
SearchPref[0].vValue.dwType = ADSTYPE_INTEGER;
SearchPref[0].vValue.Integer = ADS_SCOPE_SUBTREE;
SearchPref[1].dwSearchPref = ADS_SEARCHPREF_PAGESIZE;
SearchPref[1].vValue.dwType = ADSTYPE_INTEGER;
SearchPref[1].vValue.Integer = 1000;
pDirSearch->SetSearchPreference(SearchPref, 2);
hr = pDirSearch->ExecuteSearch(szFilter, attributes, attributeCount, &hSearch);
int ObjectCount = 0;
LPWSTR pszColumn = NULL;
PSID pObjectSID = NULL;
LPWSTR szSID = NULL;
printf("\n\n---------------------------Fetching Object Started--------------------------------\n");
while ((hr = pDirSearch->GetNextRow(hSearch)) != S_ADS_NOMORE_ROWS) {
ObjectCount++;
std::cout << "\n" << ObjectCount << "\n";
int index = 0;
int co = 0;
while (pDirSearch->GetNextColumnName(hSearch, &pszColumn) != S_ADS_NOMORE_COLUMNS)
{
hr = pDirSearch->GetColumn(hSearch, attributes[index], &col);
if (SUCCEEDED(hr)) {
if ((_wcsicmp(col.pszAttrName, L"distinguishedName") == 0)) {
wprintf(L"%-20s %-20s\n", attributes[index], col.pADsValues->CaseIgnoreString);
}
}
else {
printf("Error null value in %ws\n", attributes[index]);
}
index++;
}
}
if (hr != 0x00005012) {
printf("herror in GetMembers of get next row %0x", hr);
}
printf("\n\nTotal ObjectCount : % d\t\n", ObjectCount); // Here we're getting the count as 25000 for users and 67000 for computers objects
printf("\n\n---------------------------Fetching Object completed--------------------------------\n\n\n");
if (hSearch)pDirSearch->CloseSearchHandle(hSearch);
pDirSearch->Release();
CoUninitialize();
}
void GetObjects()
{
LPWSTR pwd = (LPWSTR)L"password";
LPWSTR dcname = (LPWSTR)L"password";
LPWSTR distinguishedName = (LPWSTR)L"DC=domain,DC=com";
LPWSTR username = (LPWSTR)L"username";
LPOLESTR rootStr = new OLECHAR[wcslen(L"LDAP://") + wcslen(dcname) + wcslen(L"/") + wcslen((LPWSTR)distinguishedName) + 1];
wcscpy(rootStr, L"LDAP://");
wcscat(rootStr, dcname);
wcscat(rootStr, L"/");
wcscat(rootStr, (LPWSTR)distinguishedName);
printf("\n\nLDAP DC path = %ws\n\n", rootStr);
HRESULT hr;
USES_CONVERSION;
DWORD attributeCount = 1;
LPWSTR attributes[] = {(LPWSTR)L"distinguishedName"};
IDirectorySearch* pDirSearch = NULL;
LPWSTR szFilter = new WCHAR[MAX_PATH];
wcscpy(szFilter, L"(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370)))");
CoInitialize(NULL);
hr = ADsOpenObject(rootStr,
username,
pwd,
ADS_SECURE_AUTHENTICATION, IID_IDirectorySearch, (void**)&pDirSearch);
if (SUCCEEDED(hr)) {
GetMembers(szFilter, pDirSearch, attributes, attributeCount, false);
}
else {
if (hr == 0x8007200a) {
printf("\nNo View Permission");
}
else {
printf("\n\nAuthentication failure");
}
printf("\n\nObject Bind Failed, error code : %x", hr);
}
}
Could you please tell us how you determined how many users and computers are actually in AD? Whether to use filters when looking up objects using Active Directory?
I suggest you could refer to the Doc: Searching with the IDirectorySearch Interface
Hi JeanineZhang,
I have used the following Get Commands in the PowerShell to get the objects count.
All the above three commands produces the count which is exactly same as the number of user/computer objects present in AD at that time. But when we use LDAP query using the above mentioned code, it gives us the wrong count. Also when we used the same LDAP query to get the users or computers in ADUC window, it gives us the correct count. The problem that we're facing is occurs only while using the C++ code to get the users/computers form AD.
Hi,
You can use this function count the number of objects in the domain, it will also display how many of the user objects are active, which might be what is shewing you numbers.
https://nettools.net/object-counts/
Gary.
Hi GaryReynolds,
We have tried to count the objects present in AD using various methods including the method you have shared. All of them are showing the same count. The problem we're facing is that we're getting the excess number object count with huge difference compared to the count in AD that we have checked using native methods and apps as you mentioned.
And the main problem here is that not only the count is huge, we're also able to get the objects properties for all those excess objects which are not part of our AD. So we really don't know what we're doing wring to get the users/computers using the code that we have added in the question. Even the same code is now working fine and getting correct number of users and computers in one of our AD server which is also having the same server configurations as mentioned in the question. So I hope we're having no issues in the code because it is working on other servers, but only for that particular AD server it is not working and giving random objects for us.
A couple of questions:
is your forest a single or multiple domains?
Is the other DC, that works, is it in the same domain or a different domain?
if they are in the same domain, what is the difference between them?
For one of the objects that doesn't exist in the AD, is the DN of the object correctly formed and part of the same domain? is it possible that it's a non-existent object have been deleted?
If you try to retrieve a non-existent object based on the DN using LDP does it return the object? If so, does it work on the DC that does return the correct number of objects?
You could try to dump the AD database to see if the objects are listed in the dump - details here: https://nettools.net/howto-dump-the-active-directory-database/
With NetTools you can use the Site Browser option to confirm the Query Policies for the two DC and confirm they are the same.
Gary.
Gary.
Just a quick follow up, I've compiled your code sample and ran it against a couple of different domains, and in all cases it returned the correct number of objects, so your code is good.
Gary.
Hi Gary,
Thank you so much for confirming that our code is running without any issues. So can we assume that there is some issues on the DC server. If so, is there any steps to fix that? Because we need to make this work on that server itself. It would be great if we have any solution or steps for that.
Thanks in advance.
If you can answer the questions above it will help with the next steps.
Just checking if there is any update or progress on providing the answers to the additional questions above?
Gary.
Hello Gary,
Sorry for the late response,
Here are the answers for your question.
For question 4 and 5, I will check the details and share with you.
I have to say I haven't seen this problem before, so personally I would do loads of testing to try and understand what is going on and why, below are some of the steps that I would try to identify the cause of the issue.
I would dump the database and do a compare to see if the object exist in both databases
Check the health of the DC with DCdiag /v /c
Check the health of the replication repadmin /showrepl and repadmin /replsummary
Check for Lingering Objects - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/information-lingering-objects
Check the integrity of the AD database - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/complete-semantic-database-analysis-ad-db
I would use the Object Replication option of the NetTools to check if the objects exist on both DCs
Ultimately the fix might be to dcpromo the affected DC out of the domain and add it back in again.
Gary.
Just checking if there is any update or progress on this one?
Did you manage to fix the issue?