Searches that use group membership as one of the filters may not return all of the expected objects or changes. Similarly, alerts may not run as expected because the underlying search does not return everything.
In the Coordinator log you can see entries similar to the following when a group with more than 1500 members is expanded:
"Expanding group <CanonicalNameOfGroup> with 1500. members"
This shows that the LDAP query used to return the group membership results in the DC responding with only 1500 objects, regardless of whether the group has more than 1500 members.
Searches that target group membership require the Coordinator to expand those groups to enumerate all of their members. There are default LDAP policies that limit the number of objects returned from an LDAP query to 1000 or 1500, depending on the Domain and Forest Functional Levels of your Active Directory. The two main policies that affect this behavior are MaxPageResults (default is 1000 in the latest AD versions) and MaxValRange (default is 1500 in the latest AD versions).
This limit caps the number of objects returned by a single query; if the total number of objects exceeds the limit, the client must request additional pages (or value ranges). CA is not requesting these additional pages correctly when it performs group expansion, so it only receives 1000-1500 objects from its group expansion query.
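The following added example (not Quest code and not the Change Auditor coordinator's implementation) illustrates the mechanism described above. A constructed in-memory stand-in for a DC enforces MaxValRange on the multivalued member attribute the way Active Directory does: a plain read of member on a large group comes back as member;range=0-1499, and the client must keep asking for member;range=<next>-* until the server answers with a range ending in *. The naive reader stops after the first response and shows the 1500-member symptom; the correct reader follows the ranges. Raising MaxValRange (the workaround below) is shown as the value that lets the naive reader succeed again. Class and function names, and the member DNs, are assumptions made for this example.

```python
import re

# Matches AD's ranged attribute names, e.g. "member;range=0-1499" or "member;range=1500-*"
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)


class FakeDC:
    """Constructed stand-in for a DC enforcing MaxValRange on 'member' (not a real LDAP server)."""

    def __init__(self, members, max_val_range=1500):
        self.members = list(members)
        self.max_val_range = max_val_range

    def read_member(self, requested_attr="member"):
        """Answer a read of 'member' or 'member;range=lo-hi'.

        Returns at most MaxValRange values and names the returned attribute with
        the range actually served; a high bound of '*' marks the final chunk.
        """
        total = len(self.members)
        if requested_attr.lower() == "member":
            if total <= self.max_val_range:
                # Small group: the whole list arrives under the plain attribute name
                return {"member": self.members[:]}
            lo = 0
        else:
            m = RANGE_RE.match(requested_attr)
            if not m:
                raise ValueError(f"unsupported attribute {requested_attr!r}")
            lo = int(m.group(1))
        if lo >= total:
            return {}  # nothing left past the requested offset
        hi = min(lo + self.max_val_range - 1, total - 1)
        label = "*" if hi == total - 1 else str(hi)
        return {f"member;range={lo}-{label}": self.members[lo:hi + 1]}


def expand_group_naive(dc):
    """Reads 'member' once and stops: members beyond MaxValRange are silently dropped.

    This is the behaviour that produces a log line reporting exactly 1500 members.
    """
    resp = dc.read_member("member")
    return next(iter(resp.values()), [])


def expand_group(dc):
    """Correct expansion: follow member;range=... until the server signals '*'."""
    members = []
    attr = "member"
    while True:
        resp = dc.read_member(attr)
        if not resp:
            break
        name, values = next(iter(resp.items()))
        members.extend(values)
        if name.lower() == "member":
            break  # full list delivered in one response
        _, hi = RANGE_RE.match(name).groups()
        if hi == "*":
            break  # final chunk received
        attr = f"member;range={int(hi) + 1}-*"  # ask for the next range
    return members


if __name__ == "__main__":
    # Constructed sample: a group with 3700 members, more than the default MaxValRange
    sample = [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3700)]
    print("naive, MaxValRange=1500:", len(expand_group_naive(FakeDC(sample, 1500))))
    print("ranged, MaxValRange=1500:", len(expand_group(FakeDC(sample, 1500))))
    print("naive, MaxValRange=5000:", len(expand_group_naive(FakeDC(sample, 5000))))
```

Running the block shows the naive reader capped at 1500 and the ranged reader returning all 3700; with MaxValRange raised to 5000 the naive reader also returns all 3700, which is why the workaround helps until the coordinator is fixed. Raising MaxValRange only moves the ceiling, so size it above the largest group that any search or alert depends on.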
WORKAROUND:
Modify the LDAP policies for AD that are limiting the number of objects returned:
NOTE:
To modify the MaxValRange LDAP Policy:
1. Login to a DC as a Domain Admin
2. Open an elevated command prompt
3. Type ntdsutil and hit enter
4. Type ldap policies and hit enter
5. Type connections and hit enter
6. Type connect to server <NameOfDC> and hit enter
7. Type q and hit enter
8. Type show values and hit enter. This will display a list of the current values
9. Type set maxvalrange to 5000 (or the number you determine to be best for your environment) and hit enter
10. Type show values and hit enter. Note: confirm that the new value, shown in brackets next to the old value, is correct
11. Type commit changes and hit enter to save the new value
12. Type show values to confirm the new value is saved
13. Type q and hit enter
14. Type q and hit enter
A reboot of the DC may be needed.
STATUS:
Defect ID 348660 (The CA coordinator is not properly querying AD groups for expansion) has been logged and is tentatively assigned to be included in Change Auditor 7.3. At the time of writing, there is no defined release date for CA 7.3.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.