How To Configure ADFS To Return More Than The Default 1000 Records

KB002721

PRODUCT
K2 Five

 

When the Sync Service (introduced in K2 Five (5.2)) synchronizes identities between K2 and AD FS, the LDAP search it runs against Active Directory is subject to the domain's LDAP query policy, which by default returns at most 1000 objects per search. If your domain contains more than 1000 users and groups, only the first 1000 are returned and the remaining identities are never synchronized. Use the information in this article to raise that limit so that all identities synchronize.

See the Sync Service service type topic in the K2 Five User Guide for more information on manually running and scheduling identity syncs.

Update your LDAP Query Policy

By default, the MaxPageSize entry of the Default Query Policy is 1000, so a single LDAP search returns at most 1000 objects. Raising the value lets the Sync Service retrieve all of your identities. Before you change it, note two things. First, the Default Query Policy lives in the forest-wide Configuration partition and applies to every domain controller that has not been assigned its own query policy, and to every LDAP client that queries them, not only to the Sync Service. Second, a larger page size lets any single unpaged search hold a correspondingly larger result set in domain-controller memory, so set the value only as high as your user and group count requires rather than to an arbitrarily large number.

  1. Launch ADSI Edit on a domain controller, or on a machine with the AD DS management tools installed: click Start, type 'ADSI Edit', and click ADSI Edit in the search results.
  2. Connect to the Configuration partition: right-click ADSI Edit, select Connect to..., and choose Configuration as the well-known naming context.
  3. In the left pane, expand the Configuration container, then Services > Windows NT > Directory Service, and select the Query-Policies container. In the right pane, right-click Default Query Policy and select Properties. Double-click the lDAPAdminLimits attribute to edit it.
  4. Select MaxPageSize=1000 and click Remove.
  5. In the Value to add box, enter MaxPageSize= followed by a value greater than the total number of users and groups in your domain, for example MaxPageSize=10000. Click Add, then click OK twice to save your changes.
  6. Manually run an identity sync as described in the Sync Service service type topic referenced above, and confirm that the number of synchronized identities matches the number of users and groups in your directory.
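The same change can be scripted so that it is repeatable and leaves a record of the old and new value. The following PowerShell is an added example and is not part of the original K2 article or of the K2 product; it assumes the ActiveDirectory RSAT module is installed, that the caller has rights to write to the Configuration partition, and that a page size of 10000 is adequate (adjust the value to exceed your own user and group count). It performs steps 3 to 5 above: it locates the Default Query Policy, checks that the new limit actually exceeds the number of identities, replaces the MaxPageSize entry in lDAPAdminLimits, and reads the attribute back.

```powershell
# Added example (not from the original article): PowerShell equivalent of the
# ADSI Edit steps for raising MaxPageSize on the Default Query Policy.
# Assumes the ActiveDirectory module and rights to modify the Configuration
# partition. The default value below (10000) is an assumption.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateRange(1001, [int]::MaxValue)]
    [int]$NewMaxPageSize = 10000
)

Import-Module ActiveDirectory -ErrorAction Stop

# The Default Query Policy lives in the forest-wide Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNC"

# Sanity check: the new limit must exceed the identities the Sync Service pulls.
# Get-ADUser and Get-ADGroup use the LDAP paged-results control internally,
# so this count is not itself capped by the current MaxPageSize.
$userCount  = @(Get-ADUser  -Filter *).Count
$groupCount = @(Get-ADGroup -Filter *).Count
$total = $userCount + $groupCount
Write-Verbose "Users: $userCount  Groups: $groupCount  Total: $total"
if ($NewMaxPageSize -le $total) {
    throw "MaxPageSize=$NewMaxPageSize is not larger than the $total users and groups in this domain."
}

# lDAPAdminLimits is multi-valued; each entry is a 'Name=Value' string.
$policy   = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits
$oldEntry = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxPageSize=*' }
$newEntry = "MaxPageSize=$NewMaxPageSize"
Write-Verbose "Current entry: $oldEntry"

if ($oldEntry -eq $newEntry) {
    Write-Host "MaxPageSize is already $NewMaxPageSize; nothing to do."
    return
}

# Steps 4 (Remove) and 5 (Add) from the article, applied in a single write.
if ($PSCmdlet.ShouldProcess($policyDN, "Replace '$oldEntry' with '$newEntry'")) {
    $changes = @{ Add = @{ lDAPAdminLimits = $newEntry } }
    if ($oldEntry) { $changes.Remove = @{ lDAPAdminLimits = $oldEntry } }
    Set-ADObject -Identity $policyDN @changes

    # Read the attribute back to confirm what was actually stored.
    $after = (Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits).lDAPAdminLimits |
             Where-Object { $_ -like 'MaxPageSize=*' }
    Write-Host "Stored entry is now: $after"
}
```

Run it with -WhatIf first to see the distinguished name and the exact replacement it would make. Because the policy object is in the Configuration partition, the change must replicate to the other domain controllers before they honor it; to confirm the value a given domain controller is actually enforcing, run ntdsutil on it ("LDAP policies", then "connections", "connect to server <DC>", "quit", then "show values") and check the MaxPageSize line, since newer Windows Server versions apply hard-coded upper bounds to some lDAPAdminLimits settings regardless of what is stored in the directory.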

 

 
