Identity & Access Management and Access Control



LDAP: Query large multi-value attributes

How to get all the values from a large multi-value LDAP-attribute using vbscript


When querying an Active Directory or LDAP-implementation you might run into restrictions on maximum records returned. Especially when groups with more than 1500 members are queried, not all members will show. This tutorial will show how to use the RANGE parameter to get to all the members from an Active Directory group.


Goal is to learn about the use of the RANGE parameter in LDAP queries to Active Directory.


LDAP & VBScript developers


  • access to an Active Directory
  • text editor to create .vbs (VBScript) files
  • command line, possibly with elevated rights


Required knowledge

  • Basic knowledge of LDAP queries
  • Basic knowledge of LDAP restrictions
  • Basic knowledge of Active Directory, groups and users

Required tools

Tutorial lessons

This tutorial exists of a number of lessons which must be followed in order to reach the desired effect. Please review each step by clicking on the title

1 - The RANGE parameter

First we will look at a general search using ldapsearch command using a range parameter
Now we know how the range parameter behaves we can continue with the vbscript.

2 - Query the Active Directory

In this lesson we will look at the script parts that make up the working solution.