
Query on LDAP

Glenn Maxwell 13,616 Reputation points
2026-03-19T08:29:29.8133333+00:00

Hi All,

I am facing an issue with LDAP queries on macOS when retrieving Active Directory group memberships.

I have both a Windows and a macOS device. On Windows, when I query a user’s group memberships against a domain controller using PowerShell (Get-ADPrincipalGroupMembership), I get the expected count. To my knowledge, this cmdlet does not rely solely on a basic LDAP query and is able to resolve nested group memberships.

However, when I perform an LDAP search from macOS for the same user, I receive fewer group memberships. For example, Windows returns around 150 groups, whereas macOS returns only about 100. I suspect that macOS is not retrieving all nested group memberships, but I am not entirely sure.

Is there any limitation or default restriction in LDAP queries from macOS (such as size limits, lack of paging, or attribute constraints) that could cause this discrepancy? Any guidance would be appreciated.

Windows for business | Windows Server | Directory services | Active Directory

Answer accepted by question author
  1. Jason Nguyen Tran 15,510 Reputation points Independent Advisor
    2026-03-19T09:15:35.53+00:00

    Hello Glenn Maxwell,

    The difference you’re seeing is not unusual: Windows PowerShell cmdlets like Get-ADPrincipalGroupMembership are designed to resolve nested group memberships, whereas a basic LDAP query typically only returns the direct memberships unless you explicitly configure it to expand further.

    On macOS, LDAP queries often have default constraints such as size limits (commonly 1000 entries), lack of paging support, or omission of attributes like memberOf expansion. This means you may only see a subset of groups unless you adjust the query to handle paging or use recursive logic to walk through nested groups.

    I recommend checking whether your macOS LDAP client supports paged results and whether you can query for the tokenGroups attribute. tokenGroups is what Windows uses internally to resolve nested memberships, and it will give you a more complete picture. Keep in mind that not all LDAP tools on macOS expose this attribute by default.

    Another useful test is to run the same query against the domain controller using a tool like ldapsearch with paging enabled, and compare results. If paging or recursion is missing, you’ll consistently see fewer groups.

    I hope the response provided some helpful insight. If it clarified the issue for you, please consider marking it as Accept Answer so others with the same issue can find the solution. Feel free to reply if you need further information.

    Jason.

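The accepted answer points at tokenGroups, which comes back as binary SIDs rather than group DNs, so a macOS client still has to decode each value and resolve it to a group. The block below is an added example (not code from the answerer or from Microsoft) showing that decoding, the reverse encoding, and how to escape a SID into an `(objectSid=...)` filter so all SIDs can be resolved in one query instead of one search per group. The SIDs in the sample list and the lookup table are constructed placeholders; on a real DC you would obtain tokenGroups with a base-scope search of the user object (for example `ldapsearch -E pr=1000/noprompt -s base -b "<user DN>" tokenGroups`, since tokenGroups is only returned at base scope) and run the generated filter against the domain.

```python
"""Decode tokenGroups values (binary SIDs) and build an objectSid filter.

Added example for this thread; the SID values below are constructed, not real.
"""
import struct


def decode_sid(raw: bytes) -> str:
    """Convert a binary SID (as found in tokenGroups/objectSid) to S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then N sub-authorities (4 bytes each,
    little-endian).
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", raw[8:])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; useful for building filters from a known SID string."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_filter(raw: bytes) -> str:
    """Escape a binary SID for an LDAP filter (RFC 4515 \\xx byte escaping)."""
    return "(objectSid=" + "".join(f"\\{b:02x}" for b in raw) + ")"


def batch_filter(sids: list[bytes]) -> str:
    """One OR filter that resolves every tokenGroups value in a single search."""
    return "(|" + "".join(sid_filter(s) for s in sids) + ")"


def resolve_token_groups(token_groups: list[bytes], lookup: dict[str, str]):
    """Map decoded SIDs to group DNs via `lookup`; report SIDs it cannot resolve.

    `lookup` stands in for the objectSid -> DN results of the batch search.
    """
    resolved, unresolved = [], []
    for raw in token_groups:
        sid = decode_sid(raw)
        dn = lookup.get(sid)
        (resolved if dn else unresolved).append(dn or sid)
    return resolved, unresolved


# Constructed sample: a well-known BUILTIN SID plus two domain-relative SIDs.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # placeholder domain SID
SAMPLE_TOKEN_GROUPS = [
    encode_sid("S-1-5-32-544"),          # BUILTIN\Administrators
    encode_sid(f"{DOMAIN}-513"),         # Domain Users (RID 513)
    encode_sid(f"{DOMAIN}-4711"),        # a constructed group RID
]
# Constructed stand-in for the objectSid -> DN results of the batch search.
SAMPLE_LOOKUP = {
    "S-1-5-32-544": "CN=Administrators,CN=Builtin,DC=example,DC=com",
    f"{DOMAIN}-513": "CN=Domain Users,CN=Users,DC=example,DC=com",
}

if __name__ == "__main__":
    for raw in SAMPLE_TOKEN_GROUPS:
        print(decode_sid(raw))
    print(batch_filter(SAMPLE_TOKEN_GROUPS))
    print(resolve_token_groups(SAMPLE_TOKEN_GROUPS, SAMPLE_LOOKUP))
```

Comparing `len(tokenGroups)` against the count from Get-ADPrincipalGroupMembership is the quickest way to confirm whether the gap is nesting (tokenGroups already includes transitive memberships) or a truncated multivalued attribute; any SID that ends up in the unresolved list usually belongs to a group in another domain or a well-known SID with no directory object.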

2 additional answers

  1. Jason Nguyen Tran 15,510 Reputation points Independent Advisor
    2026-03-25T03:23:05.3966667+00:00

    Hello Glenn Maxwell,

    I’m following up to check whether the issue has been resolved. Feel free to reply if you need further information. If the information provided was helpful, please click "Accept Answer" to help others in the community. Thank you!


  2. Q&A Assist
    2026-03-19T08:29:47.6166667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The discrepancy is most likely caused by server‑side LDAP limits on how many values of a multivalued attribute (such as memberOf) a domain controller will return in a single response, not by a macOS‑specific client limit.

    On modern Windows Server domain controllers, LDAP behavior is governed by LDAP policy settings such as:

    • MaxPageSize – limits the number of objects returned in a search result page.
    • MaxValRange – limits how many values of a multivalued attribute are returned.

    For large groups or users with many group memberships, MaxValRange is particularly important. If the number of group memberships exceeds this limit, the domain controller returns only up to that many values for the attribute, and the rest are effectively truncated in the LDAP response.

    The article on LDAP responses from Windows Server 2008 and newer domain controllers shows an example LDAP policy configuration:

    MaxPageSize 50000
    MaxValRange 25000
    

    If these values are lower (or if other LDAP policy limits are in effect), an LDAP client such as the one on macOS that simply reads memberOf (or does a straightforward LDAP search) will only see the subset of memberships that the DC returns.

    By contrast, Get-ADPrincipalGroupMembership on Windows does not just read the raw memberOf attribute. It uses Active Directory logic to resolve nested group memberships and can perform multiple queries and server‑side expansion, so it often returns more complete results than a single basic LDAP query.

    Key points for the behavior observed:

    1. Windows PowerShell cmdlets (like Get-ADPrincipalGroupMembership) use AD Web Services and directory APIs that:
      • Resolve nested group memberships.
      • Are not limited to a single memberOf read.
    2. A basic LDAP search from macOS:
      • Reads only what the DC returns in the LDAP response.
      • Is subject to LDAP policy limits such as MaxValRange and MaxPageSize.
      • Does not automatically expand nested groups unless explicitly implemented in the client logic.

    To investigate and mitigate:

    1. Check LDAP policy on a domain controller using ntdsutil (as described in the referenced article) and verify values for MaxPageSize and MaxValRange.
    2. If necessary and appropriate for the environment, adjust these LDAP policy values so that the DC can return all group memberships for heavily nested or highly populated accounts.
    3. Ensure the macOS LDAP query logic accounts for nested groups if the goal is to match Get-ADPrincipalGroupMembership behavior; this typically requires additional queries or server‑side controls beyond a single attribute read.


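The two mechanisms discussed in this thread (a DC truncating a multivalued attribute at MaxValRange, and a client that never expands nested groups) can be reproduced without a domain controller. The block below is an added example, not code from Q&A Assist or from Microsoft: a constructed in-memory stand-in for a DC that answers attribute requests with the `attr;range=lo-hi` continuation tags Active Directory uses for range retrieval, a client that follows those tags until it sees `range=N-*`, a naive client that ignores them, and a breadth-first walk over memberOf that computes transitive memberships. The directory contents (one user, 120 direct groups nested under 30 parents, plus one deliberate membership cycle) and the simulated MaxValRange of 100 are constructed to mirror the 100-versus-150 numbers in the question.

```python
"""Range retrieval and nested-group expansion against a constructed directory.

Added example for this thread; FakeDC only imitates the range=lo-hi tagging
behaviour of a domain controller and is not a real LDAP server.
"""
import re
from collections import deque

RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


class FakeDC:
    """Constructed stand-in for a DC that enforces MaxValRange on one attribute."""

    def __init__(self, objects, max_val_range=1500):
        self.objects = objects            # {dn: {attr: [values]}}
        self.max_val_range = max_val_range

    def search_attr(self, dn, requested):
        """Answer one attribute request the way a DC does: {returned_name: values}."""
        m = RANGE_RE.match(requested)
        attr, lo = (m.group("attr"), int(m.group("lo"))) if m else (requested, 0)
        values = self.objects.get(dn, {}).get(attr, [])
        if lo == 0 and len(values) <= self.max_val_range:
            return {attr: list(values)}   # fits in one response: no range tag
        chunk = values[lo:lo + self.max_val_range]
        # The last chunk is tagged "lo-*" so the client knows it has everything.
        tag = "*" if lo + len(chunk) >= len(values) else str(lo + len(chunk) - 1)
        return {f"{attr};range={lo}-{tag}": chunk}


def read_naive(dc, dn, attr):
    """A client that ignores the range tag sees only the first chunk."""
    return next(iter(dc.search_attr(dn, attr).values()))


def read_all_values(dc, dn, attr):
    """Follow range= continuations until the DC answers with range=N-*."""
    collected, requested = [], attr
    while True:
        (name, values), = dc.search_attr(dn, requested).items()
        collected.extend(values)
        m = RANGE_RE.match(name)
        if not m or m.group("hi") == "*":
            return collected
        requested = f"{attr};range={int(m.group('hi')) + 1}-*"


def expand_nested_groups(dc, user_dn):
    """Transitive closure over memberOf; the visited set guards against cycles."""
    seen, queue = set(), deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group in read_all_values(dc, dn, "memberOf"):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def build_sample_directory(direct=120, fan_in=4):
    """Constructed directory: one user, `direct` direct groups, nested parents."""
    user = "CN=alice,OU=Users,DC=example,DC=com"
    objects = {user: {"memberOf": []}}
    for i in range(direct):
        g = f"CN=G{i},OU=Groups,DC=example,DC=com"
        p = f"CN=Parent{i // fan_in},OU=Groups,DC=example,DC=com"
        objects[user]["memberOf"].append(g)
        objects[g] = {"memberOf": [p]}
        objects.setdefault(p, {"memberOf": []})
    # A membership cycle (Parent0 is itself a member of G0) must not loop forever.
    objects["CN=Parent0,OU=Groups,DC=example,DC=com"]["memberOf"].append(
        "CN=G0,OU=Groups,DC=example,DC=com")
    return user, objects


def compare(max_val_range=100):
    """Counts a naive read, a range-aware read, and full nested expansion."""
    user, objects = build_sample_directory()
    dc = FakeDC(objects, max_val_range)
    return {
        "naive_first_chunk": len(read_naive(dc, user, "memberOf")),
        "ranged_direct": len(read_all_values(dc, user, "memberOf")),
        "nested_total": len(expand_nested_groups(dc, user)),
    }


if __name__ == "__main__":
    print("simulated MaxValRange=100:", compare(100))
    print("simulated MaxValRange=1500:", compare(1500))
```

Running it shows the three numbers a practitioner should compare on a real DC: if the first chunk and the range-aware total differ, the client is hitting MaxValRange and must follow `range=` tags; if the range-aware total still falls short of the Windows count, the missing groups are nested and the client has to walk memberOf (or read tokenGroups) rather than rely on a single attribute read.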