Dear all,

Has anyone had any success with using large AD groups with more than 1500 members from ZCM? When viewed from ZCM, these groups show as having no members (and in one strange case, only show 2 of the many members). Consequently we're unable to use these groups for assigning bundles / policies.

In our DEV environment we tried adjusting the "MaxValRange" LDAP search parameter on the domain controller ( as per How to view and set LDAP policy in Active Directory by using Ntdsutil.exe ), which by default was set to 1500, but it did not make any difference.

Looking at the group object in AD, I noticed that in these large groups, the attribute for group members is "member;range=0-1499". For groups with <1500 members, the attribute is simply "member". So I did some research and found OpenLDAP ITS - Message 5472 , which seemed to describe the situation.

It seems that ZCM is unable to interpret the "member;range=0-1499" attribute returned by AD.

What can be the workaround other than breaking the group into many smaller groups? Your insight or suggestion on this matter would be much appreciated.

Oh btw We run ZCM 10.3.1 on Windows platform and AD as user source.

Kind Regards,
Auckland University of Technology