Skip navigation
This discussion is archived

Only a portion of AD users showing in Workgroup Manager

1443 Views 7 Replies Latest reply: Jan 15, 2009 11:23 AM by Ken_Edgar RSS
Ken_Edgar Level 1 Level 1 (30 points)
Currently Being Moderated
Nov 3, 2008 8:01 AM
I have setup a test 10.5.5 server. I bound to AD, then set to OD Master. I am able to see and manage AD accounts, but only 983 of over 2000 user accounts actually are showing up.

Any suggestions?

Thank you,
Mixed environment, Mac OS X (10.5.5)
  • Antonio Rocco Level 6 Level 6 (10,100 points)
    Hi Ken

    I have noticed that WGM can struggle to show more than 1000 entries. This was certainly true in my experience for 10.4 Server. I have seen similar behaviour in 10.5. Having said that I have managed to view up to 2,500 AD Users and Groups using WGM recently. In that sense it does seem to be inconsistent?

    Not much of a surprise really all things considered! Server Admin behaves in a similar fashion as well.

    What you can try is launch WGM and select Preferences from the WGM Menu. You'll see an option to "List a maximum of _ records." Enable this and define a number. See if that helps? What you can also try is using the filter to search for records you can't see. Odds are it will list them. Whilst you are in WGM's Preferences menu enable the "Show all records tab and inspector". This is extremely useful as it will allow you to browse information coming from the AD schema itself as seen by WGM.

    I have seen a similar problem with AD Users and Groups not showing correctly in WGM - actually it was more they disappeared and reappeared at random - which was down to SMB Digital Signing not being properly disabled on the DC. If that happens you can issue this command from Terminal after binding with the AD plug-in:

    sudo dsconfigad -packetsign disable -packetencrypt disable

    Once issued it should report "Settings successfully changed". To verify both options are off issue:

    sudo dsconfigad -show

    It should show (at the bottom of the list) packet sign = disable, packet encrypt = disable. It's a good idea to issue this anyway when integrating macs into AD regardless of what is disabled or enabled on the DC.

  • Antonio Rocco Level 6 Level 6 (10,100 points)
    Hi Ken

    Its a good idea to get them to check again. It's not enough for them to be "Not Defined". They must be "Disabled". You may have to get them to check not only the Domain Security Policies but also the Domain Controller Security Policies. I've also known it take some time for those settings to fully propagate outwards.

    I know its difficult for you to track down but some Windows Admins apply GPOs at the top OU level which can give permissions problems when accessing home folders for Mac clients. If it turns out that everything is as it should be then I guess it is simply WGM's inconsistent ability to show you any more than you currently see. Who knows if you wait a few weeks they may all appear in their full and unadulterated glory. What a surprise that will be!

  • foilpan Level 4 Level 4 (1,385 points)
    did you set a limit to the number of records wgm will display? check the prefs.

    also, can you search for records that don't show up automatically or use a * in the search field to show all?
    macbook pro 2.16 ghz, powerbook G4 1ghz, G4 400 mhz, poweredge and some junkers, Mac OS X (10.5.5)


More Like This

  • Retrieving data ...

Bookmarked By (0)


  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.