LDAP: why would the following use of DirectoryEntry return no members for a large global security group?

StackOverflow https://stackoverflow.com/questions/316100

Question

The following code works for 90+% of global security groups, but for one very large global security group, it returns an enumerator but no member objects of the group, even though the group has many thousands.

```csharp
DirectoryEntry group = groupResult.GetDirectoryEntry();
filter = "member;range=0-20";
group.RefreshCache(new[] { filter });
PropertyValueCollection groupMembers = group.Properties["member"];
IEnumerator iEnum = groupMembers.GetEnumerator();
//On one large global security group, this returns a valid iEnum,
//but no member entries.  The group has thousands.
//This code works for every other group I've encountered.
```

Solution

The problem may not be with your code, but with access security in your directory - you may not have rights to enumerate the members of that group.

OTHER TIPS

Is it possible that the LDAP server has limits set on how large a return set, or amount of time it may spend, in a single response?

As always, test with a third-party LDAP browser and see if you can get it that way. That tests the authentication and rights issue, as well as whether the server is limiting the size or time of the response.
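The answers above name two causes, read rights on the group and server-side limits on a single response. The following added example (not code from the question or the answers) shows how a ranged `member` read can tell them apart: it pages until the server marks the final chunk with `*` and reports when no `member` attribute came back at all. The `fetch` delegate, `FakeServer`, the 45 constructed DNs and the 20-value cap are assumptions standing in for a real directory.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class RangedMemberRead
{
    // Name the server gives a ranged attribute: "member;range=0-19", or "member;range=40-*" on the last chunk.
    static readonly Regex Ranged = new Regex(@"^member;range=(\d+)-(\d+|\*)$", RegexOptions.IgnoreCase);
    // fetch (hypothetical): one base-scope read of the group; takes the requested attribute, returns what came back.
    public static string ReadAll(Func<string, Dictionary<string, string[]>> fetch, int step, List<string> members)
    {
        int low = 0;
        while (true)
        {
            var attrs = fetch($"member;range={low}-{low + step - 1}");
            string key = attrs.Keys.FirstOrDefault(k => Ranged.IsMatch(k));
            // Nothing came back: either there are no values, or the bound account may not read "member".
            if (key == null) return members.Count == 0 ? "no member attribute returned" : "incomplete";
            members.AddRange(attrs[key]);
            string high = Ranged.Match(key).Groups[2].Value;
            if (high == "*") return "complete";
            low = int.Parse(high) + 1; // resume after the range the server actually returned
        }
    }

    // Constructed directory: 45 members, at most 20 values per read (a server-side limit).
    static Dictionary<string, string[]> FakeServer(string requested, bool readable)
    {
        var result = new Dictionary<string, string[]>();
        if (!readable) return result; // attribute is omitted when the caller lacks read access
        var all = Enumerable.Range(0, 45).Select(i => $"CN=user{i},DC=example,DC=com").ToArray();
        var m = Ranged.Match(requested);
        int low = int.Parse(m.Groups[1].Value);
        int high = Math.Min(int.Parse(m.Groups[2].Value), low + 19);
        bool last = high >= all.Length - 1;
        string name = last ? $"member;range={low}-*" : $"member;range={low}-{high}";
        result[name] = all.Skip(low).Take(last ? all.Length - low : high - low + 1).ToArray();
        return result;
    }
    static void Main()
    {
        foreach (bool readable in new[] { true, false })
        {
            var members = new List<string>();
            string status = ReadAll(req => FakeServer(req, readable), 1500, members);
            Console.WriteLine($"readable={readable}: {status}, {members.Count} members");
        }
    }
}
```

Against a real directory, the same check applies to the names in `SearchResult.Properties.PropertyNames` after a `DirectorySearcher` base-scope search that requests the ranged attribute.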

Licensed under: CC-BY-SA with attribution