Again about troubleshooting AD Powershell queries – This operation returned because the timeout period expired,Microsoft.ActiveDirectory.Management.Commands.GetADUser

By Andrei Ungureanu - Last updated: Saturday, November 19, 2016 - Save & Share - Leave a Comment

I was previously writing about some timeouts when getting data from Active Directory using Powershell cmdlets. Another thing that usually pops up when dealing with large amounts of data in AD is a default timeout of 2 minutes for each page search. This means that the time spend by the server to retrieve a page of results can’t take longer than 2 minutes. So in order to get rid of this error you’ll probably need to adjust the page size using the ResultPageSize parameter. Set that to a lower value so that the server can fill up a page and return it to you faster. Another way will be to improve your filter or target specific objects or OUs so that the amount of data searched is smaller.

The Powershell help also have some good comments about this:

  Timeout Behavior
    The following statements specify timeout conditions within the Active
    Directory module and describe what can be done about a timeout them.

    The default Active Directory module timeout for all operations is 2

    For search operation, the Active Directory module uses paging control
    with a 2-minute timeout for each page search.

    Note: Because a search may involve multiple server page requests the
    overall search time may exceed 2 minutes.

    A TimeoutException error indicates that a timeout has occurred.

    For a search operation, you can choose to use a smaller page size, set
    with the ResultPageSize parameter, if you are getting a TimeoutException

    If after trying these changes you are still getting a TimeoutException
    error, consider optimizing your filter using the guidance in the
    Optimizing Filters section of this topic.

  Optimizing Filters
    You can enhance the search filter behavior by using these guidelines.

    Avoid using the Recursive parameter as it intensifies resource usage of
    the search operation.

    Avoid using bitwise AND operators and bitwise OR operators. For more
    information, see the Supported Operators section of this topic.

    Avoid using the logical NOT operator.

    Break down your search into multiple queries with narrower conditions.
Also check the ADWS docs on how to change the MaxPullTimeout timeout value:

Specifies the maximum allowed time-out value that a client computer can set when it retrieves one page of search results. Set this parameter to a higher value if slow wide area network (WAN) traffic results in a time-out value for returning one page of search results that is longer than two minutes


The ADWS service processes search requests from client computers in the following manner:

A client submits a search request.

The ADWS service establishes a search context and returns a search context ID to the client computer.

Using this search context ID, the client computer issues a page request to extract the search results specifying how many LDAP objects can be returned per page.

MaxPullTimeout controls the maximum amount of time a client can ask the ADWS service to spend retrieving a page of results, while MaxEnumContextExpiration is the maximum time that the search context can be kept open.

And if you still don’t understand what a “page” is, here’s the MSDN documentation:

Hope this makes everything clear and some of you will be able to fix their problematic queries.

Posted in Active Directory, Scripting • Tags: , Top Of Page

Write a comment