In some Active Directory installations, a group whose member attribute holds more values than a certain limit has those values returned in a ranged attribute. This means that the attribute returned from the query is not "member" but "member;range=0-1499". The client is then expected to issue further queries to get the rest of the members, e.g. "member;range=1500-*" and so on.
The vt-ldap config has an option (searchResultHandlers) for a multi-valued list of search result handler classes. However, Grouper needs to be aware of this property when reading the grouper-loader.properties file.
Long term, it may be worthwhile to refactor the property configuration in the loader, to make better use of vt-ldap's built-in handling. Currently, many of the loader properties are parallels of vt-ldap properties, just prepended with different strings. Changing the Grouper code to read in native vt-ldap properties would allow the full range of settable properties to be available. The search result handler in particular has built-in support for parsing and instantiating the comma-delimited list of handler classes. Since it only works in the context of an input stream, my modifications couldn't use it. Instead, I had to reinvent a similar approach.
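The ranged retrieval described in the first paragraph, as an added example that is not Grouper or vt-ldap code: a client loop that follows "member;range=..." responses until the server marks the last chunk with "*", next to a naive read that silently sees no members. The in-memory `fake_search` responder, its 1500-value limit, the 3200-member group and all function names are assumptions constructed for the illustration.

```python
import re

PAGE = 1500  # assumed server-side limit, matching the 0-1499 range above
# Constructed sample group, larger than two full ranges.
GROUP = [f"CN=user{i},OU=People,DC=example,DC=org" for i in range(3200)]

def fake_search(attr_request):
    """Simulated directory: answers 'member' or 'member;range=<low>-*'."""
    m = re.fullmatch(r"member(?:;range=(\d+)-\*)?", attr_request, re.I)
    if not m:
        raise ValueError(f"unsupported attribute request: {attr_request}")
    low = int(m.group(1) or 0)
    chunk = GROUP[low:low + PAGE]
    if low == 0 and len(GROUP) <= PAGE:
        return {"member": chunk}              # small group: plain attribute
    last = low + len(chunk) == len(GROUP)
    high = "*" if last else str(low + len(chunk) - 1)
    return {f"member;range={low}-{high}": chunk}

RANGED = re.compile(r"^(?P<name>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)

def read_all_members(search, attr="member"):
    """Follow ranged responses until the server returns the final '-*' range."""
    members, request = [], attr
    while True:
        entry = search(request)
        hit = None
        for key, values in entry.items():
            m = RANGED.match(key)
            if m and m["name"].lower() == attr.lower():
                hit = (m, values)
                break
        if hit is None:
            # No ranged form present: the plain attribute holds everything.
            return members + list(entry.get(attr, []))
        m, values = hit
        members.extend(values)
        if m["high"] == "*":                  # server marks the last chunk
            return members
        request = f"{attr};range={int(m['high']) + 1}-*"

def naive_members(search, attr="member"):
    """Range-unaware read: looks only for the exact attribute name."""
    return list(search(attr).get(attr, []))

if __name__ == "__main__":
    print("naive read:", len(naive_members(fake_search)))
    print("range-aware read:", len(read_all_members(fake_search)))
```

A range-unaware loader does not fail on a large group; it just reports an empty or truncated membership, which is worth checking for wherever group data feeds access decisions.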