O R G A N I C / F E R T I L I Z E R: powershell: limitation on retrieving members of a group

Sep 25, 2014

powershell: limitation on retrieving members of a group

If you have large group memberships, you might have already run into a limitation with Get-ADGroupMember where the cmdlet will fail with this message:

get-adgroupmember : The size limit for this request was exceeded
At line:1 char:1

(Don’t believe me? Go ahead; try it. I’ll wait.)

It seems the limitation comes up when you query a group with more than 5000 members. The easiest way to get around this would be for Microsoft to come up with a switch that let’s you set the size limit. That’s probably also the longest wait. :) Not to worry, there are ways to get around it.

 

Get-QADGroupMember. Remember this cmdlet? It’s a part of the Quest AD cmdlets. Of course, Quest no longer exists after being gobbled up by Dell so your mileage may vary. It does include a –SizeLimit switch so you can merrily bypass the limitations with it.

Get-ADGroup. If you query the group for its member property and expand it, you can get around the size limit. Here’s how it’s done:

Get-ADGroup myLargeGroup -Properties member | Select-Object -ExpandProperty member

 

Get-ADObject. This AD cmdlet to retrieve objects generically is useful also to get around this limitation. It’s pretty much the same as above. Just use Select-Object to expand the property.

Get-ADObject -LDAPFilter "(&(objectcategory=group)(name=myLargeGroup))" -Properties Member | Select-Object -ExpandProperty member

 

DirectorySearcher. I wouldn’t recommend doing this unless you actually feel like you need to or want a challenge. It’ll be more typing (or realistically, more cutting and pasting) than you want to do. It does seem much faster. Haven’t timed it though.

([adsisearcher]"name=myLargeGroup").FindOne() | % { $_.GetDirectoryEntry() | Select-Object –ExpandProperty member} 

 

Active Directory Web Service. The last thing you can do is modify the webservice.exe.config file and change the MaxGroupOrMemberEntries value. This will affect the behavior of other cmdlets as well. I haven’t tried this myself since the other workarounds are fine for me so make sure you read Jason Yoder’s post on this and TEST it out: http://mctexpert.blogspot.com/2013/07/how-to-exceed-maximum-number-of-allowed.html