Dheebs

Reputation: 418

Powershell - Get-AdGroupMember exceeding limit

I have the following query:

$Groups = (Get-AdGroup -filter * | Where     {
            ($_.name -like "*") 

} | select ObjectGUID -expandproperty ObjectGUID)


$Table = @()

$Record = [ordered]@{
    "Group _ObjectGUID" = ""
    "Name" = ""
    "SamAccountName" = ""
    "Member_ObjectGUID" = ""
}


Foreach ($Group in $Groups)
{
    $Arrayofmembers = Get-ADGroupMember -Recursive -identity $Group  | select name,samaccountname,ObjectGUID

    foreach ($Member in $Arrayofmembers)
    {
        $Record."Group _ObjectGUID" = $Group
        $Record."Name" = $Member.name
        $Record."SamAccountName" = $Member.SamAccountName
        $Record."Member_ObjectGUID" = $Member.ObjectGUID
        $objRecord = New-Object PSObject -property $Record
        $Table += $objrecord
    }

}

$Table | export-csv "C:\temp\AD_group_members.txt" -NoTypeInformation

However, I am unable to execute the query, as it exceeds the maximum AD return of 5000. It specifically returns the following error message:

Get-ADGroupMember : The size limit for this request was exceeded
At line:22 char:20
+ $Arrayofmembers = Get-ADGroupMember -Recursive -identity $Group | select name, ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (70206804-1c23-4e47-8e9e-e8fb7c688826:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : The size limit for this request was exceeded,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

I can't think of a way to trim this down to get around this because the solution of changing the config on all the domain controllers (300ish) is not an option.

Anyone got any suggestions?

Upvotes: 3

Views: 14283

Answers (1)

Jesse S.

Reputation: 88

I ran into this problem just today as well. What you have to do is get the group with the properties of member:

$ADInfo = Get-ADGroup -Identity $Group -Properties Members

Now, $ADInfo holds the group and its members. To get the list of members:

$ADInfo.Members

And if you want the members' AD record, do the following:

$ADInfo.Members | Get-ADComputer

Or you can put it all together:

(Get-ADGroup -Identity $Group -Properties Members).Members | Get-ADComputer

I'm using the Get-ADComputer but the same works for Get-ADUser.

Upvotes: 5
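
The answer's approach applied to the question's full export, as an added example that is not part of the original answer: it reads each group's Members property, follows nested groups itself with a visited set so circular nesting terminates, and resolves each member with Get-ADObject so users, computers and groups are handled alike. Get-NestedGroupMember is a hypothetical helper name, and the script assumes every member can be resolved in the domain being queried.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-NestedGroupMember {
    # Hypothetical helper: expands membership by walking the Members
    # property instead of calling Get-ADGroupMember -Recursive.
    param(
        [Parameter(Mandatory)] $Identity,                   # group GUID, DN or name
        [System.Collections.Generic.HashSet[string]] $Seen  # DNs already visited
    )
    if (-not $Seen) {
        $Seen = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
    }

    $group = Get-ADGroup -Identity $Identity -Properties Members
    [void]$Seen.Add($group.DistinguishedName)

    foreach ($dn in $group.Members) {
        # Add() returns $false for a DN seen before: this stops circular
        # nesting and de-duplicates members reachable through several groups.
        if (-not $Seen.Add($dn)) { continue }
        try {
            $obj = Get-ADObject -Identity $dn -Properties sAMAccountName -ErrorAction Stop
        } catch {
            # e.g. a member whose DN belongs to another domain
            Write-Warning "Could not resolve ${dn}: $($_.Exception.Message)"
            continue
        }
        if ($obj.ObjectClass -eq 'group') {
            Get-NestedGroupMember -Identity $obj.ObjectGUID -Seen $Seen
        } else {
            $obj
        }
    }
}

# Same columns and output path as the script in the question.
$Table = foreach ($Group in (Get-ADGroup -Filter *)) {
    foreach ($Member in (Get-NestedGroupMember -Identity $Group.ObjectGUID)) {
        [pscustomobject][ordered]@{
            'Group _ObjectGUID' = $Group.ObjectGUID
            'Name'              = $Member.Name
            'SamAccountName'    = $Member.sAMAccountName
            'Member_ObjectGUID' = $Member.ObjectGUID
        }
    }
}
$Table | Export-Csv 'C:\temp\AD_group_members.txt' -NoTypeInformation
```

The helper makes one Get-ADObject call per member, so a directory-wide run over large groups is slow, and unresolved members appear only as warnings, not in the CSV.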
