Moose

Reputation: 755

Get-ADGroup with -recursive is not working?

I am using the Get-ADGroupMember command to fetch all the users in an AD group. -Recursive helps me fetch members from any child groups in the parent group as well.

However, get-adgroupmember has an upper limit of 5000 entries only.

To tackle this, if I use:

Get-ADGroup -Identity "DEPT_120_SA" -server "A" -Properties * | select-object -expandproperty members |get-aduser

this doesn't work, as my parent AD has child ADs and -Recursive is not accepted by Get-ADGroup.

Error:

Get-ADGroup : A parameter cannot be found that matches parameter name 'recursive'.
At line:2 char:79
+ Get-ADGroup -Identity "DEPT_120_SA" -server "mhf.mhc" -Properties * -recursive <<<< | select-object -expandproperty members
    + CategoryInfo          : InvalidArgument: (:) [Get-ADGroup], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

My aim is to display usernames and their mail IDs, and this works for me:

Get-ADGroupMember -server $domain -identity $s -Recursive -ErrorAction Stop | Get-AdUser -Properties mail -ErrorAction Stop | select sAmAccountName, Mail

Any workaround? (I am willing to write a recursive function to fetch large groups, but there must be a shorter and more direct way.)

Upvotes: 1

Views: 2627

Answers (1)

Ashigore

Reputation: 4678

The 5000 limit applies only to Get-ADGroupMember, not Get-ADUser, so we can use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).

For example:

Get-AdUser -LdapFilter "(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=ad,DC=local)"

where cn=group,cn=users,DC=ad,DC=local is the distinguished name of the group you want members for.

Upvotes: 0
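The following is an added example, not code from the question or the answer above. It turns the answer's one-liner into a reusable function that produces the same sAMAccountName/mail columns as the question's Get-ADGroupMember pipeline: it resolves the group to its distinguishedName (the matching rule needs the DN, not the group name), escapes the DN for use inside an LDAP filter, and lets Get-ADUser do the nested-membership walk server-side. The 5000 cap on Get-ADGroupMember comes from the MaxGroupOrMemberEntries setting of Active Directory Web Services; an LDAP filter query is paged instead and has no such cap. The group name DEPT_120_SA and the server name A are taken from the question; the function name Get-NestedGroupUsers and the -GlobalCatalog switch are my own.

```powershell
# Added example (not from the original question or answer): list every user that
# is a member of an AD group, directly or through any depth of nested groups,
# using the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941)
# instead of Get-ADGroupMember -Recursive and its 5000-entry ADWS cap.
# Assumptions: the RSAT ActiveDirectory module is installed, and the group
# "DEPT_120_SA" and server "A" are the ones named in the question.
Import-Module ActiveDirectory

function Get-NestedGroupUsers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Server,
        # Query the global catalog (port 3268) so users from other domains in
        # the forest that sit in nested groups are returned as well.
        [switch] $GlobalCatalog
    )

    # The matching rule compares against the group's distinguishedName, so
    # resolve the group object first (this lookup has no member-count limit).
    $group = Get-ADGroup -Identity $GroupName -Server $Server -ErrorAction Stop

    # Escape characters that are special inside an LDAP filter value (RFC 4515).
    # A DN such as "CN=Smith\, John,OU=..." or one containing parentheses would
    # otherwise break the filter or match something other than intended.
    $escapedDn = $group.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # objectCategory=person + objectClass=user restricts the results to user
    # accounts; nested groups and computers are walked but not returned.
    $ldapFilter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$escapedDn))"

    $target = if ($GlobalCatalog) { "${Server}:3268" } else { $Server }

    # Paged LDAP query: no MaxGroupOrMemberEntries cap, large page size to cut round trips.
    Get-ADUser -LDAPFilter $ldapFilter -Server $target -Properties mail -ResultPageSize 1000 |
        Select-Object sAMAccountName, mail, DistinguishedName
}

# Usage: same columns as the question's Get-ADGroupMember | Get-ADUser pipeline.
$users = @(Get-NestedGroupUsers -GroupName 'DEPT_120_SA' -Server 'A')
$users | Format-Table sAMAccountName, mail -AutoSize

# Sanity check: on a group that is still below the 5000 cap, both methods
# must agree on the set of user objects; a mismatch means the walk missed
# something (typically members in another domain, see -GlobalCatalog).
$legacy = @(Get-ADGroupMember -Identity 'DEPT_120_SA' -Server 'A' -Recursive |
    Where-Object { $_.objectClass -eq 'user' })
if ($legacy.Count -ne $users.Count) {
    Write-Warning "Count mismatch: matching rule $($users.Count) vs Get-ADGroupMember $($legacy.Count)"
}
```

Two caveats when relying on this for access reviews. The filter returns only user objects, so computers, nested groups and foreign security principals that are also members are not listed; run the same memberOf clause through Get-ADObject if you need them. And memberOf is never populated for an account's primary group (primaryGroupID), so a memberOf-based filter cannot show that form of membership for any group, which matters for groups like Domain Users. The chained walk is done by the domain controller and can be slow on very large or deeply nested groups, so run it against a DC you are allowed to load rather than in a tight loop across hundreds of groups.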
