Active Directory Web Services and Get-ADGroupMember

  • Question

  • I have an issue when using Get-ADGroupMember on Server 2008 R2 SP1 Domain Controllers. There is a 5000 member limit on Group Membership as explained in the following link https://technet.microsoft.com/en-us/library/dd391908(WS.10).aspx.

    The message is as expected "Get-ADGroupMember : The size limit for this request was exceeded".

    When I add the line to the Microsoft.ActiveDirectory.WebServices.exe.config file  <add key="MaxGroupOrMemberEntries" value="7000" /> the error continues, however the message changes to "Get-ADGroupMember : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running".

    I have also added the "OperationTimeout" value which makes no difference. I have set this to five minutes as per the following entry <add key="OperationTimeout" value="00:05:00" />

    I know that we could rewrite the PowerShell scripts to not use Get-ADGroupMember, however the preference would be to keep the scripts as they are.

    The environment is a large environment and it would be our preference to have Get-ADGroupMember working.

    The DCs are running .NET 4.5, current domain functional level is Windows Server 2008 R2.

    I am after any help on making this work?

    Thanks in advance.


    David Furlong


    • Edited by DMF_Axiom Monday, July 11, 2016 3:05 AM
    • Moved by Bill_Stewart Wednesday, October 5, 2016 7:34 PM Abandoned
    Monday, July 11, 2016 3:02 AM

All replies

  • Hi David. 

    Yes, this is a feature of Active Directory and affects all methods of reading collections (group membership). The guidance in the documentation shows methods for querying the members in batches and incrementing through the batches.

    For changes to the way AD works you would have to contact Microsoft directly.  This forum is not a support forum but is a user community for scripting and not a support group for Active Directory.  You can post in the Directory Services forum for specific AD assistance.

    Here is one method for enumerating large groups: https://www.petri.com/enumerating-members-of-large-active-directory-groups

    Here is the method I have used with VBScript and PowerShell: https://blogs.msdn.microsoft.com/tswift/2009/04/29/powershell-enumerating-a-ldap-group-with-a-large-1500-number-of-users/

    Hope this helps.

    How long is a fur-long? 


    \_(ツ)_/

    Monday, July 11, 2016 3:38 AM
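
The batch approach mentioned in the reply above, as an added example (not code from the thread or from the linked articles): LDAP ranged retrieval of the `member` attribute through ADSI, which talks LDAP to the domain controller directly instead of going through Active Directory Web Services. The function name `Get-LargeGroupMember`, its parameters and the sample DN are hypothetical.

```powershell
# Added example: read every direct member of a large group in batches using
# LDAP ranged retrieval ("member;range=low-high").
function Get-LargeGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupDN,  # distinguished name of the group
        [int] $BatchSize = 1500                    # server may return fewer per batch
    )

    $entry    = [ADSI]"LDAP://$GroupDN"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $searcher.Filter      = '(objectClass=group)'

    $low = 0
    while ($true) {
        $high = $low + $BatchSize - 1
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=$low-$high")

        $result = $searcher.FindOne()
        if (-not $result) { break }

        # The server answers under the range it actually used, for example
        # "member;range=0-1499", or "member;range=4500-*" for the last batch.
        $attr = $result.Properties.PropertyNames |
                Where-Object { $_ -like 'member;range=*' } |
                Select-Object -First 1
        if (-not $attr) { break }          # empty group: no member values returned

        $values = $result.Properties[$attr]
        $values                            # emit this batch of member DNs

        # Stop on the final batch; never request a range past the end,
        # because the server rejects a start index beyond the last value.
        if ($attr.EndsWith('-*') -or $values.Count -eq 0) { break }
        $low += $values.Count
    }
}

# Usage (constructed DN, replace with a real group):
# $members = Get-LargeGroupMember -GroupDN 'CN=Big Group,OU=Groups,DC=example,DC=com'
# $members.Count
```

The output is a list of distinguished-name strings for direct members only, so scripts that relied on the objects returned by Get-ADGroupMember need to resolve each DN themselves. Accounts that belong to the group only through their primary group are not stored in `member` and will not appear.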
  • Hi JRV,

    Thank you for the information. I will explore the direction for enumerating large groups.

    By the way a Furlong is 1/8 of a mile or approx 200 metres :)

    Thanks,

    David Furlong

    Monday, July 11, 2016 4:24 AM
  • .

    By the way a Furlong is 1/8 of a mile or approx 200 metres :)

    Thanks,

    David Furlong


    If you are a Roman it is a Stadium which is somewhat off. If you are an Englishman it is the length of your "furrow". If you are a jockey it is usually 7 to 12 of them and your butt is really sore.

    Good luck with the links.


    \_(ツ)_/

    Monday, July 11, 2016 4:27 AM