none
Powershell Get-ADGroupMember Size Limit

    Question

  • Get-ADGroupMember -identity "Applications" -recursive|
    Where-Object {$_.distinguishedName -like "*OU=Apps,OU=Security*" }| 
    Select Name,SamAccountName |
    Sort -Property Name |
    Export-csv -path C:\Members.csv -NoTypeInformation

    Purpose: I'm attempting to list users accounts who belong to a specific group but only those users from a specified OU.

    The script above ran perfectly yesterday when I wrote it, producing exactly what I need.  However, when I came into work today, and working in the same session of Powershell, I received the following:

    Get-ADGroupMember : The size limit for this request was exceeded
    At line:1 char:1

    I then closed the session and attempted to run this script again but keep receiving the same error.  I don't want to change the ADWS settings to extend the size, is there an alternative or some modification I can do to achieve the same result?

    Please advise.  Thanks.

    Friday, July 26, 2013 5:20 PM

Answers

  • Yes that's one of the annoying limitations of AD cmdlets, which don't seem to be very size friendly.

    However, I'm able to list all 21,000 members of one of my groups using Get-ADObject:

    $searchRoot = 'OU=Apps,OU=Security,DC=CONTOSO,DC=LOCAL'
    if ($groupDN = Get-ADGroup -Filter:{ name -eq 'MyGroup' } -ResultSetSize:1 | Select-Object -ExpandProperty 'DistinguishedName')
    {
    	$ldapFilter = '(&(objectclass=user)(objectcategory=person)(memberof:1.2.840.113556.1.4.1941:={0}))' -f $groupDN
    	Get-ADObject -LDAPFilter:$ldapFilter -SearchBase:$searchRoot -ResultSetSize:$null -ResultPageSize:1000 -Properties:@('samAccountName') | Select-Object 'Name', 'samAccountName' | Sort-Object -Property 'Name' | Export-Csv -Path:'C:\Members.csv' -NoTypeInformation
    }

    This method bypasses the MaxGroupOrMemberEntries limitation.

    • Marked as answer by Pigtaru Monday, July 29, 2013 4:02 PM
    Friday, July 26, 2013 8:34 PM

All replies