Powershell Get-ADGroupMember Size Limit

    Question

  • Get-ADGroupMember -identity "Applications" -recursive|
    Where-Object {$_.distinguishedName -like "*OU=Apps,OU=Security*" }| 
    Select Name,SamAccountName |
    Sort -Property Name |
    Export-csv -path C:\Members.csv -NoTypeInformation

    Purpose: I'm attempting to list user accounts who belong to a specific group but only those users from a specified OU.

    The script above ran perfectly yesterday when I wrote it, producing exactly what I need.  However, when I came into work today, and working in the same session of Powershell, I received the following:

    Get-ADGroupMember : The size limit for this request was exceeded
    At line:1 char:1

    I then closed the session and attempted to run this script again but keep receiving the same error.  I don't want to change the ADWS settings to extend the size, is there an alternative or some modification I can do to achieve the same result?

    Please advise.  Thanks.

    Friday, July 26, 2013 5:20 PM

Answers

  • Yes that's one of the annoying limitations of AD cmdlets, which don't seem to be very size friendly.

    However, I'm able to list all 21,000 members of one of my groups using Get-ADObject:

    $searchRoot = 'OU=Apps,OU=Security,DC=CONTOSO,DC=LOCAL'
    if ($groupDN = Get-ADGroup -Filter:{ name -eq 'MyGroup' } -ResultSetSize:1 | Select-Object -ExpandProperty 'DistinguishedName')
    {
    	# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the DC resolves nested membership
    	$ldapFilter = '(&(objectclass=user)(objectcategory=person)(memberof:1.2.840.113556.1.4.1941:={0}))' -f $groupDN
    	Get-ADObject -LDAPFilter:$ldapFilter -SearchBase:$searchRoot -ResultSetSize:$null -ResultPageSize:1000 -Properties:@('samAccountName') |
    		Select-Object 'Name', 'samAccountName' |
    		Sort-Object -Property 'Name' |
    		Export-Csv -Path:'C:\Members.csv' -NoTypeInformation
    }

    This method bypasses the MaxGroupOrMemberEntries limitation.

    • Marked as answer by Pigtaru Monday, July 29, 2013 4:02 PM
    Friday, July 26, 2013 8:34 PM
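
A reusable form of the approach in the answer above, as an added example that is not part of the original thread: it escapes the group DN before placing it in the LDAP filter and matches the DN exactly, which avoids the substring hits a `memberOf -match "name"` test can produce. The function names `ConvertTo-LdapFilterValue` and `Get-NestedGroupUser` are hypothetical and the sample DN is constructed; the group name, OU and CSV path are the ones used in the thread.

```powershell
# Added example (not from the thread). The query part needs the ActiveDirectory module.

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters \ * ( ) and NUL as \XX hex pairs.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-NestedGroupUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Group,       # name, DN, GUID or SID
        [Parameter(Mandatory)][string]$SearchBase   # OU the results are limited to
    )
    # Resolve the group once; a mistyped name fails here instead of
    # silently producing an empty report.
    $groupDN = (Get-ADGroup -Identity $Group -ErrorAction Stop).DistinguishedName
    $escaped = ConvertTo-LdapFilterValue $groupDN

    # LDAP_MATCHING_RULE_IN_CHAIN lets the DC walk nested groups. The search is
    # paged, so Get-ADGroupMember's size limit does not apply. Membership held
    # only through primaryGroupID is not in memberOf and is not returned.
    $filter = '(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:={0}))' -f $escaped

    $query = @{
        LDAPFilter     = $filter
        SearchBase     = $SearchBase
        ResultPageSize = 1000
        ResultSetSize  = $null
        Properties     = 'samAccountName'
    }
    Get-ADObject @query | Select-Object Name, samAccountName, DistinguishedName
}

# Constructed DN (not from the thread) containing characters that would
# break an unescaped filter; this call runs without a domain.
ConvertTo-LdapFilterValue 'CN=Apps (Legacy),OU=Global Groups,DC=contoso,DC=local'

# Same report as in the question, using the names from the thread.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-NestedGroupUser -Group 'Applications' -SearchBase 'OU=Apps,OU=Security,DC=CONTOSO,DC=LOCAL' |
        Sort-Object Name |
        Export-Csv -Path 'C:\Members.csv' -NoTypeInformation
}
```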

All replies

  • Thanks Mike and Averjoe, Get-ADObject is the way to go.
    Monday, July 29, 2013 4:03 PM
  • This works for me: 

    $Members = Get-ADGroup "YourLargeGroup" -Properties Member | Select-Object -ExpandProperty Member

    • Proposed as answer by 10890lrl Monday, April 18, 2016 7:02 PM
    Friday, May 23, 2014 1:29 PM
  • This works for me: 

    $Members = Get-ADGroup "YourLargeGroup" -Properties Member | Select-Object -ExpandProperty Member


    You haven't hit the limit yet then.

    Don't retire TechNet! - (Don't give up yet - 12,830+ strong and growing)

    Friday, May 23, 2014 1:36 PM
    Moderator
  • Get-ADGroup doesn't have the same limitation, it's Get-ADGroupMember that has the issue.

    The only problem is that Get-ADGroup doesn't include any friendly user information, only the distinguished names.

    A popular workaround is to pipe the results of Get-ADGroup into Get-ADUser to provide more friendly information.

    (Get-ADGroup "TestGroup" -properties members).members |
    Get-ADUser -properties displayName | Select-Object displayName

    • Proposed as answer by xxjergerxx Thursday, October 2, 2014 8:49 PM
    Friday, May 23, 2014 3:17 PM
  • That's what I get for not reading closely enough. =]

    Don't retire TechNet! - (Don't give up yet - 12,830+ strong and growing)

    Friday, May 23, 2014 3:23 PM
    Moderator
  • Thank you all this helped resolve my issues with comparing larger groups!
    Thursday, October 2, 2014 8:49 PM
  • Thank you. This works like a charm!

    mamadukes

    Friday, March 20, 2015 5:57 PM
  • In our case, the one "large group" simply has several other smaller groups as members, so I was able to use your same logic and pipe this back into the Get-ADGroupMember cmdlet such as this:

    PS C:\> $SDComm = Get-ADGroup "sd communications" -Properties Member | Select-Object -ExpandProperty Member | Get-ADGroupMember -Recursive
    
    PS C:\> $SDComm.Count
    5971

    The $SDComm variable contains an array of all the Group Members that you could then do something else with, if needed.

    Wednesday, June 10, 2015 7:46 PM
  • You can go this way as well

    get-aduser -filter * -searchBase "ou=users,dc=contoso,dc=com" -properties memberof |
    ?{$_.memberof -match "groupname"} |
    select samaccountname



    • Edited by Mekac Thursday, June 11, 2015 7:21 AM
    Thursday, June 11, 2015 7:20 AM
  • Thank you
    Friday, March 4, 2016 12:53 AM
  • Good but not for all situations. 

    If you have OU with spaces like "OU=Global Groups,DC=contoso,DC=com", you will get this error :

    Get-ADUser : Cannot find an object with identity: 'OU=Global
     Groups,DC=contoso,DC=com' under: 'DC=contoso,DC=com'.

    Any workaround ?

    EDIT : 

    Found a way with this command:

    Get-aduser -filter * -searchBase "OU=Global Groups,DC=contoso,DC=com" -properties memberof | ?{$_.memberof -match "TestGroup"} | select samaccountname,distinguishedName | Select-Object samaccountname,distinguishedName


    Friday, October 28, 2016 9:36 AM
  • Please do not add new questions to an unrelated topic that has been closed for years.

    \_(ツ)_/

    Friday, October 28, 2016 9:49 AM
    Moderator
  • He is correct.  I was hitting the limit using the O.P.'s logic, and used this instead and no limit error.
    Tuesday, January 31, 2017 11:36 PM
  • Wow this worked!

    Get-aduser -filter * -searchBase "DC=ad,DC=local" -properties * | ?{$_.memberof -match "Group Name 1"} | Select-Object Name,SurName,GivenName,department,mail,pager,division | export-csv C:\Scripts\report.csv
    Thanks for helping - I've been trying to find a way to do this for at least a day!
    Tuesday, March 27, 2018 2:28 AM