Trying to list members of groups with more than 5000

Question

Tuesday, April 4, 2017 5:40 PM

I am trying to write a script to do 3 things:

1. Select all groups starting with "ROLE_*"

2. For each group from 1, list all members

3. Write to file.

I have been using this, which works well until it hits a group with more than 5000 members:

Import-Module ActiveDirectory

$Groups = (Get-AdGroup -filter * | Where {$_.name -like "ROLE_*"} | select name -expandproperty name)

$Table = @()

$Record = [ordered]@{
"Group Name" = ""
"Name" = ""
"Username" = ""
}


Foreach ($Group in $Groups)
{

    $Arrayofmembers = Get-ADGroupMember -identity $Group | select name,samaccountname

    foreach ($Member in $Arrayofmembers)
    {
        $Record."Group Name" = $Group
        $Record."Name" = $Member.name
        $Record."UserName" = $Member.samaccountname
        $objRecord = New-Object PSObject -property $Record
        $Table += $objrecord

    }

}

$Table | export-csv "C:\Users\user\Desktop\BOGroups.csv" -NoTypeInformation

Unfortunately, this only works on groups that have 5000 or fewer members. When run against larger groups, I get this error:

Get-ADGroupMember : The size limit for this request was exceeded
At line:19 char:19
+ $Arrayofmembers = Get-ADGroupMember -identity $Group | select name,samaccountnam ...
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (ROLE_CSR:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : The size limit for this request was exceeded,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

Since I am only interested in users who are active, I thought limiting the results to only accounts that are not disabled might reduce the number below 5000... but I do not know how to do that. Any ideas?

I am also open to other/better ways to accomplish this, if anyone has suggestions.

Thanks.

All replies (10)

Tuesday, April 4, 2017 5:47 PM

I am only aware of a workaround. Run this with the values you need and export-csv

(Get-ADGroup -Identity $Group -Properties Members).Members | Get-ADUser | Select-Object name,samAccountName | Export-Csv u:\groupmembers.csv

Tuesday, April 4, 2017 6:26 PM

This is a drawback of the Get-ADGroupMember cmdlet: it can’t fetch the report of any group which exceeds 1500 users. A way to fetch the report is to use the syntax below.

 

(Get-ADGroup -Identity BrassRing -Properties Members).Members

The output of the above piece of code is the list of distinguishedNames of the users. You can get the name and SamAccountName of those users by passing the output through the pipeline to the Get-ADUser cmdlet.


Tuesday, April 4, 2017 6:53 PM

Richard - I tried your suggestion and got this:

Get-User : The term 'Get-User' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At line:5 char:23
+     $ArrayOfMembers = Get-User -Filter {(Enabled -eq $True) -And (memberOf -eq $ ...
+                       ~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-User:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

So I changed "Get-User" to "Get-ADUser" and got the following:

Get-ADUser : Cannot process argument because the value of argument "path" is not valid. Change the value of the "path" argument and run the operation again.
At line:5 char:23
+     $ArrayOfMembers = Get-ADUser -Filter {(Enabled -eq $True) -And (memberOf -eq ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADUser], PSArgumentException
    + FullyQualifiedErrorId : Cannot process argument because the value of argument "path" is not valid. Change the value of the "path" argument and run the operation again.,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Any ideas?


Wednesday, April 5, 2017 12:42 AM

No, first of all thank you for your post. Second, I was not correcting you, just noting what happened when I changed it to Get-ADUser and I was hoping you might have some more guidance on the resulting error.

Thank you for making the edit to the code. I just tried the edited code and got this:

Get-ADUser : Cannot process argument because the value of argument "path" is not valid. Change the value of the "path" argument and run the
operation again.
At line:5 char:23
+     $ArrayOfMembers = Get-ADUser -Filter {(Enabled -eq $True) -And (memberOf -eq ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADUser], PSArgumentException
    + FullyQualifiedErrorId : Cannot process argument because the value of argument "path" is not valid. Change the value of the "path" argument and run the operation again.,Microsoft.ActiveDirectory.Management.Commands.GetADUser

Any ideas? It seems like it's getting closer.

Thanks again.


Wednesday, April 5, 2017 1:06 AM

Tried with the new line, same error. I really appreciate your help.


Wednesday, April 5, 2017 2:23 PM

Interesting... I get the following when I run this:

The property 'Group Name' cannot be found on this object. Verify that the property exists and can be set.
At line:9 char:9
+         $Record."Group Name" = $Group.Name
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound
 
The property 'Name' cannot be found on this object. Verify that the property exists and can be set.
At line:10 char:9
+         $Record."Name" = $Member.Name
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound
 
The property 'UserName' cannot be found on this object. Verify that the property exists and can be set.
At line:11 char:9
+         $Record."UserName" = $Member.sAMAccountName
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound
 
Method invocation failed because [System.Management.Automation.PSObject] does not contain a method named 'op_Addition'.
At line:13 char:9
+         $Table += $objrecord
+         ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException


Thursday, April 6, 2017 1:28 PM

> Interesting... I get the following when I run this:

 

You missed the "in partial" statement of Richard. He has some surrounding code that creates a table and some records :-)

 

This is not the place to get "solutions ready for production", but rather "tips on how to create your own solution".

 


Friday, April 7, 2017 2:56 PM

My most sincere apologies... I thought I made it clear that I was attempting to solve a very specific issue, not learn how to code in PowerShell.

Thanks for this very informative post.


Friday, April 7, 2017 3:03 PM

Thanks for your assistance Richard; I will find a different way to do this. I do not have coding/scripting experience, so need very specific details... as you have by now realized. Apologies for taking up your time.


Friday, April 7, 2017 4:27 PM

Try this one I published in the gallery:

https://gallery.technet.microsoft.com/scriptcenter/Get-ADGroupMemberAttributep-2663d468

It uses a "paged search" and thus doesn't have a limit to the number of group members it can retrieve.

You have to provide it a distinguished name for the group, but it does support the pipeline.

-- Bill Stewart [Bill_Stewart]
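
Added example, not part of any post in this thread and not the gallery script linked above: one way to produce the report the question asks for (ROLE_* groups, enabled members only) by searching users on their memberOf attribute with Get-ADUser, which pages its results, instead of calling Get-ADGroupMember. The output file name and the helper function name are assumptions; the memberOf filter returns direct user members only and does not reflect primary-group membership.

```powershell
Import-Module ActiveDirectory

# Assumption: output path chosen for this example.
$OutFile = '.\RoleGroupMembers.csv'

# Escape a value for use inside an LDAP filter (RFC 4515).
# A group DN may legally contain '(', ')', '*' or '\' (e.g. "CN=Smith\, John"),
# and an unescaped character would change or break the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

# userAccountControl bit 0x2 is ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the
# LDAP bitwise-AND matching rule, so this clause keeps only enabled accounts.
$enabledOnly = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

# Let the directory do the name match instead of "-Filter * | Where".
$rows = foreach ($group in Get-ADGroup -Filter 'Name -like "ROLE_*"') {
    $dn     = ConvertTo-LdapFilterValue $group.DistinguishedName
    $filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$dn)$enabledOnly)"

    # Get-ADUser retrieves results page by page, so the result set is not
    # cut off at the Get-ADGroupMember size limit.
    Get-ADUser -LDAPFilter $filter | ForEach-Object {
        [pscustomobject]@{
            'Group Name' = $group.Name
            'Name'       = $_.Name
            'Username'   = $_.SamAccountName
        }
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation
```

Collecting the loop output in `$rows` avoids the repeated array copies that `$Table +=` causes on large groups.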