Question
Monday, July 9, 2012 11:53 PM | 2 votes
Hello,
I run the following commands from the 2.0 Command line on a Domain Controller to list the members of a large group (thousands of members) and to count the number of objects (measure-object):
get-adgroupmember "mygroup"
get-adgroupmember "mygroup" | measure-object
Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:18
+ get-adgroupmember <<<< "mygroup"
+ CategoryInfo : NotSpecified: (mygroup:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : The size limit for this request was exceeded,Microsoft.ActiveDirectory.Management.Comman
ds.GetADGroupMember
What do I need to do to resolve this error? Thanks in advance.
Thanks for your help! SdeDot
All replies (29)
Monday, September 10, 2012 4:55 PM ✅Answered | 1 vote
This is due to a limitation in AD web services; see:
http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx
The default limit is 5000. This can be adjusted in a config file, but to keep things consistent you have to update that file on each DC.
Security
Tuesday, July 10, 2012 1:50 AM | 10 votes
Hi,
Please try below code:
$group = [adsi]"LDAP://CN=Group1,CN=Users,DC=msad,DC=WIN"
$members = $group.psbase.invoke("Members") | foreach {$_.GetType().InvokeMember("name",'GetProperty',$null,$_,$null)}
$members.count
$members.count reports the number of users in Group1.
$members will list all the members of the group.
This is fairly efficient as well, works well with groups which have members much much more than a thousand.
In addition, please also refer to the below similar thread:
Regards,
Yan Li
TechNet Community Support
Tuesday, July 10, 2012 2:20 AM
Thanks Yan. That code works, but why doesn't my code work? I would like to get mine to work because it's only a few keywords and much easier and simpler to code.
Thanks for your help! SdeDot
Tuesday, July 10, 2012 6:59 AM
Do you know exactly how many users you have in your group? I never ran into a limit like this before. What I recommend you can try is to run the code on a different machine, preferably 64bit, running 64bit version of PowerShell to see if it is a memory limitation rather than a Cmdlet limitation.
Jaap Brasser
http://www.jaapbrasser.com
Tuesday, July 10, 2012 6:50 PM
Thanks for the response Jaap.
The number of users is 22652 with this code running on a 64bit R2 Server 2008 DC.
Thanks for your help! SdeDot
Tuesday, July 10, 2012 7:28 PM
If PowerShell's AD cmdlets have problems with such a large group, is it the case that this group causes you other problems as well? If your only problem occurs when you run a script to examine the group contents, then you could avoid the problem by just not bothering to look at it ;-)
It could be, though, that the size of the group itself is causing other issues too, that might be alleviated by restructuring. For example, you could think about moving the individual members of the group into a few new groups and adding them as members of the group in question. You would then run your above script on each of the new groups.
How to split them up, and how to manage the group through other changes would need to be considered. One thing that might work would be to introduce 26 new groups, one for each letter of the alphabet. If the main group was called GROUP, you would move all of the accounts whose names started with "A" into GROUP_A, ... started with "B" into GROUP_B, etc. Then add GROUP_A, GROUP_B, etc. as members of GROUP. This would assume some reasonable distribution of names, and would not work if all of your accounts had a common prefix, as in USER_Smith, etc.
Al Dunbar
Tuesday, July 10, 2012 8:04 PM
I will do some testing to see if I can replicate the problem. I will get back to you tomorrow to see where the limitation lies.
The work-around offered by Yan Li is quite good, though. In general using [adsi] and [adsisearcher] is the fastest method of querying AD from PowerShell.
Jaap Brasser
http://www.jaapbrasser.com
Wednesday, July 11, 2012 4:27 PM
I think this is related to the ADSI limitation of 1500 items for a multi-valued attribute. You should check if the problem indeed occurs if the amount of groupmembers exceeds 1500.
Thursday, July 18, 2013 5:27 PM | 20 votes
Here is another workaround sample:
Get-ADGroup "My Group" -Properties Member |
Select-Object -ExpandProperty Member |
Get-ADUser
This works because Get-ADUser accepts the DN as pipeline input for the 'Identity' parameter. See this link for help content for Get-ADUser:
http://technet.microsoft.com/en-us/library/ee617241.aspx
CraigMartin – Edgile, Inc. – http://identitytrench.com
Wednesday, April 16, 2014 12:25 PM
Hi all,
Is it possible to create AD groups with more than 20000 members?
Which interface should be used to create users and groups in bulk?
(LDAPs, RPC, ADSI.... etc.) I don't know, and why??
We use Windows 2012 R2 with forest function level 2008 R2.
We are a campus university and we may have groups like "students" (maybe 12000 Accounts) and "Campus-member" (maybe 20000, each user with an account is member)
The AD users and groups will be provisioned with an identity management system,
about LDAPs.
I have found MS Paper about AD LDAP Policy ...
Windows Server 2008 and newer domain controller returns only 5000 values in a LDAP response
http://support.microsoft.com/kb/200926
Thank you very much.
Best regards
Andi
Monday, April 18, 2016 12:49 AM | 1 vote
This is a bit slow, but it works:
(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member | Get-ADUser | Measure-Object).count
Tested with a group that has 21,134 members
Tuesday, May 17, 2016 10:53 AM
I managed it on a Windows 2012 member server which queries the 2008R2 DC via the network with this:
[array]$groupmembers = (get-adgroup -identity {groupname} -properties members).members
[array]$groupmembers.count
Was fast as hell with 5503 members in a manually created group.
Interestingly, it didn't work with 'Domain Users' :-( - the result was a wrong count
Edit:
OK, this Domain Users problem was because of the Primary Group membership.
The -properties members method does not work with the group members' primary group. :-(
So I worked around it with a different solution - use a CMD command without any limitation:
[array]$Groupmembers = DSGET.EXE group $GroupDN -members | Where {$_ -NE ""}
The Where eliminates the empty line at the end of the DSGET output.
Otherwise the array has one element too many.
Additionally, DSGET puts the output elements into "". These must be eliminated too
in each line for further work, for example with $MemberObject = $MemberObject -replace '[""]',''
Wednesday, July 6, 2016 9:52 PM | 4 votes
Hi!
I ran into the same problem this afternoon. Here was my solution:
$group = Get-ADGroup -Identity GROUPNAME -Properties member
$members = @()
$members = $group.member
$members.count
That group had about 5,400 members.
-M
Friday, August 5, 2016 6:52 PM
1CuriousKid,
I ran your script against a large group, "Domain Computers", and I get "0" as the results. I don't get the error "The size limit for this request was exceeded" anymore, yet I get zero as a count. Am I missing something here?
Thanks
Thursday, August 11, 2016 5:31 PM | 1 vote
No need for Get-ADuser or Measure-Object... try this:
@(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member).count
Wednesday, June 21, 2017 6:35 PM
This one is lightning Fast!! Took only 2 seconds to enumerate through some 20k members!
kat
Tuesday, July 11, 2017 6:04 PM | 1 vote
You can use the script below to find the IDs for all users in an AD group which has > 5000 users, and then use Get-ADUser against that list of IDs to get user details.
$ADGroupName = "YourADGroupName"
$InputPath= "\\BOCNTDFS1.BOC.CHEVRONTEXACO.NET\SHARE\Dropbox\UserCAIs.txt"
# Read the member DNs straight from the group's Member attribute
$a = @(Get-ADGroup $ADGroupName -Properties Member | Select-Object -ExpandProperty Member)
ForEach ($member in $a)
{
    # Take the first RDN of the DN ("CN=value") and keep the value after "="
    $SplitStep1 = ($Member -split ",",2)[0]
    $SplitStep2 = ($SplitStep1 -split "=",2)[1]
    $SplitStep2 | out-file -Append $InputPath
}
ForEach ($value in (Get-Content $InputPath))
{
    # -Properties needs a value; * returns all properties
    $b = Get-ADUser -identity $value -properties *
}
Thursday, November 9, 2017 9:44 PM
I have a group with over 5000 members, and some of the members are in nested groups.. is there a way to use the following method and get the nested members:
@(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member).
My current PowerShell is failing and I would rather modify the code than ask to update the AD web service.
Current code:
$coregroupmembers = Get-ADGroupMember $coregroup -Recursive
Thanks
Friday, November 24, 2017 10:53 AM | 1 vote
Hi Craig,
The cmdlet below worked well. However, it will give an error if the members also contain groups. So here is another way:
Get-ADGroup "Group Name" -Properties member |Select-Object -ExpandProperty member|Get-ADObject -Properties Samaccountname,DistinguishedName |select Samaccountname,DistinguishedName,ObjectClass
Guru
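For the nested-member question above, the `member`-attribute approach can be extended to walk nested groups. This is an added example, not code from any poster in this thread; the function name `Get-NestedGroupMember` and the group name are hypothetical, and it assumes all members live in a single domain. It guards against circular nesting and can optionally add accounts that belong to a group only through their primary group, which the `member` attribute does not list.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (added example): expands a group through its member attribute.
function Get-NestedGroupMember {
    param(
        [Parameter(Mandatory=$true)] [string] $Identity,
        [switch] $IncludePrimaryGroupMembers
    )
    $seenGroups = New-Object 'System.Collections.Generic.HashSet[string]'
    $seenLeaves = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue      = New-Object 'System.Collections.Generic.Queue[string]'

    $root = Get-ADGroup -Identity $Identity
    $queue.Enqueue($root.DistinguishedName)

    while ($queue.Count -gt 0) {
        $groupDn = $queue.Dequeue()
        # Skip groups already expanded, so circular nesting cannot loop forever
        if (-not $seenGroups.Add($groupDn)) { continue }

        $group = Get-ADGroup -Identity $groupDn -Properties member, primaryGroupToken
        foreach ($dn in $group.member) {
            # One lookup per member: slower than a bare count, but tells groups from leaf objects
            $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
            if ($obj.ObjectClass -eq 'group') {
                $queue.Enqueue($obj.DistinguishedName)
            } elseif ($seenLeaves.Add($obj.DistinguishedName)) {
                $obj   # emit each user/computer/contact once
            }
        }

        if ($IncludePrimaryGroupMembers) {
            # Primary-group membership is stored on the account (primaryGroupID),
            # not in the group's member attribute, so it needs its own search
            Get-ADObject -LDAPFilter "(primaryGroupID=$($group.primaryGroupToken))" -Properties sAMAccountName |
                Where-Object { $seenLeaves.Add($_.DistinguishedName) }
        }
    }
}

# Usage with a placeholder group name
Get-NestedGroupMember -Identity 'mygroupnamehere' -IncludePrimaryGroupMembers |
    Select-Object sAMAccountName, DistinguishedName, ObjectClass
```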
Friday, December 8, 2017 2:32 PM | 1 vote
Your suggestion was exactly what I needed, thank you.
I think you can simplify this code a bit.
(Get-ADGroup "My Group" -Properties Member).Member | Get-ADUser
Tuesday, April 17, 2018 2:42 PM | 1 vote
worked perfectly to get around the 5k default limit (when I only want the count) Thanks!
Wednesday, May 9, 2018 11:45 AM
I know this is an old (answered) thread, but I encountered this in WS2016 AD with a group that has >337k members, for reference:
Using the command
@(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member).count
it took 93s.
Using the ADSI method Yan Li suggested, it took 1260s
Thursday, May 24, 2018 12:37 AM
What am I missing here? I thought the thread was about listing the names of the users in the group. What good does getting a number count if you don't know who they are?????
I want to get a list of users and their attributes from large groups but I don't see anyone here really solving that issue.
Thursday, May 24, 2018 12:48 AM
The method mentioned above is a workaround to the Get-ADGroupMember limitation. You get the members when omitting the .Count code and you can get any member (user) properties using the code AndyHJ wrote above.
Monday, July 16, 2018 6:38 PM
To list members in DN format (displayed as [string])...
(Get-ADGroup "GroupName" -Properties member).member
To count the members...
((Get-ADGroup "GroupName" -Properties member).member).count
Monday, October 22, 2018 8:18 PM
This also worked for me! Thank you
Thursday, June 6, 2019 8:11 AM
Hi!
I ran into the same problem this afternoon. Here was my solution:
$group = Get-ADGroup -Identity GROUPNAME -Properties member
$members = @()
$members = $group.member
$members.count
That group had about 5,400 members.
-M
The fastest and working option. Two seconds for the group with 20000 users.
Tuesday, August 6, 2019 4:23 AM
Dude, that's exactly the same as the simplified cmdlets proposed earlier
$members = (Get-ADGroup -Identity GROUPNAME -Properties member).member
$count = (Get-ADGroup GROUPNAME -Properties member).member.count
16978 members group:
Measure-Command -Expression {(Get-ADGroup GROUPNAME -Properties member).member.count}
TotalMilliseconds : 354.7558
Tuesday, February 11, 2020 4:07 AM
Thanks for the simple code. This helped in doing my task..
Regards, Uma Yellapragada