List Members of Large Group

A PowerShell Version 1.0 script to enumerate the direct members of a large Active Directory group. This script uses ADO range retrieval to overcome the limit of 1500 values that can be retrieved for a multi-valued attribute like the "member" attribute of a group.


  • How can I adjust for the output of members to a .csv?
    2 Posts | Last post May 01, 2018
    • I am a new user of PowerShell.  This script is awesome and returned on the screen for a group with over 49,000 members.  However, the output was in my PowerShell console.  Is there a buffer space in PowerShell that I can copy the output data? Or better yet... Is there a place in Do loop or other portion of the script where I can perhaps place a type of export statement for the script results to a .csv file?
      I greatly appreciate any advice.
    • The easiest way to output to a file is to redirect the output. At the PowerShell prompt, call the script with a command similar to:
      EnumLargeGroup.ps1 "MyGroup" > .\Report.csv
  • Single Member Not Returned
    2 Posts | Last post May 01, 2018
    • I love this script and use it extensively!
      However, I have one user in a group of 15,000 members that is not returned into the member array.
      It's not the user because it is returned as a member of other large (and small) groups.
      Have you ever seen this?  I have checked for errors on the $adoCommand.Execute(), and there are none.  This has been a real head-scratcher for me and I have tried several times to solve this with debugging over the last few months.  The code really looks like it is performing flawlessly - it just won't return that single user for this single group.
    • I have not experienced this. Does the user have this group designated as their "primary" group? If not, is the user a direct member of the group, or a member due to group nesting (where they are a member of a child group of the group)? Otherwise, I cannot think of any reason for the user to not be included.
  • Could we also get the class of the members (group vs user)
    1 Posts | Last post January 08, 2016
    • Could we also get the class of the members (group vs user)?
      I've been playing with the $attributes, but I can't get it to give me the class of the members
  • Is it possible to output another property for each member
    2 Posts | Last post September 11, 2015
    • Is it possible to output something other than distinguished name such as username or display name?
    • Yes, it is possible to output member attributes other than distinguishedName. However, if the script is to remain compatible with PowerShell Version 1, it requires connecting to AD for each member to retrieve the other attribute values. This will slow the script considerably. However, it will still work. In PowerShell V1 you just use the $Member variable (the DN of each member) to bind to the user object in AD with the [ADSI] accelerator. Then you can retrieve any attributes of the object. In the snippet below (that replaces the ForEach in the code I published) I retrieve both the Name (the Relative Distinguished Name) and the sAMAccountName. Note that contact objects do not have the latter, so it will be blank. You can modify the line that outputs for each member.
      ==== code snippet to replace the ForEach in EnumLargeGroup.ps1 =====
              ForEach ($Member In $Members)
              {
                  # Bind to the member object in AD by its distinguished name
                  $ADObject = [ADSI]"LDAP://$Member"
                  # Output: DN, Name (sAMAccountName)
                  $Member + ", " + $ADObject.Name + " (" + $ADObject.sAMAccountName + ")"
                  $Count = $Count + 1
              }
  • How to copy large groups
    1 Posts | Last post August 05, 2015
    • Our Domain Users group is pretty large and I want to copy it to another group but cannot get past the size limit errors and I am unable to find a script here to help. Can you?
  • does it work with large result sets?
    3 Posts | Last post April 23, 2015
    • In first reading, this appeared to be exactly what I was looking for. Something to get around hard limit set on LDAP results by W2K8 servers (see
      But then you state at the end that "the dsget group command line utility fails if there are more than 1500 members in the group."
      Did you write this script to overcome the W2K8 limitations or not necessarily so?
    • I originally wrote the script in VBScript to overcome ADO limitations in the number of values you can retrieve for a multi-valued attribute, like the member attribute of groups. This limitation has existed since Windows 2000. I converted the script to PowerShell because the same limitations exist.
      The limitation you refer to in the kb article is the maximum number of values that can be retrieved at once in Windows Server 2008 and above (MaxValRange). However, note at the bottom that the solution is to use Range Retrieval (ranged queries), which is what this script does. So, although this script was not written with this limitation in mind, it should overcome it. However, the largest group I tested in my test domain has less than 5000 members.
    • I should also add that the dsget command line utility was introduced in Windows Server 2003. It fails to retrieve all members of a group on Windows Server 2003 if the group has more than 1500 members. However, I just tested this utility on Windows Server 2008 R2, and it does not have this limitation. It successfully retrieved all members of a group with 2200 members.
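
The range retrieval loop discussed in this thread, as an added example that is not the published EnumLargeGroup.ps1 script: it uses System.DirectoryServices.DirectorySearcher instead of ADO, and continues from the upper bound the server actually returns so that it still works when the server's per-request limit is smaller than the requested chunk. The function name, parameter names and the group DN in the usage line are assumptions made for illustration.

```powershell
# Added example: range retrieval of a group's "member" attribute.
# Function and parameter names are hypothetical, not from the published script.
function Get-LargeGroupMember {
    param(
        [string]$GroupDN = $(throw 'GroupDN is required'),
        [int]$ChunkSize = 1500
    )

    # Base-scope search on the group object itself
    $group = [ADSI]"LDAP://$GroupDN"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($group)
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=*)'

    $low = 0
    while ($true) {
        $high = $low + $ChunkSize - 1
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=$low-$high")

        $result = $searcher.FindOne()
        if ($result -eq $null) { break }

        # The server names the returned attribute itself:
        # "member;range=0-1499" for a partial chunk,
        # "member;range=3000-*" for the final chunk.
        $attr = $result.Properties.PropertyNames |
            Where-Object { $_ -match '^member;range=\d+-(\d+|\*)$' } |
            Select-Object -First 1
        if (-not $attr) { break }      # group has no member values

        $result.Properties[$attr]      # emit this chunk's DNs to the pipeline

        if ($attr -match '-\*$') { break }   # "*" marks the last chunk

        # Resume after the upper bound the server returned, which can be
        # lower than requested when its value limit is below $ChunkSize.
        $null = $attr -match '-(\d+)$'
        $low = [int]$Matches[1] + 1
    }
}

# Usage (constructed DN):
# Get-LargeGroupMember 'CN=MyGroup,OU=Groups,DC=example,DC=com' | Measure-Object
```

Like the published script, this returns only values stored in the group's member attribute, so it lists direct members and does not expand nested groups.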