List Members of Large Group

A PowerShell Version 1.0 script to enumerate the direct members of a large Active Directory group. This script uses ADO range retrieval to overcome the limit of 1500 values that can be retrieved for a multi-valued attribute like the "member" attribute of a group.
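The range retrieval loop this description refers to, as an added example that is not the published script or the author's code: it requests the "member" attribute in chunks, continues from the upper bound the server actually returned (which can be lower than the one requested), and writes the distinguished names to a CSV file. The group DN, output path and variable names are placeholders.

```powershell
# Added example (not the published EnumLargeGroup.ps1).
# Constructed placeholder values; replace before running.
$GroupDN = "CN=Example Group,OU=Groups,DC=example,DC=com"
$OutFile = ".\GroupMembers.csv"
$Step    = 1500     # number of values to request per query

$Group    = [ADSI]"LDAP://$GroupDN"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Group)
$Searcher.SearchScope = "Base"
$Searcher.Filter      = "(objectClass=*)"

$Rows = New-Object System.Collections.ArrayList
$Low  = 0
$Done = $False
While (-not $Done)
{
    $High = $Low + $Step - 1
    $Searcher.PropertiesToLoad.Clear()
    [void]$Searcher.PropertiesToLoad.Add("member;range=$Low-$High")
    $Result = $Searcher.FindOne()

    # The server names the returned attribute after the range it actually
    # sent, e.g. "member;range=0-1499", or "member;range=3000-*" for the
    # final chunk. It may send fewer values than were requested.
    $Attr = $Null
    If ($Result -ne $Null)
    {
        ForEach ($Name In $Result.Properties.PropertyNames)
        {
            If ($Name -like "member;range=*") { $Attr = $Name }
        }
    }
    If ($Attr -eq $Null) { Break }     # group has no members

    ForEach ($Member In $Result.Properties[$Attr])
    {
        $Row = New-Object PSObject
        $Row | Add-Member NoteProperty DistinguishedName $Member
        [void]$Rows.Add($Row)
    }

    # Continue from the upper bound the server reported, not the one requested.
    $Returned = $Attr.Substring($Attr.IndexOf("=") + 1).Split("-")[1]
    If ($Returned -eq "*") { $Done = $True }
    Else { $Low = [int]$Returned + 1 }
}

$Rows | Export-Csv -Path $OutFile -NoTypeInformation
"Members written: " + $Rows.Count
```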

 
 
 
 
 
Active Directory
10/18/2016


  • How can I adjust for the output of members to a .csv?
    1 Posts | Last post July 26, 2017
    • I am a new user of PowerShell.  This script is awesome and returned on the screen for a group with over 49,000 members.  However, the output was in my PowerShell console.  Is there a buffer space in PowerShell that I can copy the output data? Or better yet... Is there a place in Do loop or other portion of the script where I can perhaps place a type of export statement for the script results to a .csv file?
      I greatly appreciate any advice.
  • Could we also get the class of the members (group vs user)
    1 Posts | Last post January 08, 2016
    • Could we also get the class of the members (group vs user)?
      
      I've been playing with the $attributes, but I can't get it to give me the class of the members
  • Is it possible to output another property for each member
    2 Posts | Last post September 11, 2015
    • Is it possible to output something other than distinguished name such as username or display name?
    • Yes, it is possible to output member attributes other than distinguishedName. However, if the script is to remain compatible with PowerShell Version 1, it requires connecting to AD for each member to retrieve the other attribute values. This will slow the script considerably. However, it will still work. In PowerShell V1 you just use the $Member variable (the DN of each member) to bind to the user object in AD with the [ADSI] accelerator. Then you can retrieve any attributes of the object. In the snippet below (that replaces the ForEach in the code I published) I retrieve both the Name (the Relative Distinguished Name) and the sAMAccountName. Note that contact objects do not have the latter, so it will be blank. You can modify the line that outputs for each member.
      ==== code snippet to replace the ForEach in EnumLargeGroup.ps1 =====
              ForEach ($Member In $Members)
              {
                  $ADObject = [ADSI]"LDAP://$Member"
                  $Member + ", " + $ADObject.Name + " (" + $ADObject.sAMAccountName + ")"
                  $Count = $Count + 1
              }
      
  • How to copy large groups
    1 Posts | Last post August 05, 2015
    • Our Domain Users group is pretty large and I want to copy it to another group but cannot get past the size limit errors and I am unable to find a script here to help. Can you?
  • does it work with large result sets?
    3 Posts | Last post April 23, 2015
    • In first reading, this appeared to be exactly what I was looking for. Something to get around hard limit set on LDAP results by W2K8 servers (see https://support.microsoft.com/en-us/kb/2009267)
      But then you state at the end that "the dsget group command line utility fails if there are more than 1500 members in the group."
      Did you write this script to overcome the W2K8 limitations or not necessarily so?
      Thanks!
    • I originally wrote the script in VBScript to overcome ADO limitations in the number of values you can retrieve for a multi-valued attribute, like the member attribute of groups. This limitation has existed since Windows 2000. I converted the script to PowerShell because the same limitations exist.
      The limitation you refer to in the kb article is the maximum number of values that can be retrieved at once in Windows Server 2008 and above (MaxValRange). However, note at the bottom that the solution is to use Range Retrieval (ranged queries), which is what this script does. So, although this script was not written with this limitation in mind, it should overcome it. However, the largest group I tested in my test domain has less than 5000 members.
    • I should also add that the dsget command line utility was introduced in Windows Server 2003. It fails to retrieve all members of a group on Windows Server 2003 if the group has more than 1500 members. However, I just tested this utility on Windows Server 2008 R2, and it does not have this limitation. It successfully retrieved all members of a group with 2200 members.