Hi all,
Is it possible to set a limit (like 100) on a AD security group that NOT more than 100 users can be added to such an group?
Limit group membership on a security group
July 3rd, 2015 5:11am
There is no mechanism in Active Directory to impose such a limit. The only way I can think of to do this is to have all admins that manage group memberships use a custom application/script that enforces the limit.
Free Windows Admin Tool Kit Click here and download it now
July 3rd, 2015 6:57am
Hi Richard, is there maybe a 3rd party tool available which would be able to do it like "Quest Active Roles" or so?
July 3rd, 2015 7:14am
I can't think of a way to do it with native tools. However, as already mentioned above, you can do it with third-party tools. E.g. if you are using Adaxes, you just create a Rule that runs before you add a user to a group and if the limit is exceeded, it just aborts the operation. You can store the limits in group properties (and impose it as a requred field when creating a group) for and just grab them from there automatically.
Obviously, scripting all that stuff is an option but it would be harder and would be much more difficult to maintain.
Free Windows Admin Tool Kit Click here and download it now
July 3rd, 2015 7:37am
OK, thank you. I will look into such 3rd party tools.
July 3rd, 2015 7:58am
Actually, I don't think scripting this would be that difficult. But making the script professional, so it handles all situations the way you want, will take some work. Also, no matter what tool or script is used, the limits can be bypassed by using ADUC to add members to the group, or using another script that does not impose limits. The limits are hard coded in the script.
The following PowerShell script using the AD module cmdlets and assumes that you are only adding user objects to the groups.
Function AddMember
{
# Function to add a user member to a group.
# Prompt for member to add.
$Member = Read-Host "Enter user to be added to the group"
# Check if the user exists.
Try {
$User = (Get-ADUser -Identity $Member).distinguishedName
}
Catch
{"User $Member not found"; Break}
# Add the user to the group.
Try
{
Add-ADPrincipalGroupMembership -Identity $Member -MemberOf $GroupName
}
Catch
{
"$Member is already a member of $GroupName"
"Or you lack permissions to add members to the group"
}
}
# Prompt for group name.
$GroupName = Read-Host "Enter Group Name"
#Retrieve number of members in the group.
Try
{$Group = (Get-ADGroup -Identity $GroupName -Properties members).members}
Catch
{"Group $GroupName not found"; Break}
$Count = $Group.Count
Switch ($GroupName)
{
"Accounting"
{If ($Count -ge 100)
{
"Group $GroupName already has 100 members"
"No more members can be added"
}
Else {AddMember}
}
"cn=Engineering,ou=West,dc=MyDomain,dc=com"
{If ($Count -ge 100)
{
"Group $GroupName already has 100 members"
"No more members can be added"
}
Else {AddMember}
}
"Grade7"
{If ($Count -ge 50)
{
"Group $GroupName already has 50 members"
"No more members can be added"
}
Else {AddMember}
}
"Grade8"
{If ($Count -ge 50)
{
"Group $GroupName already has 50 members"
"No more members can be added"
}
Else {AddMember}
}
Else
{
# Group with no membership limit.
AddMember
}
}
If you are interested, this will get you started. I suggest creating one or a few test groups and testing what happens when you add users to the group(s). Test non-existent groups, non-existent users, users that are already members of the group, and groups that already are at the limit. You only need to modify the group names in the Switch statement for your situation. All names (groups and users) must be sAMAccountNames (pre-Windows 2000 names) or distinguished names. I used sAMAccountNames for 3 of the groups in the Switch statement, and a distinguished name for the 4th. You can add or subtract groups in the Switch statement.
Free Windows Admin Tool Kit Click here and download it now
July 3rd, 2015 11:11am
This topic is archived. No further replies will be accepted.
Other recent topics
