PowerShell Get-ADGroupMember Size Limit

Get-ADGroupMember -identity "Applications" -recursive|
Where-Object {$_.distinguishedName -like "*OU=Apps,OU=Security*" }| 
Select Name,SamAccountName |
Sort -Property Name |
Export-csv -path C:\Members.csv -NoTypeInformation

Purpose: I'm attempting to list user accounts who belong to a specific group but only those users from a specified OU.

The script above ran perfectly yesterday when I wrote it, producing exactly what I need. However, when I came into work today, working in the same session of PowerShell, I received the following:

Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:1

I then closed the session and attempted to run this script again but keep receiving the same error. I don't want to change the ADWS settings to extend the size. Is there an alternative or some modification I can make to achieve the same result?

Please advise.  Thanks.

July 26th, 2013 5:20pm

Yes, that's one of the annoying limitations of AD cmdlets, which don't seem to be very size friendly.

However, I'm able to list all 21,000 members of one of my groups using Get-ADObject:

$searchRoot = 'OU=Apps,OU=Security,DC=CONTOSO,DC=LOCAL'
if ($groupDN = Get-ADGroup -Filter:{ name -eq 'MyGroup' } -ResultSetSize:1 | Select-Object -ExpandProperty 'DistinguishedName')
{
	$ldapFilter = '(&(objectclass=user)(objectcategory=person)(memberof:1.2.840.113556.1.4.1941:={0}))' -f $groupDN
	Get-ADObject -LDAPFilter:$ldapFilter -SearchBase:$searchRoot -ResultSetSize:$null -ResultPageSize:1000 -Properties:@('samAccountName') | Select-Object 'Name', 'samAccountName' | Sort-Object -Property 'Name' | Export-Csv -Path:'C:\Members.csv' -NoTypeInformation
}

This method bypasses the MaxGroupOrMemberEntries limitation.

  • Marked as answer by Pigtaru Monday, July 29, 2013 4:02 PM
July 26th, 2013 8:34pm
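
The Get-ADObject approach from the answer above, wrapped as a reusable function (an added example, not part of the original thread). The function names ConvertTo-LdapFilterValue and Get-TransitiveGroupUser are hypothetical; the added step is escaping the group's distinguished name before it is placed in the LDAP filter, because a DN containing a parenthesis, asterisk or backslash would otherwise yield a malformed or wrong filter.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters (\ * ( ) NUL) as \xx hex pairs.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-TransitiveGroupUser {
    # Lists users under $SearchBase who are direct or nested members of the group.
    param(
        [Parameter(Mandatory)][string]$GroupName,   # sAMAccountName, DN, GUID or SID
        [Parameter(Mandatory)][string]$SearchBase   # OU to restrict results to
    )

    # Stop with a clear error if the group does not exist, rather than
    # silently exporting an empty list.
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    # 1.2.840.113556.1.4.1941 is the matching-rule-in-chain OID used in the
    # answer above: the domain controller resolves nested groups server-side.
    $dn     = ConvertTo-LdapFilterValue -Value $group.DistinguishedName
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$dn))"

    # Paged search with no result cap, so the result set is not truncated.
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase `
                 -ResultSetSize $null -ResultPageSize 1000 `
                 -Properties sAMAccountName |
        Select-Object Name, sAMAccountName
}

# Group and OU names taken from the question and answer above.
Get-TransitiveGroupUser -GroupName 'Applications' `
                        -SearchBase 'OU=Apps,OU=Security,DC=CONTOSO,DC=LOCAL' |
    Sort-Object -Property Name |
    Export-Csv -Path 'C:\Members.csv' -NoTypeInformation
```

A memberOf-based filter does not see membership held through a user's primary group (primaryGroupID), so check that separately when auditing groups such as Domain Users.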

Thanks Mike and Averjoe, Get-ADObject is the way to go.
July 29th, 2013 4:03pm

This works for me: 

$Members = Get-ADGroup "YourLargeGroup" -Properties Member | Select-Object -ExpandProperty Member

May 23rd, 2014 1:29pm

This works for me: 

$Members = Get-ADGroup "YourLargeGroup" -Properties Member | Select-Object -ExpandProperty Member


You haven't hit the limit yet then.
May 23rd, 2014 1:36pm

Get-ADGroup doesn't have the same limitation, it's Get-ADGroupMember that has the issue.

The only problem is that Get-ADGroup doesn't include any friendly user information, only the distinguished names.

A popular workaround is to pipe the results of Get-ADGroup into Get-ADUser to provide more friendly information.

(Get-ADGroup "TestGroup" -properties members).members |
Get-ADUser -properties displayName | Select-Object displayName

  • Proposed as answer by xxjergerxx Thursday, October 02, 2014 8:49 PM
May 23rd, 2014 3:17pm

That's what I get for not reading closely enough. =]
May 23rd, 2014 3:23pm

Thank you all, this helped resolve my issues with comparing larger groups!
October 2nd, 2014 8:49pm

Thank you. This works like a charm!
March 20th, 2015 2:03pm

In our case, the one "large group" simply has several other smaller groups as members, so I was able to use your same logic and pipe this back into the Get-ADGroupMember cmdlet such as this:

PS C:\> $SDComm = Get-ADGroup "sd communications" -Properties Member | Select-Object -ExpandProperty Member | Get-ADGroupMember -Recursive

PS C:\> $SDComm.Count
5971

The $SDComm variable contains an array of all the Group Members that you could then do something else with, if needed.

June 10th, 2015 3:52pm

You can go this way as well:

get-aduser -filter * -searchBase "ou=users,dc=contoso,dc=com" -properties memberof |
?{$_.memberof -match "groupname"} |
select samaccountname



  • Edited by Mekac 23 hours 49 minutes ago
June 11th, 2015 3:23am

This topic is archived. No further replies will be accepted.
