Limit group membership on a security group

  • Question

  • Hi all,

    Is it possible to set a limit (like 100) on an AD security group so that NOT more than 100 users can be added to such a group?

    Friday, July 3, 2015 9:04 AM

Answers

  • There is no mechanism in Active Directory to impose such a limit. The only way I can think of to do this is to have all admins that manage group memberships use a custom application/script that enforces the limit.

    Richard Mueller - MVP Directory Services

    Friday, July 3, 2015 10:50 AM
  • Actually, I don't think scripting this would be that difficult. But making the script professional, so it handles all situations the way you want, will take some work. Also, no matter what tool or script is used, the limits can be bypassed by using ADUC to add members to the group, or using another script that does not impose limits. The limits are hard coded in the script.

    The following PowerShell script uses the AD module cmdlets and assumes that you are only adding user objects to the groups.

    Import-Module ActiveDirectory

    Function AddMember
    {
        # Function to add a user member to a group.
        # Prompt for member to add.
        $Member = Read-Host "Enter user to be added to the group"

        # Check if the user exists. -ErrorAction Stop turns a failed lookup into a
        # terminating error so that the Catch block actually runs.
        Try
            {$User = (Get-ADUser -Identity $Member -ErrorAction Stop).distinguishedName}
        Catch
            {"User $Member not found"; Return}

        # Add the user to the group, using the distinguished name retrieved above.
        Try
            {Add-ADPrincipalGroupMembership -Identity $User -MemberOf $GroupName -ErrorAction Stop}
        Catch
            {
                "$Member is already a member of $GroupName"
                "Or you lack permissions to add members to the group"
            }
    }

    # Prompt for group name.
    $GroupName = Read-Host "Enter Group Name"

    # Retrieve number of members in the group.
    Try
        {$Group = (Get-ADGroup -Identity $GroupName -Properties members -ErrorAction Stop).members}
    Catch
        {"Group $GroupName not found"; Return}
    # @() makes .Count correct for an empty group (0) and a single member (1).
    $Count = @($Group).Count

    # Membership limits are hard coded per group. Names must be sAMAccountNames
    # or distinguished names, exactly as the user will type them at the prompt.
    Switch ($GroupName)
    {
        "Accounting"
            {If ($Count -ge 100)
                {
                    "Group $GroupName already has 100 members"
                    "No more members can be added"
                }
             Else {AddMember}
            }
        "cn=Engineering,ou=West,dc=MyDomain,dc=com"
            {If ($Count -ge 100)
                {
                    "Group $GroupName already has 100 members"
                    "No more members can be added"
                }
             Else {AddMember}
            }
        "Grade7"
            {If ($Count -ge 50)
                {
                    "Group $GroupName already has 50 members"
                    "No more members can be added"
                }
             Else {AddMember}
            }
        "Grade8"
            {If ($Count -ge 50)
                {
                    "Group $GroupName already has 50 members"
                    "No more members can be added"
                }
             Else {AddMember}
            }
        Default
            {
                # Group with no membership limit.
                AddMember
            }
    }

    If you are interested, this will get you started. I suggest creating one or a few test groups and testing what happens when you add users to the group(s). Test non-existent groups, non-existent users, users that are already members of the group, and groups that already are at the limit. You only need to modify the group names in the Switch statement for your situation. All names (groups and users) must be sAMAccountNames (pre-Windows 2000 names) or distinguished names. I used sAMAccountNames for 3 of the groups in the Switch statement, and a distinguished name for the 4th. You can add or subtract groups in the Switch statement.

    Richard Mueller - MVP Directory Services


    Friday, July 3, 2015 3:04 PM

All replies

  • Hi Richard, is there maybe a 3rd party tool available which would be able to do it like "Quest Active Roles" or so?
    Friday, July 3, 2015 11:07 AM
  • I can't think of a way to do it with native tools. However, as already mentioned above, you can do it with third-party tools. E.g. if you are using Adaxes, you just create a Rule that runs before you add a user to a group and if the limit is exceeded, it just aborts the operation. You can store the limits in group properties (and impose it as a required field when creating a group) and just grab them from there automatically.

    Obviously, scripting all that stuff is an option but it would be harder and would be much more difficult to maintain. 

    Friday, July 3, 2015 11:31 AM
  • OK, thank you. I will look into such 3rd party tools.
    Friday, July 3, 2015 11:51 AM
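    Added example, not code from the thread: this takes the two ideas above further, the limit is read from the group's own Notes (`info`) attribute instead of being hard-coded in a Switch, and a separate report lists every group that is already over its limit. The report matters because, as Richard notes, any script-side check can be bypassed by ADUC or another tool, and a check-then-add sequence is also not atomic when two admins work at the same time; a scheduled report is the compensating control that catches both. The `MemberLimit=<n>` marker in `info` is a convention assumed for this example, not an AD feature.

```powershell
# Added example (not from the thread). Assumption: each limited group stores a
# line "MemberLimit=100" in its info (Notes) attribute; the marker is our own convention.
Import-Module ActiveDirectory

Function Get-GroupLimitState
{
    # Return the group object, its configured limit ($null if none) and current member count.
    Param([Parameter(Mandatory)][string]$GroupName)

    $Group = Get-ADGroup -Identity $GroupName -Properties info, member -ErrorAction Stop
    $Limit = $null
    If ($Group.info -match '(?m)^MemberLimit=(\d+)\s*$') { $Limit = [int]$Matches[1] }

    [PSCustomObject]@{
        Group = $Group
        Limit = $Limit
        Count = @($Group.member).Count   # @() gives 0 for empty and 1 for a single member
    }
}

Function Add-LimitedGroupMember
{
    # Add a user to a group only while the group is below its configured limit.
    # Returns $true when the member was added, $false otherwise.
    Param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$UserName
    )

    $State = Get-GroupLimitState -GroupName $GroupName
    If ($null -ne $State.Limit -and $State.Count -ge $State.Limit)
    {
        Write-Warning "Group $GroupName already has $($State.Count) members (limit $($State.Limit)); not adding $UserName"
        Return $false
    }

    Try
    {
        $User = Get-ADUser -Identity $UserName -ErrorAction Stop
        Add-ADGroupMember -Identity $State.Group -Members $User -ErrorAction Stop
        Return $true
    }
    Catch
    {
        # Covers user not found, already a member, or insufficient permissions.
        Write-Warning "Could not add $UserName to $GroupName : $($_.Exception.Message)"
        Return $false
    }
}

Function Get-GroupLimitViolations
{
    # Compensating control: report every group that carries a limit and is over it.
    # Run this on a schedule; it catches members added by ADUC or by any tool that
    # does not enforce the limit, and any race between concurrent admins.
    Param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADGroup -LDAPFilter '(info=*MemberLimit=*)' -SearchBase $SearchBase -Properties info, member |
        ForEach-Object {
            If ($_.info -match '(?m)^MemberLimit=(\d+)\s*$')
            {
                $Limit = [int]$Matches[1]
                $Count = @($_.member).Count
                If ($Count -gt $Limit)
                {
                    [PSCustomObject]@{
                        Group             = $_.Name
                        DistinguishedName = $_.DistinguishedName
                        Count             = $Count
                        Limit             = $Limit
                        Over              = $Count - $Limit
                    }
                }
            }
        }
}

# Usage (group and user names here are placeholders):
# Set-ADGroup -Identity Accounting -Replace @{ info = 'MemberLimit=100' }
# Add-LimitedGroupMember -GroupName Accounting -UserName jsmith
# Get-GroupLimitViolations | Format-Table -AutoSize
```

    Writing the limit into the group object rather than the script means anyone who reads the group in ADUC can see the intended ceiling, and the report needs no list of group names to maintain; only accounts that can write to the group's `info` attribute can change the limit, so it inherits whatever delegation already governs group objects.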