Powershell Script Error When Trying to Export AD Group Membership With Over 5000 Objects

  • Question

  • I have a script that exports all active directory groups and group members and also obtains nested group memberships but it tends to fail on groups that are over 5000 objects. I receive the error message. I've also tried a few other scripts but run into the same issue.

    Get-ADGroupMember : The size limit for this request was exceeded
    At C:\Users\**FILE NAME**.ps1:25 char:23
    + ... rrayofmembers = Get-ADGroupMember -identity $Group -recursive | selec ...
    +                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (Domain Users:ADGroup) [Get-ADGroupMember], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:8227,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    Import-Module ActiveDirectory
    
    # Collect the SamAccountName of every group matching the (redacted) name filter.
    $Groups = (Get-AdGroup -filter * | Where {$_.name -like "**"} | select SamAccountName -expandproperty SamAccountName)
    $Table = @()
    $Record = @{
        "Group Name" = ""
        "Name" = ""
        "Username" = ""
        }
    
    Foreach ($Group in $Groups)
        {
        # This is the call (line 25 of the saved file) that fails with
        # "The size limit for this request was exceeded" on groups with more than 5000 members.
        $Arrayofmembers = Get-ADGroupMember -identity $Group -recursive | select name,samaccountname
        foreach ($Member in $Arrayofmembers)
            {
            $Record."Group Name" = $Group
            $Record."Name" = $Member.name
            $Record."UserName" = $Member.samaccountname
            $objRecord = New-Object PSObject -property $Record
            $Table += $objrecord   # the array is re-created on every add, which is slow for large groups
            }
        }
    
    $Table | export-csv "AD_GROUPS.csv" -NoTypeInformation -Append

    Thursday, June 22, 2017 5:36 PM

Answers

  • Yes I understand that a group can have more than 5000 members. That is not the problem. The problem is getting PowerShell to display the members of these groups with over 5000 members.

    In my environment I was able to get the script to work by modifying Microsoft.ActiveDirectory.WebServices.exe.config file, under %WINDIR%\ADWS directory on the domain controller as mentioned in the link provided by Syst3m32. Although this worked for me, I still needed to find a workaround because changing the config file at a client site is not an option. The final fix was not to use the Get-ADGroupMember command and instead I used the command (Get-ADGroup $Group -properties members).members


    • Marked as answer by Chester64.2 Friday, June 30, 2017 1:32 PM
    • Edited by Chester64.2 Friday, June 30, 2017 1:32 PM
    Friday, June 30, 2017 1:32 PM
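One way to implement the accepted workaround, as an added example that is not the poster's script: read the group's members attribute instead of calling Get-ADGroupMember, resolve each distinguished name with Get-ADObject, and recurse into nested groups. The function name, the Visited/ReportAs parameters and the loop guard are my own assumptions; the output keeps the same CSV columns as the original script.

```powershell
# Added example (not the OP's code). Enumerates members via the group's 'members'
# attribute, which is not subject to the ADWS MaxGroupOrMemberEntries cap (5000 by
# default) that Get-ADGroupMember hits. Nested groups are expanded by recursing on
# objectClass 'group'; a visited set stops membership loops (A contains B contains A).
# Assumes the ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function Get-GroupMembersViaAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$Recursive,
        # Name reported in the 'Group Name' column; stays the top-level group when recursing.
        [string]$ReportAs = $GroupName,
        [System.Collections.Generic.HashSet[string]]$Visited =
            (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    $group = Get-ADGroup -Identity $GroupName -Properties members
    if (-not $Visited.Add($group.DistinguishedName)) { return }   # already expanded

    foreach ($dn in $group.members) {
        # The attribute only carries distinguished names, so one lookup per member.
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
        if ($Recursive -and $obj.ObjectClass -eq 'group') {
            Get-GroupMembersViaAttribute -GroupName $obj.DistinguishedName -Recursive `
                -ReportAs $ReportAs -Visited $Visited
            continue
        }
        # Emit to the pipeline instead of '$Table += ...' (no array re-copy per member).
        [PSCustomObject]@{
            'Group Name' = $ReportAs
            'Name'       = $obj.Name
            'Username'   = $obj.sAMAccountName
        }
    }
}

# Same CSV shape as the original script; the filter and output path are placeholders.
$groups = Get-ADGroup -Filter 'name -like "*"' | Select-Object -ExpandProperty SamAccountName
$groups | ForEach-Object { Get-GroupMembersViaAttribute -GroupName $_ -Recursive } |
    Export-Csv -Path 'AD_GROUPS.csv' -NoTypeInformation
```

One caveat the attribute-based approach has that Get-ADGroupMember does not: users whose primary group is the group in question (for example most accounts in Domain Users, via primaryGroupID) do not appear in the members attribute, so an export built this way will list Domain Users as nearly empty.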

All replies

  • What is your Forest Functional Level (FFL)? Before Windows Server 2003 FFL groups were limited to about 5000 members. If the FFL is Windows Server 2003 or above, the member attribute of groups can use linked value replication (LVR). Instead of replicating the entire attribute when there is an update, only the updates are replicated. This removes the 5000 member limit.

    But if members were added to the group before the FFL was raised they could be "legacy". If they are legacy, they will not take advantage of linked value replication. I don't recall seeing where the Get-ADGroupMember cmdlet had a problem with legacy values, but it sounds like it could be the cause of your issue.

    If this sounds like your problem, this Wiki explains:

    https://social.technet.microsoft.com/wiki/contents/articles/32132.active-directory-allow-linked-multi-valued-attributes-to-use-lvr.aspx

    It links this script to find groups with legacy values:

    https://gallery.technet.microsoft.com/Find-All-AD-Objects-With-7360a74b

    and this script to fix a group:

    https://gallery.technet.microsoft.com/Fix-Legacy-Members-of-a-e69d69db


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by Hello_2018 Tuesday, June 27, 2017 9:45 AM
    • Unproposed as answer by Chester64.2 Wednesday, June 28, 2017 10:20 PM
    Thursday, June 22, 2017 6:20 PM
  • Unfortunately modifying a config file on a client's server is not an option.
    Wednesday, June 28, 2017 9:57 PM
  • To test out the Legacy value theory, I created a new security group, created 5100 test users (imported via csv), and added the test users to the security group. Then I tested the security group using the suggested method in the link you provided with the command "repadmin /showobjmeta ...". It shows "Present" for all members. When I run Get-ADGroupMember for that group it still fails saying "Get-ADGroupMember : The size limit for this request was exceeded"

    Wednesday, June 28, 2017 10:20 PM
  • To test out the Legacy value theory, I created a new security group, created 5100 test users (imported via csv), and added the test users to the security group. Then I tested the security group using the suggested method in the link you provided with the command "repadmin /showobjmeta ...". It shows "Present" for all members. When I run Get-ADGroupMember for that group it still fails saying "Get-ADGroupMember : The size limit for this request was exceeded"

    You miss the point. A group can always have more than 5000 members. It is the ADSI API that limits this by a value set in AD. In modern AD this restriction can be disabled as long as no programs are dependent on it. Once disabled then we can retrieve more values but you may need to set the AD internal limit and fix the legacy groups to allow replication before the API can return them.


    \_(ツ)_/

    Wednesday, June 28, 2017 10:25 PM