none
Get-ADGroupMember : The size limit for this request was exceeded RRS feed

  • Question

  • I am trying to extract all members of global groups from AD. Some of the groups will have either Users, Groups or Computer objects in them. Some will contain a mixture of Users and Groups. The problem I have is that some groups have more than 5000 members and that group is not reported out to csv and I can not get past this issue. The script I have included will report out the required information on any combination of  members, but will fail on a group with over 5000 members.  Any assistance would help.
    $Groups = Get-ADGroup "GroupName" 
    
    $Results = ForEach( $Group in $Groups )
    {
        Get-ADGroupMember -Identity $Groups |
        ForEach {
    
    [pscustomobject]@{
                      Group  = $Group.Name
                      Name   = $_.samaccountname
                      DSName = $_.Distinguishedname
                     }
    
                } | Export-Csv -NoTypeInformation "u:\temp\AllGlobalGroupMembersTest.CSV"
    
    }


    Wednesday, April 3, 2019 8:32 PM

All replies

  • Your code is quite faulty.  You are trying to get groups from a group which doesn't make sense given your question.

    Start here. This gives all global groups:

    Get-ADGroup -Filter {GroupScope -eq 'Global'}

    The following gets the members of all global groups:

    Get-ADGroup -Filter {GroupScope -eq 'Global'} | Get-AdGroupMember

    You can add a select to the  end to format the properties you want.


    \_(ツ)_/

    Wednesday, April 3, 2019 9:06 PM
  • I think I may have not been too clear. The above code uses a single group as an example. I could have used an array or a filter as you descibed.

    My code above works perfectly and only requires a simple modification to get all global groups from AD however, 

    Get-ADGroup -Filter {GroupScope -eq 'Global'} | Get-AdGroupMember returns :

    "Get-AdGroupMember : The size limit for this request was exceeded"

    when it is run against a group with over 5000 members.  Reporting on groups with more than 5000 members with members being in any combination of Users, Groups and Computers is what I need to achieve.

    Wednesday, April 3, 2019 10:25 PM
  • Then your admins have likely set a max query result limit in AD to prevent large queries from bogging the AD server down.

    You can search for articles on how to do a partitioned query.  There is an LDAP filter syntax that allows you to query AD in pieces.

    https://stackoverflow.com/questions/46078880/get-adgroupmember-the-size-limit-for-this-request-was-exceeded

    There are many approaches that can work.  Search to find more.  Also look in the Gallery for ones that use ADSI directly.


    \_(ツ)_/


    • Edited by jrv Wednesday, April 3, 2019 11:00 PM
    Wednesday, April 3, 2019 10:57 PM