How do I resolve the "Size limit exceeded for Get-Adgroupmember" error when listing a group with thousands of members?

  • Question

  • Hello,

    I run the following commands from the 2.0 Command line on a Domain Controller to list the members of a large group (thousands of members) and to count the number of objects (measure-object):

    get-adgroupmember "mygroup"

    get-adgroupmember "mygroup" | measure-object

    Get-ADGroupMember : The size limit for this request was exceeded
    At line:1 char:18
    + get-adgroupmember <<<<  "mygroup"
        + CategoryInfo          : NotSpecified: (mygroup:ADGroup) [Get-ADGroupMember], ADException
        + FullyQualifiedErrorId : The size limit for this request was exceeded,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    What do I need to do to resolve this error?  Thanks in advance.

    Thanks for your help! SdeDot

    Monday, July 9, 2012 11:53 PM

Answers

  • This is due to a limitation in AD web services; see:

    http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx

    The default limit is 5000. This can be adjusted in a config file, but to keep things consistent you have to update that file on each DC.


    Security

    • Proposed as answer by Racanelv Monday, September 10, 2012 4:56 PM
    • Marked as answer by SdeDot Saturday, April 26, 2014 2:43 AM
    Monday, September 10, 2012 4:55 PM
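Because the answer above hinges on the limit being the same on every DC, here is an added example (not code from the thread or from Microsoft) that reads the ADWS setting from each domain controller and reports where it differs. It assumes the ADWS configuration file is %SystemRoot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config on each DC, reachable through the admin$ share, and that the MaxGroupOrMemberEntries key is absent when the default of 5000 applies. Note that raising the value means every Get-ADGroupMember call may make the DC build a much larger response, so checking consistency is also a way of spotting an unplanned change on a single DC.

```powershell
# Added example, not from the thread: report the ADWS MaxGroupOrMemberEntries
# setting on every domain controller so a raised limit is consistent across DCs.
# Assumptions: the config file lives at %SystemRoot%\ADWS\ on each DC (reached
# via admin$), and the key is absent when the default of 5000 applies.
function Get-AdwsGroupMemberLimit {
    [CmdletBinding()]
    param(
        # Defaults to every DC in the current domain
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName),
        [int]$DefaultLimit = 5000
    )

    foreach ($dc in $DomainController) {
        $path = "\\$dc\admin$\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config"
        $limit = $null; $explicit = $false; $err = $null
        try {
            [xml]$config = Get-Content -Path $path -Raw -ErrorAction Stop
            # appSettings/add nodes carry the ADWS tunables as key/value pairs
            $node = @($config.configuration.appSettings.add) |
                Where-Object { $_.key -eq 'MaxGroupOrMemberEntries' } |
                Select-Object -First 1
            if ($node) { $limit = [int]$node.value; $explicit = $true }
            else       { $limit = $DefaultLimit }
        } catch {
            # Unreachable DC, missing file or access denied: report, do not stop
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            DomainController        = $dc
            MaxGroupOrMemberEntries = $limit
            ExplicitlySet           = $explicit
            Error                   = $err
        }
    }
}

# Usage: one row per DC; anything that is not the same value on every row needs attention
# Get-AdwsGroupMemberLimit | Sort-Object MaxGroupOrMemberEntries | Format-Table -AutoSize
```

The function only reads the file; changing the limit, if you decide to, is a per-DC edit followed by a restart of the ADWS service, and the workarounds further down this thread (reading the group's member attribute) avoid touching the DCs at all.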

All replies

  • Hi,

    Please try below code:

    # Bind to the group with ADSI (straight quotes; curly quotes break the parser)
    $group = [adsi]"LDAP://CN=Group1,CN=Users,DC=msad,DC=WIN"
    # IADsGroup::Members enumerates the whole membership; read the name of each member
    $members = $group.psbase.invoke("Members") | foreach {$_.GetType().InvokeMember("name",'GetProperty',$null,$_,$null)}
    $members.count

    $members.count reports the number of users in Group1.
    $members will list all the members of the group.

    This is fairly efficient as well, works well with groups which have members much much more than a thousand.

    In addition, please also refer to the below similar thread:

    http://forums.devshed.com/ldap-programming-76/how-to-get-all-objects-from-ldap-when-size-limit-649795.html

    Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    • Marked as answer by Yan Li_ Thursday, August 9, 2012 5:25 AM
    • Unmarked as answer by Yan Li_ Thursday, August 9, 2012 5:25 AM
    • Proposed as answer by mounsen Thursday, October 25, 2018 1:39 PM
    Tuesday, July 10, 2012 1:50 AM
  • Thanks Yan. That code works, but why doesn't my code work? I would like to get mine to work because it's only a few keywords and much easier and simpler to code.

    Thanks for your help! SdeDot

    Tuesday, July 10, 2012 2:20 AM
  • Do you know exactly how many users you have in your group? I never ran into a limit like this before. What I recommend you can try is to run the code on a different machine, preferably 64bit, running 64bit version of PowerShell to see if it is a memory limitation rather than a Cmdlet limitation.

    Jaap Brasser
    http://www.jaapbrasser.com

    Tuesday, July 10, 2012 6:59 AM
  • Thanks for the response Jaap.

    The number of users is 22652 with this code running on a 64bit R2 Server 2008 DC.


    Thanks for your help! SdeDot

    Tuesday, July 10, 2012 6:50 PM
  • If PowerShell's AD cmdlets have problems with such a large group, is it the case that this group causes you other problems as well? If your only problem occurs when you run a script to examine the group contents, then you could avoid the problem by just not bothering to look at it ;-)

    It could be, though, that the size of the group itself is causing other issues too, that might be alleviated by restructuring. For example, you could think about moving the individual members of the group into a few new groups and adding them as members of the group in question. You would then run your above script on each of the new groups.

    How to split them up, and how to manage the group through other changes, would need to be considered. One thing that might work would be to introduce 26 new groups, one for each letter of the alphabet. If the main group was called GROUP, you would move all of the accounts whose names started with "A" into GROUP_A, ... started with "B" into GROUP_B, etc. Then add GROUP_A, GROUP_B, etc. as members of GROUP. This would assume some reasonable distribution of names, and would not work if all of your accounts had a common prefix, as in USER_Smith, etc.


    Al Dunbar

    Tuesday, July 10, 2012 7:28 PM
  • I will do some testing to see if I can replicate the problem. I will get back to you tomorrow to see where the limitation lies.

    Although the work-around offered by Yan Li_ is quite good. In general using [adsi] and [adsisearcher] is the fastest method of querying AD from PowerShell.


    Jaap Brasser
    http://www.jaapbrasser.com

    Tuesday, July 10, 2012 8:04 PM
  • I think this is related to the ADSI limitation of 1500 items for a multi-valued attribute. You should check if the problem indeed occurs if the amount of groupmembers exceeds 1500.
    Wednesday, July 11, 2012 4:27 PM
  • Here is another workaround sample:

    Get-ADGroup "My Group" -Properties Member | 
    Select-Object -ExpandProperty Member |
    Get-ADUser 

    This works because Get-ADUser accepts the DN as pipeline input for the 'Identity' parameter.  See this link for help content for Get-ADUser:

    http://technet.microsoft.com/en-us/library/ee617241.aspx


    CraigMartin – Edgile, Inc. – http://identitytrench.com

    • Proposed as answer by MK900 Thursday, August 28, 2014 2:27 PM
    Thursday, July 18, 2013 5:27 PM
  • Hi all,

    Is it possible to create AD groups with more than 20000 members?

    Which interface should be used to create users and groups in bulk
    (LDAPS, RPC, ADSI, etc.)? I don't know, and why?


    We use Windows 2012 R2 with forest function level 2008 R2.

    We are a campus university and we may have groups like "students" (maybe 12000 Accounts) and "Campus-member" (maybe 20000, each user with an account is member)

    The AD users and groups will be provisioned with an identity management system
    over LDAPS.

    I have found MS Paper about AD LDAP Policy ...

    Windows Server 2008 and newer domain controller returns only 5000 values in a LDAP response
    http://support.microsoft.com/kb/200926

    Thank you very much.

    Best regards

    Andi

    Wednesday, April 16, 2014 12:25 PM
  • This is a bit slow, but it works:

    (Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member | Get-ADUser | Measure-Object).count

    Tested with a group that has 21,134 members.

    • Proposed as answer by Cody L Belcher Monday, October 22, 2018 8:18 PM
    Monday, April 18, 2016 12:49 AM
  • I managed it on a Windows 2012 member server which queries the 2008 R2 DC over the network with this:

    [array]$groupmembers = (get-adgroup -identity {groupname} -properties members).members

    [array]$groupmembers.count

    It was fast as hell with 5503 members in a manually created group.
    Interestingly, it didn't work with 'Domain Users' :-( - the result was a wrong count.

    Edit:

    OK, this Domain Users problem was because of the Primary Group membership.

    The -properties members method does not work with the group members' primary group. :-(

    So I worked around it with a different solution - use a CMD command without any limitation:

    [array]$Groupmembers = DSGET.EXE group $GroupDN -members | Where {$_ -NE ""}

    The Where eliminates the empty line at the end of the DSGET output.

    Otherwise the array has one element too many.

    Additionally, DSGET wraps the output elements in "". These must be eliminated too

    in each line for further processing, for example with $MemberObject = $MemberObject -replace '[""]',''




    Tuesday, May 17, 2016 10:53 AM
  • Hi!

    I ran into the same problem this afternoon. Here was my solution:

    $group = Get-ADGroup -Identity GROUPNAME -Properties member
    $members = @()
    $members = $group.member
    $members.count

    That group had about 5,400 members.

    -M

    Wednesday, July 6, 2016 9:52 PM
  • 1CuriousKid,

    I ran your script against a large group, "Domain Computers", and I get "0" as the results.  I don't get the error "The size limit for this request was exceeded" anymore, yet I get zero as a count.  Am I missing something here?

    Thanks

    Friday, August 5, 2016 6:52 PM
  • No need for Get-ADuser or Measure-Object... try this:

    @(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member).count



    Thursday, August 11, 2016 5:31 PM
  • This one is lightning Fast!! Took only 2 seconds to enumerate through some 20k members! 

    kat

    Wednesday, June 21, 2017 6:35 PM
  • You can use the script below to find the IDs for all users in an AD group which has > 5000 users, and then use Get-ADUser against that list of IDs to get user details.

    $ADGroupName = "YourADGroupName"

    $InputPath = "\\BOCNTDFS1.BOC.CHEVRONTEXACO.NET\SHARE\Dropbox\UserCAIs.txt"

    # The member attribute is returned in full, unlike Get-ADGroupMember
    $a = @(Get-ADGroup $ADGroupName -Properties Member | Select-Object -ExpandProperty Member)

    ForEach ($member in $a)
    {
     # Take the CN value out of the DN (this is only a logon ID where CN equals the sAMAccountName)
     $SplitStep1 = ($member -split ",",2)[0]
     $SplitStep2 = ($SplitStep1 -split "=",2)[1]
     $SplitStep2 | Out-File -Append $InputPath
    }

    # Collect every user object instead of overwriting $b on each iteration;
    # -Properties needs an argument, * returns all attributes
    $b = ForEach ($value in (Get-Content $InputPath))
    {
     Get-ADUser -Identity $value -Properties *
    }



    Tuesday, July 11, 2017 6:04 PM
  • I have a group with over 5000 members, and some of the members are in nested groups. Is there a way to use the following method and get the nested members:

    @(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member)

    My current PowerShell is failing and I would rather modify the code than ask to update the AD web service.

    Current code:

    $coregroupmembers = Get-ADGroupMember $coregroup -Recursive

    Thanks

    Thursday, November 9, 2017 9:44 PM
  • Hi Craig,

    The cmdlet below worked well. However, it will give an error if the members also contain groups. So here is another way:

    Get-ADGroup "Group Name" -Properties member | Select-Object -ExpandProperty member | Get-ADObject -Properties SamAccountName,DistinguishedName | Select SamAccountName,DistinguishedName,ObjectClass


    Guru

    Friday, November 24, 2017 10:53 AM
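The posts above cover three separate problems with the member-attribute workaround: nested groups (the question about -Recursive), members that are groups rather than users (Guru's Get-ADObject variant), and accounts whose primary group is the group in question (the 'Domain Users' miscount reported earlier, since primary-group membership is stored on the account as primaryGroupID, not in the group's member attribute). The following is an added example, not code from any poster, that handles all three in one function. It assumes the ActiveDirectory module, that the caller can read the objects, and that nested groups are reported the way Get-ADGroupMember -Recursive reports them (leaves only); the function name and parameters are my own.

```powershell
# Added example, not code from the thread: enumerate a large group through its
# 'member' attribute instead of Get-ADGroupMember, following nested groups and,
# optionally, accounts whose *primary* group is this group.
# Assumes the ActiveDirectory module; names and parameters are this example's own.
function Get-GroupMemberViaAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,   # name, sAMAccountName, DN or SID of the group
        [switch]$Recursive,                        # expand nested groups, report leaves only
        [switch]$IncludePrimaryGroupMembers        # add accounts with primaryGroupID = this group
    )

    $seenMembers = New-Object 'System.Collections.Generic.HashSet[string]'
    $seenGroups  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue       = New-Object 'System.Collections.Generic.Queue[string]'

    $root = Get-ADGroup -Identity $Identity
    $queue.Enqueue($root.DistinguishedName)
    [void]$seenGroups.Add($root.DistinguishedName)

    while ($queue.Count -gt 0) {
        $groupDn = $queue.Dequeue()
        # 'member' comes back in full from ADWS; primaryGroupToken is the group's RID
        $group = Get-ADGroup -Identity $groupDn -Properties member, primaryGroupToken
        $memberDns = @($group.member)

        if ($IncludePrimaryGroupMembers) {
            # Primary-group membership lives on the account, not in 'member'
            $memberDns += @(Get-ADObject -LDAPFilter "(primaryGroupID=$($group.primaryGroupToken))" |
                            Select-Object -ExpandProperty DistinguishedName)
        }

        foreach ($dn in $memberDns) {
            if ([string]::IsNullOrEmpty($dn)) { continue }
            if (-not $seenMembers.Add($dn)) { continue }     # already reported (cycles, several paths)
            try {
                $obj = Get-ADObject -Identity $dn -Properties sAMAccountName -ErrorAction Stop
            } catch {
                # e.g. a foreign security principal that cannot be resolved from here
                [pscustomobject]@{ DistinguishedName = $dn; SamAccountName = $null
                                   ObjectClass = 'unresolved'; MemberOf = $groupDn }
                continue
            }
            if ($Recursive -and $obj.ObjectClass -eq 'group') {
                if ($seenGroups.Add($dn)) { $queue.Enqueue($dn) }
                continue                                     # report the leaves, not the nested group
            }
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                SamAccountName    = $obj.sAMAccountName
                ObjectClass       = $obj.ObjectClass
                MemberOf          = $groupDn                 # which group this entry was found in
            }
        }
    }
}

# Usage: full listing for an access review, exported for comparison with the last run
# Get-GroupMemberViaAttribute -Identity 'mygroup' -Recursive -IncludePrimaryGroupMembers |
#     Export-Csv -NoTypeInformation .\mygroup-members.csv
```

The per-member Get-ADObject call is what makes this slow on very large groups (the thread's 337k-member timing below is the same cost); if you only need DNs and a count, skip the resolution and use the member attribute directly as the shorter one-liners in this thread do. The MemberOf column is kept on purpose: for a review it matters whether an account is a direct member or arrived through a nested group.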
  • Your suggestion was exactly what I needed, thank you.

    I think you can simplify this code a bit.  

    (Get-ADGroup "My Group" -Properties Member).Member | Get-ADUser


    Friday, December 8, 2017 2:32 PM
  • worked perfectly to get around the 5k default limit (when I only want the count) Thanks!
    Tuesday, April 17, 2018 2:42 PM
  • I know this is an old (answered) thread, but I encountered this in WS2016 AD with a group that has >337k members, for reference:

    Using the command

    @(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member).count

    it took 93s.

    Using the ADSI method Yan Li suggested, it took 1260s

    Wednesday, May 9, 2018 11:45 AM
  • The ADSI code is slow because it invokes a method to retrieve group membership, then enumerates the resulting collection to retrieve the Name of each member. See how much time is required if you simply count the entries in the member attribute of the group, similar to below:

    $Group = [ADSI]"LDAP://cn=MyGroup,ou=Sales,dc=MyDomain,dc=com"
    $Num = $Group.member.Count
    $Num


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Wednesday, May 9, 2018 3:43 PM
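The ADSI discussion above touches on the other limit in play here: the LDAP policy MaxValRange (1500 values per attribute per response by default, the KB article linked earlier), which is independent of the ADWS limit. The standard way around it is range retrieval, asking for member;range=0-1499, then 1500-2999, and so on until the server marks the last chunk with an asterisk. The following is an added example (not code from Richard Mueller or anyone else in the thread) that does this with System.DirectoryServices only, so it needs neither ADWS nor the ActiveDirectory module; the group DN is an assumed input and the function name is my own.

```powershell
# Added example, not code from the thread: read a group's 'member' attribute with
# explicit LDAP range retrieval so the full list is returned regardless of the
# server's MaxValRange policy. Plain System.DirectoryServices; no ADWS needed.
function Get-GroupMemberDnRanged {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupDN,   # assumed input, e.g. CN=mygroup,OU=Groups,DC=example,DC=com
        [int]$RangeSize = 1500                    # never ask for more than the default MaxValRange
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]"LDAP://$GroupDN"
    $searcher.SearchScope = 'Base'                # we only want this one object
    $searcher.Filter      = '(objectClass=group)'

    $members = New-Object 'System.Collections.Generic.List[string]'
    $start = 0
    try {
        while ($true) {
            $end = $start + $RangeSize - 1
            $searcher.PropertiesToLoad.Clear()
            [void]$searcher.PropertiesToLoad.Add("member;range=$start-$end")

            $result = $searcher.FindOne()
            if (-not $result) { throw "Group not found or not readable: $GroupDN" }

            # The server names the attribute after the range it actually returned;
            # the final chunk comes back as "member;range=<start>-*".
            $returned = $result.Properties.PropertyNames |
                Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
            if (-not $returned) { break }                # no (more) values: empty group

            foreach ($dn in $result.Properties[$returned]) { $members.Add([string]$dn) }
            if ($returned -like '*-[*]') { break }       # literal '*' marks the last range
            $start = $end + 1
        }
    } finally {
        $searcher.Dispose()
    }
    return ,$members.ToArray()
}

# Usage (assumed DN):
# $dns = Get-GroupMemberDnRanged -GroupDN 'CN=mygroup,OU=Groups,DC=example,DC=com'
# $dns.Count
```

Each loop iteration is one base-scope search returning at most $RangeSize DNs, so the cost grows linearly with the group size and no single response has to carry the whole attribute; that is also why it keeps working against a DC whose LDAP policy has been tightened below the default.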
  • What am I missing here? I thought the thread was about listing the names of the users in the group. What good does getting a number count if you don't know who they are?????

    I want to get a list of users and their attributes from large groups, but I don't see anyone here really solving that issue.

    Thursday, May 24, 2018 12:37 AM
  • The method mentioned above is a workaround to the Get-ADGroupMember limitation. You get the members when omitting the .Count code and you can get any member (user) properties using the code AndyHJ wrote above.
    Thursday, May 24, 2018 12:48 AM
  • To list members in DN format (displayed as [string])...

    (Get-ADGroup "GroupName" -Properties member).member

    To count the members...   

    ((Get-ADGroup "GroupName" -Properties member).member).count



    • Edited by AbfSailor Monday, July 16, 2018 6:47 PM format
    • Proposed as answer by AbfSailor Monday, July 16, 2018 6:47 PM
    • Unproposed as answer by AbfSailor Monday, July 16, 2018 6:48 PM
    Monday, July 16, 2018 6:38 PM
  • This also worked for me! Thank you
    Monday, October 22, 2018 8:18 PM
  • Hi!

    I ran into the same problem this afternoon. Here was my solution:

    $group = Get-ADGroup -Identity GROUPNAME -Properties member
    $members = @()
    $members = $group.member
    $members.count

    That group had about 5,400 members.

    -M


    The fastest and working option. Two seconds for the group with 20000 users.
    Thursday, June 6, 2019 8:11 AM
  • Dude, that's exactly the same as the simplified cmdlets proposed earlier

    $members = (Get-ADGroup -Identity GROUPNAME -Properties member).member

    $count = (Get-ADGroup GROUPNAME -Properties member).member.count

    16978 members group:

    Measure-Command -Expression {(Get-ADGroup GROUPNAME -Properties member).member.count}

    TotalMilliseconds : 354.7558

    • Edited by TrixM Tuesday, August 6, 2019 4:59 AM formatting
    Tuesday, August 6, 2019 4:23 AM
  • Thanks for the simple code. This helped in doing my task.

    Regards, Uma Yellapragada

    Tuesday, February 11, 2020 4:07 AM