How do I resolve the "Size limit exceeded for Get-Adgroupmember" error when listing a group with thousands of members?

All replies

• 

  

  10

  Sign in to vote

  Hi,

  Please try below code:

  $group =[adsi]”LDAP://CN=Group1,CN=Users,DC=msad,DC=WIN” 
  $members = $group.psbase.invoke("Members") | foreach {$_.GetType().InvokeMember("name",'GetProperty',$null,$_,$null)} 
  $members.count

  $members.count reports the number of users in Group1.
  $members will list all the members of the group.
  
  This is fairly efficient as well, works well with groups which have members much much more than a thousand.

  In addition, please also refer to the below similar thread:

  http://forums.devshed.com/ldap-programming-76/how-to-get-all-objects-from-ldap-when-size-limit-649795.html

  Regards,

  Yan Li

  ---

  Yan Li

  TechNet Community Support

  

  • Marked as answer by Yan Li_ Thursday, August 9, 2012 5:25 AM
  • Unmarked as answer by Yan Li_ Thursday, August 9, 2012 5:25 AM
  • Proposed as answer by mounsen Thursday, October 25, 2018 1:39 PM

  Tuesday, July 10, 2012 1:50 AM
• 

  

  0

  Sign in to vote

  Thanks Yan. That code works, but why doesnt my code work? I would like to get mine to work cause its only a few keywords and much easier and simpler to code.

  ---

  Thanks for your help! SdeDot

  Tuesday, July 10, 2012 2:20 AM
• 

  

  0

  Sign in to vote

  Do you know exactly how many users you have in your group? I never ran into a limit like this before. What I recommend you can try is to run the code on a different machine, preferably 64bit, running 64bit version of PowerShell to see if it is a memory limitation rather than a Cmdlet limitation.

  ---

  Jaap Brasser
  http://www.jaapbrasser.com

  Tuesday, July 10, 2012 6:59 AM
• 

  

  0

  Sign in to vote

  Thanks for the response Jaap.

  The number of users is 22652 with this code running on a 64bit R2 Server 2008 DC.

  ---

  Thanks for your help! SdeDot

  Tuesday, July 10, 2012 6:50 PM
• 

  

  0

  Sign in to vote

  if powershell's AD cmdlets have problems with such a large group is it the case that this group causes you other problems as well? If your only problem occurs when you run a script to examine the group contents, then you could avoid the problem by just not bothering to look at it ;-)

  It could be, though, that the size of the group itself is causing other issues too, that might be alleviated by restructuring. For example, you could think about moving the individual members of the group into a few new groups and adding them as members of the group in question. you would then run your above script on each of the new groups.

  How to split them up, and how to manage the group through other changes would need to be considered. One thing that might work would be to introduce 26 new groups, one for each letter of the alphabet. If the main group was called GROUP, you would move all of the accounts whose names started with "A" into GROUP_A, ... started with "B" into GROUP_B", etc. Then add GROUP_A, GROUP_B, and etc as members of GROUP. This would assume some reasonable distribution of names, and would not work if all of your accounts had a common prefix, as in USER_Smith, etc.

  ---

  Al Dunbar

  Tuesday, July 10, 2012 7:28 PM
• 

  

  0

  Sign in to vote

  I will do some testing to see if I can replicate the problem, I will get back to your tomorrow to see where the limitation lies.

  Although the work-around offered by Yan Li_ is quite good. In general using [adsi] and [adsisearcher] is the fastest method of querying AD from PowerShell.

  ---

  Jaap Brasser
  http://www.jaapbrasser.com

  Tuesday, July 10, 2012 8:04 PM
• 

  

  0

  Sign in to vote

  I think this is related to the ADSI limitation of 1500 items for a multi-valued attribute. You should check if the problem indeed occurs if the amount of groupmembers exceeds 1500.

  Wednesday, July 11, 2012 4:27 PM
• 

  

  1

  Sign in to vote

  This due to a limitation in AD web services see:

  http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx

  The default limit is 5000 this can be adjusted in a config file but to keep things consistent you have to update that file on each DC.

  ---

  Security

  • Proposed as answer by Racanelv Monday, September 10, 2012 4:56 PM
  • Marked as answer by SdeDot Saturday, April 26, 2014 2:43 AM

  Monday, September 10, 2012 4:55 PM
• 

  

  20

  Sign in to vote

  Here is another workaround sample:

  Get-ADGroup "My Group" -Properties Member | 
  Select-Object -ExpandProperty Member |
  Get-ADUser 

  This works because Get-ADUser accepts the DN as pipeline input for the 'Identity' parameter.  See this link for help content for Get-ADUser:

  http://technet.microsoft.com/en-us/library/ee617241.aspx

   

   

  ---

  CraigMartin – Edgile, Inc. – http://identitytrench.com

  • Proposed as answer by MK900 Thursday, August 28, 2014 2:27 PM

  Thursday, July 18, 2013 5:27 PM
• 

  

  0

  Sign in to vote

  Hi all,

  is it possible to create AD groups with more than 20000 member ?
  

  Which interface should be used to create users and groups in bulk.
  (LDAPs, RPC, ADSI.... etc.)  i dont know and why ??

  
  We use Windows 2012 R2 with forest function level 2008 R2.

  We are a campus university and we may have groups like "students" (maybe 12000 Accounts) and "Campus-member" (maybe 20000, each user with an account is member)
  
  The AD users and groups will be provisioned with an identity management system,
  about LDAPs. 
  
  I have found MS Paper about AD LDAP Policy ...
  
  Windows Server 2008 and newer domain controller returns only 5000 values in a LDAP response
  http://support.microsoft.com/kb/200926

  Thank you very much.
  

  Best regards

  Andi

  Wednesday, April 16, 2014 12:25 PM
• 

  

  1

  Sign in to vote

  This is a bit slow, but it works:

  (Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member | Get-ADUser | Measure-Object).count

  Tested with a group that has 21,134 members

  • Proposed as answer by Cody L Belcher Monday, October 22, 2018 8:18 PM

  Monday, April 18, 2016 12:49 AM
• 

  

  0

  Sign in to vote

  I managed it on a Windows 2012 member server which query the 2008R2 DC via Network with this:
  

  [array]$groupmembers = (get-adgroup -identity {groupname} -properties members).members

  [array]$groupmembers.count

  Was fast as hell with 5503 members in a manual created group.
  Interesting was it didn't work with 'Domain Users' :-( - result was a wrong count

  Edit:

  OK, this Domain Users problem was because of the Primary Group membership.

  The -properties members method do not work with the groupmembers primary group. :-(

  So I worked around a different solution - use a CMD command without any limitation:
  [array]$Groupmembers = DSGET.EXE group $GroupDN -members | Where {$_ -NE ""}}

  The Where eliminates the empty line at the end of the DSGET output.

  Otherwise the array owns one element to much.

  Additional the DSGET puts the output elements into "". These must be eliminated too

  in each line for further working, as example with $MemberObject = $MemberObject -replace '[""]',''

  
  
  
  

  • Edited by Robert Pieroth Friday, May 20, 2016 1:03 PM

  Tuesday, May 17, 2016 10:53 AM
• 

  

  4

  Sign in to vote

  Hi!

  I ran into the same problem this afternoon. Here was my solution:

  $group = Get-ADGroup -Identity GROUPNAME -Properties member
  $members = @()
  $members = $group.member
  $members.count

  That group had about 5,400 members.

  -M

  • Proposed as answer by Alexey N. Dmitriev Thursday, June 6, 2019 8:09 AM

  Wednesday, July 6, 2016 9:52 PM
• 

  

  0

  Sign in to vote

  1CuriousKid,

  I ran your script against a large group, "Domain Computers", and I get "0" as the results.  I don't get the error "The size limit for this request was exceeded" anymore, yet I get zero as a count.  Am I missing something here?

  Thanks

  Friday, August 5, 2016 6:52 PM
• 

  

  1

  Sign in to vote

  No need for Get-ADuser or Measure-Object... try this:

  @(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member).count

  
  

  
  

  
  

  • Edited by Gerald W. Gaston Thursday, August 11, 2016 5:32 PM formatting

  Thursday, August 11, 2016 5:31 PM
• 

  

  0

  Sign in to vote

  This one is lightning Fast!! Took only 2 seconds to enumerate through some 20k members! 

  ---

  kat

  Wednesday, June 21, 2017 6:35 PM
• 

  

  1

  Sign in to vote

   You can use the script below to find the IDs for all users in an AD group which has > 5000 users, and then user Get-ADUser against that list of IDs to get user details.

  $ADGroupName = "YourADGroupName"
  
  $InputPath= "\\BOCNTDFS1.BOC.CHEVRONTEXACO.NET\SHARE\Dropbox\UserCAIs.txt"
  
  $a = @(Get-ADGroup $ADGroupName -Properties Member | Select-Object -ExpandProperty Member)
  
  ForEach ($member in $a)
  {
   $SplitStep1 = ($Member -split ",",2)[0]
   $SplitStep2 = ($SplitStep1 -split "=",2)[1]
   $SplitStep2 = $SplitStep2 | out-file -Append $InputPath
  }
  
  ForEach ($value in (Get-Content $InputPath))
  {
   $b = Get-ADUser -identity $value -properties
  }

  
  
  
  

  • Edited by Robert Altmiller Tuesday, July 11, 2017 6:05 PM

  Tuesday, July 11, 2017 6:04 PM
• 

  

  0

  Sign in to vote

  I have a group with over 5000 members, and some of the members are in nested groups.. is there a way to use the following method and get the nested members:

  @(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member).

  My current powershell is failing and I would rather modify the code then ask to update the AD web service.

  Current code:

  $coregroupmembers = Get-ADGroupMember $coregroup -Recursive

  Thanks

  Thursday, November 9, 2017 9:44 PM
• 

  

  1

  Sign in to vote

  Hi Craig,

  below cmdlet worked well. However it will give error if the members also contains groups. So here is another way:

  Get-ADGroup "Group Name"  -Properties member |Select-Object -ExpandProperty member|Get-ADObject -Properties Samaccountname,DistinguishedName |select Samaccountname,DistinguishedName,ObjectClass

  ---

  Guru

  • Proposed as answer by Gururaj Meghraj Friday, November 24, 2017 10:53 AM

  Friday, November 24, 2017 10:53 AM
• 

  

  1

  Sign in to vote

  Your suggestion was exactly what I needed, thank you.

  I think you can simplify this code a bit.  

  (Get-ADGroup "My Group" -Properties Member).Member | Get-ADUser

  
  

  
  

  Friday, December 8, 2017 2:32 PM
• 

  

  1

  Sign in to vote

  worked perfectly to get around the 5k default limit (when I only want the count) Thanks!

  Tuesday, April 17, 2018 2:42 PM
• 

  

  0

  Sign in to vote

  I know this is an old (anwered thread), but encountered this in WS2016 AD with a group that has >337k members, for reference:

  Using the command

  @(Get-ADGroup "mygroupnamehere" -Properties Member | Select-Object -ExpandProperty Member).count

  it took 93s.

  Using the ADSI method Yan Li suggested, it took 1260s

  Wednesday, May 9, 2018 11:45 AM
• 

  

  0

  Sign in to vote

  The ADSI code is slow because it invokes a method to retrieve group membership, then enumerates the resulting collection to retrieve the Name of each member. See how much time is required if you simply count the entries in the member attribute of the group, similar to below:

  $Group = [ADSI]"LDAP://cn=MyGroup,ou=Sales,dc=MyDomain,dc=com"
  $Num = $Group.member.Count
  $Num

  
  

  ---

  Richard Mueller - MVP Enterprise Mobility (Identity and Access)

  
  

  • Edited by Richard MuellerMVP Wednesday, May 9, 2018 3:43 PM fixed typo

  Wednesday, May 9, 2018 3:43 PM
• 

  

  0

  Sign in to vote

  What am I missing here? I thought the thread was about listing the names of the users in the group. What good does getting a number count if you don't know who they are?????

  I want to get a list of users and there attributes from large groups but I don't see anyone here really solving that issue.

  Thursday, May 24, 2018 12:37 AM
• 

  

  0

  Sign in to vote

  The method mentioned above is a workaround to the Get-ADGroupMember limitation. You get the members when omitting the .Count code and you can get any member (user) properties using the code AndyHJ wrote above.

  Thursday, May 24, 2018 12:48 AM
• 

  

  0

  Sign in to vote

  To list member in DN format (displayed as [string])...   

  (Get-ADGroup "GroupName" -Properties member).member

  To count the members...   

  ((Get-ADGroup "GroupName" -Properties member).member).count

  
  
  

  • Edited by AbfSailor Monday, July 16, 2018 6:47 PM format
  • Proposed as answer by AbfSailor Monday, July 16, 2018 6:47 PM
  • Unproposed as answer by AbfSailor Monday, July 16, 2018 6:48 PM

  Monday, July 16, 2018 6:38 PM
• 

  

  0

  Sign in to vote

  This also worked for me! Thank you

  Monday, October 22, 2018 8:18 PM
• 

  

  0

  Sign in to vote

  Hi!

  I ran into the same problem this afternoon. Here was my solution:

  $group = Get-ADGroup -Identity GROUPNAME -Properties member
  $members = @()
  $members = $group.member
  $members.count

  That group had about 5,400 members.

  -M

  
  The fastest and working option. Two second for the group with 20000 users.
  

  Thursday, June 6, 2019 8:11 AM
• 

  

  0

  Sign in to vote

  Dude, that's exactly the same as the simplified cmdlets proposed earlier

  $members = (Get-ADGroup -Identity GROUPNAME -Properties member).member

  $count = (Get-ADGroup GROUPNAME -Properties member).member.count

  16978 members group:

  Measure-Command -Expression {(Get-ADGroup GROUPNAME -Properties member).member.count}

  TotalMilliseconds : 354.7558

  • Edited by TrixM Tuesday, August 6, 2019 4:59 AM formatting

  Tuesday, August 6, 2019 4:23 AM
• 

  

  0

  Sign in to vote

  Thanks for the simple code. This helped in doing my task..

  ---

  Regards, Uma Yellapragada

  Tuesday, February 11, 2020 4:07 AM