0
votes

How could I get a list of members of multiple AD groups with more than 5000 users? Example:

Group1 = includes 6000 members and Group2
Group2 = includes 7000 members

The result of Get-ADGroupMember for Group1 should be 13000.

How can I do that? Here I have the problem that it will not look in subgroups; recursive will not work with Get-ADGroup.

$group = "group1"
$ADInfo = Get-ADGroup -Identity $Group -Properties Members 
$outputfile = $group
$ADInfo.Members | get-aduser | Select name, enabled, UserPrincipalName, SamAccountName  

#$ADInfo.Members | get-aduser | Select name, enabled, UserPrincipalName, SamAccountName  | Export-Csv c:\temp\$outputfile-member.csv -Delimiter "," -NoTypeInformation

# to show output
$members = @()
$members = $ADInfo.members
$members.count
2
You can try, then post your code here and we'll tell you where you went wrong. - Scepticalist

2 Answers

0
votes

With groups that large, it will be slow, but this should do what you want:

$groups = 'group1', 'group2'  # array of group names

foreach ($group in $groups) {
    Write-Host "Working on group '$group'"
    $result = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName | Select-Object Name, Enabled, UserPrincipalName, SamAccountName
    }
    # show result on screen
    $result | Format-Table -AutoSize

    # write to export file
    $result | Export-Csv -Path "c:\temp\$group-members.csv" -NoTypeInformation
}

Hope that helps

0
votes

The easiest solution would be to adjust the MaxGroupOrMemberEntries parameter in ADWS on the DC you are targeting. You can see information on ADWS defaults here.

You could do something like the following, which is potentially convoluted:

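function Get-ADGroupMembers
{
    param ($groupname)

    # Emit the name of each nested group, then recurse into it
    Get-ADGroupMember $groupname | where ObjectClass -eq 'Group' | ForEach-Object {
        $_.Name
        Get-ADGroupMembers $_.Name
    }
}

$maingroup = 'group1'
$subgroups = Get-ADGroupMembers $maingroup
$allGroups = @($maingroup)+@($subgroups)
$regexEscapes = $allGroups |% { [regex]::Escape($_) }
# Anchor on the leading RDN so only the member's own CN is compared; an
# unanchored "CN=(...)" would also drop users whose name starts with a group
# name or who sit in a container with that name (e.g. CN=Users)
$filter = "^CN=({0})," -f ($regexEscapes -join "|")
$output = foreach ($group in $allGroups) {
    # Read the Members attribute directly and keep only the DNs that are not nested groups
    Get-AdGroup $group -Properties Members | Select @{n='Members';e={$_.Members -notmatch $filter}}
}
$output.Members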

Explanation:

The function will list the Name property value for each recursively discovered member group.

Since the -notmatch regex operator is used in filtering, a regex match string needs to be constructed. There could be multiple groups so the | (regex OR) character needs to be used.

The [regex]::Escape method escapes all backslashes and other special regex characters that may appear in the name strings.

$output is an array of PSCustomObjects that contain the Members property. The Members property contains the DN of all members that are users.


Non-PowerShell commands may be better suited for this particular case if the ADWS default limits are not modified.
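
An added example, not part of either answer above: nested membership can also be resolved on the domain controller with the LDAP_MATCHING_RULE_IN_CHAIN filter through Get-ADUser, which avoids Get-ADGroupMember altogether and lists a user only once even when several groups lead to them. The names Get-NestedGroupUser, ConvertTo-LdapFilterValue, ViaGroup and the output file name are hypothetical; 'group1' and 'group2' are the group names used in the question.

```powershell
Import-Module ActiveDirectory   # added example; requires the RSAT ActiveDirectory module

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special inside an LDAP filter value (RFC 4515)
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-NestedGroupUser {
    # Returns every user that is a direct or nested member of the given groups
    param(
        [Parameter(Mandatory)][string[]]$GroupName,
        [string]$Server   # optional: domain controller to query
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $seen = @{}   # user DN -> output object, so each user appears once
    foreach ($name in $GroupName) {
        $groupDn = (Get-ADGroup -Identity $name @common).DistinguishedName
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the DC walks
        # memberOf through nested groups itself, including circular nesting
        $filter = '(memberOf:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $groupDn)
        Get-ADUser -LDAPFilter $filter @common | ForEach-Object {
            $dn = $_.DistinguishedName
            if ($seen.ContainsKey($dn)) {
                $seen[$dn].ViaGroup += ", $name"
            } else {
                $seen[$dn] = [pscustomobject]@{
                    Name              = $_.Name
                    Enabled           = $_.Enabled
                    UserPrincipalName = $_.UserPrincipalName
                    SamAccountName    = $_.SamAccountName
                    ViaGroup          = $name   # top-level group(s) that reach this user
                }
            }
        }
    }
    # memberOf does not record a user's primary group, so users whose primary
    # group is one of these groups are not returned by this filter
    $seen.Values | Sort-Object SamAccountName
}

# Usage with the group names from the question
Get-NestedGroupUser -GroupName 'group1', 'group2' |
    Export-Csv -Path 'c:\temp\nested-members.csv' -NoTypeInformation
```

The in-chain match is evaluated on the domain controller and can take a while for very large or deeply nested groups.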