How to fix: Get-ADGroupMember : The size limit for this request was exceeded

Working in a larger Active Directory environment I occasionally got the error:

When trying to read all the members (recursively) of an AD Group.
This was annoying since in the alternatives are limited especially when using the -recursive option.
You could try with:

or

However these don’t have the recursive option.

And why look for an alternative since you have the Get-ADGroupMember option it just seems to be limited.  Which in all fairness is a good safety precaution, because you don’t want to accidentally run a command with 5 million results.

The default limit is 5.000 objects. And this is a limit from the Active Directory Web Service. This limit only applies to these three cmdlets:

ADWS is a requirement for utilizing the ActiveDirectoy module for PowerShell. You will need to change this setting on each Active Directory Domain Controllers to avoid hit is miss scenario’s or you will need to make sure you always run these types or queries against the same Domain Controllers.

On the Domain Controller navigate to the file C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config
Below the tag: <appSettings>, place this entry (first check if it is already present):

In the above example I have used 25000 however you can adjust accordingly. But you should take note that: This setting can affect the memory consumption of the ADWS service
And also take note that there is still a 5 minute timeout imposed on all your requests. If you cannot retrieve the information in 5 minutes, the request will fail. Changing to from 5.000 to 25.000 I didn’t notice any performance impact but this might vary per environment so be sure to test this first for you specific situation.

Save the config file and restart the ADWS Service on the Domain Controller.

Repeat this on all your Domain Controllers.

I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me:

• 
• 
•