Working in a larger Active Directory environment, I occasionally got the error:

```
Get-ADGroupMember : The size limit for this request was exceeded
```

This happened when trying to read all the members of an AD group recursively.
This was annoying, since the alternatives are limited, especially when you need the -Recursive option.
You could try with (the group is identified by its distinguished name):

```
dsget group "<Group DN>" -members | dsget user -samid
```

or

```powershell
Get-ADGroup -Identity "<GroupName>" -Properties Member | Select-Object -ExpandProperty Member
```

However, neither of these has a recursive option.
And why look for an alternative at all, since you already have Get-ADGroupMember? It just seems to be limited, which in all fairness is a good safety precaution, because you don't want to accidentally run a command that returns 5 million results.
The default limit is 5,000 objects, and it is imposed by the Active Directory Web Service (ADWS), not by the cmdlet itself. The limit only applies to these three cmdlets:

```
Get-ADGroupMember, Get-ADPrincipalGroupMembership, Get-ADAccountAuthorizationGroup
```
ADWS is a requirement for using the ActiveDirectory module for PowerShell. Because each Domain Controller runs its own ADWS instance, you will need to change this setting on every Domain Controller to avoid hit-or-miss results, or you will need to make sure you always run these types of queries against the same Domain Controller.
On the Domain Controller, open the file C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config.
Below the <appSettings> tag, place this entry (first check whether it is already present):

```xml
<add key="MaxGroupOrMemberEntries" value="25000" />
```
In the above example I have used 25000, but you can adjust it accordingly. Take note that this setting can affect the memory consumption of the ADWS service.
Also note that there is still a 5 minute timeout imposed on all your requests: if the information cannot be retrieved within 5 minutes, the request will fail. Changing from 5,000 to 25,000 I didn't notice any performance impact, but this might vary per environment, so be sure to test this first for your specific situation.
Save the config file and restart the ADWS service on the Domain Controller (the service short name is ADWS):

```
net stop ADWS && net start ADWS
```
Repeat this on all your Domain Controllers.
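As an added example (not code from the original post), here is a PowerShell script that applies the steps above to every Domain Controller in one go: it backs up the config, checks whether the MaxGroupOrMemberEntries key is already present, sets or adds it, and restarts ADWS. It assumes you run it as a Domain Admin from a host with the ActiveDirectory module, that PowerShell Remoting is enabled on the DCs, that the config file already contains an <appSettings> element, and it uses the post's 25000 as the value.

```powershell
# Added example, not from the original post. Assumptions: Domain Admin rights,
# PowerShell Remoting to each DC, and an existing <appSettings> element in the
# ADWS config. The value 25000 is the post's example; adjust it to your needs.
$NewValue   = 25000
$ConfigPath = 'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config'

# Enumerate every DC so the limit is consistent regardless of which DC answers.
$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $ConfigPath, $NewValue -ScriptBlock {
        param($Path, $Value)

        # Keep a backup so the change can be reverted if ADWS memory use grows.
        Copy-Item -Path $Path -Destination "$Path.bak" -Force

        [xml]$xml = Get-Content -Path $Path -Raw
        $appSettings = $xml.configuration.appSettings

        # "First check if it is already present": update in place if so.
        $entry = $appSettings.add | Where-Object { $_.key -eq 'MaxGroupOrMemberEntries' }
        if ($entry) {
            $old = $entry.value
            $entry.value = "$Value"
        } else {
            $old = '(not set, default 5000)'
            $new = $xml.CreateElement('add')
            $new.SetAttribute('key', 'MaxGroupOrMemberEntries')
            $new.SetAttribute('value', "$Value")
            [void]$appSettings.AppendChild($new)
        }
        $xml.Save($Path)

        # Equivalent of "net stop ADWS && net start ADWS".
        Restart-Service -Name ADWS

        '{0}: MaxGroupOrMemberEntries {1} -> {2}' -f $env:COMPUTERNAME, $old, $Value
    }
}
```

Run it from an elevated PowerShell session; each DC reports its old and new value so you can confirm that all Domain Controllers now agree.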