If you try to get the members of a large group using Get-ADGroupMember, you will run into the error below.
Get-ADGroupMember : The size limit for this request was exceeded
The full error message is shown below.
Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:1
+ Get-ADGroupMember -Identity "Group_Name" | Select-Object Name
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (SG_Azure_A:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8227,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
Reason For The Error
Active Directory Web Services (ADWS) limits the number of objects that Get-ADGroupMember can return. The limit is 5,000 unless a different value is set in the ADWS config file.
Hence, if you try to get the members of a group that has more than 5,000 objects in it, the limit is exceeded and PowerShell returns an error stating that the size limit for the request was exceeded.
Ways To Fix The Error
There are two ways to fix the error. The first is to edit the config file that imposes the 5,000 limit, and the second is to get the membership information in a different way.
Solution 1 – Edit The Config File
To edit the config file, log in to the domain controller that the command runs against. If you are running the command from a different machine and have a number of domain controllers in the same AD site, you need to use the ‘Server’ parameter with the command so that it targets the domain controller you edited (unless you edit the config file on all domain controllers).
Navigate to C:\Windows\ADWS & open the Microsoft.ActiveDirectory.WebServices.exe.config file using Notepad.
Add the block below to the file, with the value of your choice.
<!--Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to return more than 5000 results in your environment.-->
<add key="MaxGroupOrMemberEntries" value="50000"/>
Save the file and restart the Active Directory Web Services service.
Get-ADGroupMember will now work fine.
I have a group named “UK Team” that has 6,000 members in it & the command works fine.
Solution 2 – Use Get-ADGroup
If you don’t want to edit the config file, then you can use Get-ADGroup (which does not have any limit) to get the same result.
Run the command below to get the group members using Get-ADGroup.
Get-ADGroup "UK Team" -Properties Member | select -ExpandProperty member
Expand the command to include the properties you are interested in as below.
Get-ADGroup "UK Team" -Properties Member | select -ExpandProperty member | Get-ADObject | Select Name
Another variation to get more output about the members is given below.
(Get-ADGroup "UK Team" -Properties Member).Member | Get-ADUser | select name, userprincipalname, enabled, samaccountname
You can export the information to a CSV file by further expanding the command.
(Get-ADGroup "UK Team" -Properties Member).Member | Get-ADUser | select name, userprincipalname, enabled, samaccountname | export-csv .\GroupMembers.csv -NoTypeInformation
Run the command below if you want to count the number of members in the group.
((Get-ADGroup "UK Team" -Properties Member).Member).Count
You can use the command below to get the count if it is a very large group, as it takes less time.
@(Get-ADGroup "UK Team" -Properties Member | Select-Object -ExpandProperty Member).count
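The following is an added example, not code from the original post. It builds on the Get-ADGroup approach above for a membership review of a large group that may contain groups, computers or contacts as well as users. The function name Get-LargeGroupMember is hypothetical, and the example assumes the ActiveDirectory module is installed and reuses the post's "UK Team" group.

```powershell
#Requires -Modules ActiveDirectory

function Get-LargeGroupMember {   # hypothetical helper name, not from the post
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Server   # optional: pin every query to one domain controller
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # The Member attribute holds direct members only: nested groups are listed
    # but not expanded, and accounts that have this group as their primary
    # group do not appear in it.
    $group = Get-ADGroup -Identity $Identity -Properties Member @common

    foreach ($dn in $group.Member) {
        try {
            # Get-ADObject resolves any object class, so groups, computers and
            # contacts in the list do not fail the way they would in Get-ADUser.
            $o = Get-ADObject -Identity $dn -Properties sAMAccountName, userAccountControl @common -ErrorAction Stop
            $uac = $o.userAccountControl
            [pscustomobject]@{
                Name              = $o.Name
                SamAccountName    = $o.sAMAccountName
                ObjectClass       = $o.ObjectClass
                # Bit 0x2 (ACCOUNTDISABLE) set means disabled; objects without the attribute get $null.
                Enabled           = if ($null -ne $uac) { -not ($uac -band 2) } else { $null }
                DistinguishedName = $dn
            }
        }
        catch {
            # A member that cannot be resolved on this server (for example one from
            # another domain) is still reported, so nothing is silently dropped.
            [pscustomobject]@{ Name = $null; SamAccountName = $null; ObjectClass = 'unresolved'; Enabled = $null; DistinguishedName = $dn }
        }
    }
}

# Summarise the membership by object class, then export the full list.
$members = @(Get-LargeGroupMember -Identity 'UK Team')
$members | Group-Object ObjectClass | Select-Object Name, Count
$members | Export-Csv .\GroupMembers.csv -NoTypeInformation
```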
Please let me know if you have any questions in the comments section.