The number of objects that Get-ADGroupMember can return is restricted by a limit in the ADWS (Active Directory Web Services):
MaxGroupOrMemberEntries (default value: 5000)
Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to return more than 5000 results in your environment.
According to this thread you should be able to work around it by querying group objects and expanding their member property (if you can’t increase the limit on the service):
Get-ADGroup $group -Properties Member |
Select-Object -Expand Member |
Get-ADUser -Property Name, DisplayName
Beware, though, that this is likely to be slow, because you’ll be sending thousands of requests. It might be better to build a hashtable of all users:
$users = @{}
Get-ADUser -Filter '*' -Property Name, DisplayName | ForEach-Object {
    $users[$_.DistinguishedName] = $_
}
so that you can look them up by their distinguished name:
Get-ADGroup $group -Properties Member |
Select-Object -Expand Member |
ForEach-Object { $users[$_] }
The Get-ADGroupMember cmdlet is excellent for getting the AD members from a group. However, this time you run the Get-ADGroupMember cmdlet and get the error: Get-ADGroupMember : The size limit for this request was exceeded. Why is this happening, and what is the solution for this error?
We have the AD group SG_Azure_A and would like to get all the members of that group with PowerShell.
Run PowerShell as administrator and run the Get-ADGroupMember cmdlet to get all the members of the group SG_Azure_A.
PS C:\> Get-ADGroupMember -Identity "SG_Azure_A" | Select-Object Name | Sort-Object Name
After we run the above command, the output in PS shows the error:
Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:1
+ Get-ADGroupMember -Identity "SG_Azure_A" | Select-Object Name | Sort- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (SG_Azure_A:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8227,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
Why do we get this error, and what is the solution for Get-ADGroupMember : The size limit for this request was exceeded?
Maximum size limit Get-ADGroupMember is 5000
The maximum number of group members to retrieve is 5000. So if there are more members in the group than the 5000 limit, the error: Get-ADGroupMember : The size limit for this request was exceeded will show up.
Let’s look at the next step on how to resolve this error.
Solutions to Get-ADGroupMember : The size limit for this request was exceeded
There are two solutions for the error Get-ADGroupMember : The size limit for this request was exceeded.
Solution 1: Run Get-ADGroup cmdlet
The Get-ADGroup cmdlet is different than the Get-ADGroupMember cmdlet. The advantage is that there is no limit to getting the group members.
Get the members of the group by distinguished names.
PS C:\> Get-ADGroup 'SG_Azure_A' -Properties Member | Select-Object -ExpandProperty Member | Sort
Get the members of the group by name.
PS C:\> Get-ADGroup "SG_Azure_A" -Properties Member | Select-Object -ExpandProperty Member | Get-ADObject | Select Name | Sort Name
Count the members in the group.
PS C:\> ((Get-ADGroup "SG_Azure_A" -Properties member).member).count
Export the members of the group to CSV file.
In this example, it will export the results to the file exportmembers.csv in the C:\temp directory.
PS C:\> Get-ADGroup "SG_Azure_A" -Properties Member | Select-Object -ExpandProperty Member | Get-ADObject | Select Name | Sort Name | Export-Csv C:\temp\exportmembers.csv -Encoding UTF8 -NoTypeInformation
Copy all the members from the source group to the target group.
PS C:\> Add-ADGroupMember -Identity "SG_Azure_B" -Members (Get-ADGroup "SG_Azure_A" -Properties member).member
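Added example (not from the original article): the member attribute does not list accounts that hold the group only as their primary group, which matters when the listing is used to review who is in a security group. The sketch below uses hypothetical helper names and assumes a single domain; it runs a paged Get-ADObject search instead and escapes the group's distinguished name before placing it in the LDAP filter.

```powershell
# Added example: ConvertTo-LdapFilterValue and Get-LargeGroupMember are hypothetical names.
# Assumes a single domain: members that live in other domains are not returned by this search.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping. The backslash is replaced first so later escapes are not doubled.
    $escaped = $Value.Replace('\', '\5c')
    foreach ($pair in ('*', '\2a'), ('(', '\28'), (')', '\29'), ([string][char]0, '\00')) {
        $escaped = $escaped.Replace($pair[0], $pair[1])
    }
    $escaped
}

function Get-LargeGroupMember {
    param([Parameter(Mandatory)][string]$Identity)

    $group = Get-ADGroup -Identity $Identity
    $dn    = ConvertTo-LdapFilterValue $group.DistinguishedName
    # The RID is the last sub-authority of the group's SID; primaryGroupID stores that RID.
    $rid   = $group.SID.Value.Split('-')[-1]

    # Direct members (memberOf) plus accounts whose primary group is this group.
    $filter = '(|(memberOf={0})(primaryGroupID={1}))' -f $dn, $rid

    # A paged search with no result cap, so MaxGroupOrMemberEntries does not apply.
    Get-ADObject -LDAPFilter $filter -ResultPageSize 1000 -ResultSetSize $null -Properties sAMAccountName |
        Select-Object Name, sAMAccountName, ObjectClass, DistinguishedName
}

# Compare the two views of the same group (group name taken from the article).
$viaAttribute = @((Get-ADGroup 'SG_Azure_A' -Properties member).member)
$viaSearch    = @(Get-LargeGroupMember -Identity 'SG_Azure_A')

# Entries found by the search but absent from the member attribute are primary-group members.
$viaSearch | Where-Object { $_.DistinguishedName -notin $viaAttribute }
```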
Solution 2: Change ADWS configuration parameter
The ADWS (Active Directory Web Services) provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on this server. If the service is stopped or disabled, client applications, such as Active Directory PowerShell, will not be able to access or manage any directory service instances that are running locally on the server.
The parameter that you need to add is MaxGroupOrMemberEntries. Follow the steps below:
1. Sign in to the Domain Controllers.
2. Open the below file with Notepad.
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config
3. Copy the below text and key.
<!--Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization
groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and
Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to
return more than 5000 results in your environment.-->
<add key="MaxGroupOrMemberEntries" value="50000"/>
The MaxGroupOrMemberEntries configuration parameter applies only to the three Active Directory module cmdlets: Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup.
4. Paste the text and key into the config file.
In this example, the value is set to 50000 (this will retrieve 50000 items).
5. Save the config file.
6. Run the command in PowerShell to restart the ADWS service.
PS C:\> Restart-Service -Name ADWS
7. Run the Get-ADGroupMember cmdlet to get the group members or copy members from one AD group to another.
PS C:\> Get-ADGroupMember -Identity "SG_Azure_A" | Select-Object Name | Sort-Object Name
That’s it!
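Added example (not from the original article): because the setting lives in a local file on each domain controller, a DC that was missed keeps the 5000 limit and the same query fails whenever that DC answers. The check below reports the value per DC; Get-AdwsMemberLimit is a hypothetical name, and it assumes the caller can read each DC's C$ admin share and that the key sits under appSettings in the file from step 2.

```powershell
# Added example: Get-AdwsMemberLimit is a hypothetical helper name.
# Assumes read access to \\<dc>\C$ and that the key, when present, is under <appSettings>.
function Get-AdwsMemberLimit {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)

    foreach ($dc in $ComputerName) {
        $path   = '\\{0}\C$\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config' -f $dc
        $value  = $null
        $source = 'Unreadable'
        try {
            [xml]$cfg = Get-Content -LiteralPath $path -Raw -ErrorAction Stop
            $node = $cfg.SelectSingleNode("//appSettings/add[@key='MaxGroupOrMemberEntries']")
            if ($node) {
                $value  = [int]$node.GetAttribute('value')
                $source = 'Explicit'
            } else {
                # Key absent: the service uses the default of 5000 described above.
                $value  = 5000
                $source = 'Default'
            }
        } catch {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DomainController        = $dc
            MaxGroupOrMemberEntries = $value
            Source                  = $source
        }
    }
}

$report = Get-AdwsMemberLimit
$report | Format-Table -AutoSize

# More than one distinct value among readable DCs means the configuration has drifted.
$readable = @($report | Where-Object Source -ne 'Unreadable')
if (@($readable.MaxGroupOrMemberEntries | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'MaxGroupOrMemberEntries differs between domain controllers.'
}
```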
Conclusion
You learned why the error Get-ADGroupMember : The size limit for this request was exceeded appears. The solution to this problem is to use the Get-ADGroup cmdlet instead. Another method is to add the MaxGroupOrMemberEntries parameter in the ADWS config file. After that, you can run the Get-ADGroupMember cmdlet.
Question
Hello,
I run the following commands from the 2.0 Command line on a Domain Controller to list the members of a large group (thousands of members) and to count the number of objects (measure-object):
get-adgroupmember "mygroup"
get-adgroupmember "mygroup" | measure-object
Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:18
+ get-adgroupmember <<<< "mygroup"
+ CategoryInfo : NotSpecified: (mygroup:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : The size limit for this request was exceeded,Microsoft.ActiveDirectory.Management.Comman
ds.GetADGroupMember
What do I need to do to resolve this error? Thanks in advance.
Thanks for your help! SdeDot
Answers
This is due to a limitation in AD Web Services; see:
http://technet.microsoft.com/en-us/library/dd391908%28WS.10%29.aspx
The default limit is 5000. This can be adjusted in a config file, but to keep things consistent you have to update that file on each DC.
Security
Proposed as answer: Monday, September 10, 2012 4:56 PM
Marked as answer by SdeDot: Saturday, April 26, 2014 2:43 AM
Querying members of an AD group with a huge number of users might be tricky.
1. Method for smaller groups
The easiest way of getting the members of a certain Active Directory group is by using the Get-ADGroupMember cmdlet, as the following example shows:
Get-ADGroupMember "VeryLargeGroup"
However, if the number of members exceeds 5000, the command fails.
2. Method for large AD groups (over 5000 members)
If you need to query the members of bigger groups, an easy workaround is querying the member property of the group object returned by the Get-ADGroup cmdlet. This time we try to get the member users of the universal AD security group VeryLargeGroup:
(Get-ADGroup "VeryLargeGroup" -Properties member).member
This returns all the members in an array, but by their distinguished names.
Here we need the names and SamAccountNames of the users, so we amend the query a little bit:
$members = (Get-ADGroup "VeryLargeGroup" -Properties member).member
$members | Foreach-Object {Get-ADUser $_} | Select name, samaccountname
Question
Get-ADGroupMember -identity "Applications" -recursive|
Where-Object {$_.distinguishedName -like "*OU=Apps,OU=Security*" }|
Select Name,SamAccountName |
Sort -Property Name |
Export-csv -path C:\Members.csv -NoTypeInformation
Purpose: I’m attempting to list user accounts who belong to a specific group but only those users from a specified OU.
The script above ran perfectly yesterday when I wrote it, producing exactly what I need. However, when I came into work today, and working in the same session of Powershell, I received the following:
Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:1
I then closed the session and attempted to run this script again but keep receiving the same error. I don’t want to change the ADWS settings to extend the size, is there an alternative or some modification I can do to achieve the same result?
Please advise. Thanks.
Answers
Yes that’s one of the annoying limitations of AD cmdlets, which don’t seem to be very size friendly.
However, I’m able to list all 21,000 members of one of my groups using Get-ADObject:
$searchRoot = 'OU=Apps,OU=Security,DC=CONTOSO,DC=LOCAL'
if ($groupDN = Get-ADGroup -Filter:{ name -eq 'MyGroup' } -ResultSetSize:1 | Select-Object -ExpandProperty 'DistinguishedName')
{
    $ldapFilter = '(&(objectclass=user)(objectcategory=person)(memberof:1.2.840.113556.1.4.1941:={0}))' -f $groupDN
    Get-ADObject -LDAPFilter:$ldapFilter -SearchBase:$searchRoot -ResultSetSize:$null -ResultPageSize:1000 -Properties:@('samAccountName') |
        Select-Object 'Name', 'samAccountName' |
        Sort-Object -Property 'Name' |
        Export-Csv -Path:'C:\Members.csv' -NoTypeInformation
}
This method bypasses the MaxGroupOrMemberEntries limitation.
Marked as answer: Monday, July 29, 2013 4:02 PM