Get Members of Large AD Groups (5,000+)

by Robert Allen

In this guide, I’ll show you how to get members from large Active Directory groups using PowerShell.

By default, the Get-ADGroupMember cmdlet has a limit of 5,000 members. If the group has more than 5,000 members, you will get the error below.

“Get-ADGroupMember: The size limit for this request was exceeded”.


Reason for the size limit error

The Get-ADGroupMember limit is imposed by Active Directory Web Services (ADWS), which has a default limit of 5,000 objects. You can modify a config file to change the 5,000 limit, but doing so requires restarting the Active Directory Web Services service. Below I’ll show you a few different options to work around the large group limitation.

Solution 1 – Use the Get-ADGroup cmdlet

You can use the Get-ADGroup cmdlet to list group members and it does not have the 5,000 object limit.

In the example below, I’m getting the members of the group “all_users”. This group has 7,000+ members.

Get-ADGroup "all_users" -Properties Member | select -ExpandProperty member

To get the count of members in the group use this command.

((Get-ADGroup "all_users" -Properties Member).Member).Count

To get the group members and include user properties, pipe the member distinguished names to the Get-ADUser cmdlet.

(Get-ADGroup "all_users" -Properties Member).Member | Get-ADUser | select name, userprincipalname, enabled, givenname, surname
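The following function is an added example and is not code from the original article. It builds on Solution 1 but goes a step further: instead of piping every member DN into Get-ADUser one call at a time, it resolves the direct members of each group with a single paged memberOf search (ADWS pages search results, so the 5,000-object limit on Get-ADGroupMember does not apply), and the optional -Recursive switch walks nested groups with a cycle guard. It assumes the ActiveDirectory module is installed and that the caller supplies the group name; like the Member attribute, a memberOf search does not return accounts whose primary group (primaryGroupID) is the group being queried.

```powershell
# Added example (not from the original article): list the members of a large AD group
# without hitting the 5,000-object ADWS limit on Get-ADGroupMember.
# Assumes the ActiveDirectory module; $Identity is any value Get-ADGroup accepts.
function Get-LargeGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$Recursive
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Escape the characters that are special inside an LDAP filter value (RFC 4515),
    # so a group DN containing ( ) * or \ cannot break or widen the filter.
    function ConvertTo-LdapFilterValue([string]$Value) {
        $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
               -replace '\)', '\29' -replace "`0", '\00'
    }

    $seen    = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $queue   = [System.Collections.Generic.Queue[string]]::new()
    $results = [System.Collections.Generic.List[object]]::new()
    $queue.Enqueue((Get-ADGroup -Identity $Identity).DistinguishedName)

    while ($queue.Count -gt 0) {
        $groupDn = $queue.Dequeue()
        if (-not $seen.Add($groupDn)) { continue }      # already expanded: nested-group cycle guard

        # One paged search returns every direct member of this group, whatever its size.
        $filter = "(memberOf=$(ConvertTo-LdapFilterValue $groupDn))"
        foreach ($obj in Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, objectClass, userAccountControl) {
            if ($obj.ObjectClass -eq 'group') {
                if ($Recursive) { $queue.Enqueue($obj.DistinguishedName) } else { $results.Add($obj) }
            }
            elseif ($seen.Add($obj.DistinguishedName)) {  # de-duplicate members reached via several paths
                $results.Add($obj)
            }
        }
    }
    $results
}

# Example usage: members of the 7,000+ member group from the article, nested groups expanded.
Get-LargeGroupMember -Identity 'all_users' -Recursive |
    Select-Object sAMAccountName, ObjectClass, DistinguishedName
```

Pipe the output to Measure-Object to get the member count, or to Export-Csv to keep a record of the membership for review.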

Solution 2 – Use the AD Pro Toolkit

The AD Pro Toolkit makes it easy to list the members of large groups, and it does not have size limitations. You can run the report on a single group, multiple groups, or the entire domain.

Step 1. Open the Toolkit

The AD Pro Toolkit includes hundreds of AD Reports and multiple tools. You can try it for free by downloading a free trial.


Step 2. Click on Reports > Group Members Reports

Click on the Group Members report, then click Browse to select an OU or click Search to select a single group. You can also click Run to run the report for the entire domain.


You can customize the report by clicking on Columns and then adding or removing the columns that you need. You can also export the report by clicking the Export button.


Solution 3 – Edit the ADWS (Active Directory Web Services) Config File

Step 1. Sign in to your Domain Controller

Step 2. Open the Web Service Config File

Using Notepad, open the following file:

C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config


Step 3. Copy the below text.

<!--Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to return more than 5000 results in your environment.-->

<add key="MaxGroupOrMemberEntries" value="10000"/>

The above will change the group member limit to 10,000. You can change this to a higher number if needed.

Paste the text into the config file.


Save the file and restart the Active Directory Web Services service.

You can restart the service with the command below.

Restart-Service -Name ADWS

Step 4. Test the Get-ADGroupMember cmdlet

You should now be able to query groups larger than 5,000 objects. You can see below that the Get-ADGroupMember cmdlet now works with groups bigger than 5,000 members.


Conclusion

In this article, I showed you three different solutions for dealing with the Get-ADGroupMember size limit of 5,000 objects. You can use the Get-ADGroup cmdlet, modify the MaxGroupOrMemberEntries parameter in the ADWS config file, or use a third-party tool such as the AD Pro Toolkit. The one drawback to modifying the ADWS config file is that you need to restart the ADWS service.

You might also like copy AD Group Membership from one user to another.
