In this guide, I’ll show you how to get members from large Active Directory groups using PowerShell.
By default, the Get-ADGroupMember cmdlet has a limit of 5,000 members. If the group has more than 5,000 members, you will get the error below.
“Get-ADGroupMember: The size limit for this request was exceeded”.
Reason for the Size Limit Error
The Get-ADGroupMember limit comes from Active Directory Web Services (ADWS), which has a default limit of 5,000 objects for this request. You can modify a config file to change the 5,000 limit, but doing so requires restarting the Active Directory Web Services service on the domain controller. Below I’ll show you a few different options to work around the large group limitation.
Solution 1 – Use the Get-ADGroup cmdlet
You can use the Get-ADGroup cmdlet to list group members by reading the group’s Member attribute; this path does not have the 5,000 object limit.
In the example below, I’m getting the members of the group “all_users”. This group has 7,000+ members.
Get-ADGroup "all_users" -Properties Member | select -ExpandProperty member
To get the count of members in the group use this command.
((Get-ADGroup "all_users" -Properties Member).Member).Count
To get the group members and include user properties, pipe the member list to the Get-ADUser cmdlet.
(Get-ADGroup "all_users" -Properties Member).Member | Get-ADUser | select name, userprincipalname, enabled, givenname, surname
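The three commands above return the direct members of one group as distinguished names, and the Get-ADUser pipe will throw for any member that is not a user (a nested group, a computer, a contact). The function below is an added example, not code from the original post: it lists the members of a large group with a paged LDAP search on the memberOf back-link, which is not subject to the ADWS member limit either, reports every object class without erroring, and can optionally walk nested groups. It assumes the ActiveDirectory module is loaded; the group name all_users is the post’s sample name and the helper names are my own.

```powershell
# Added example (not from the original post). Lists members of a large group with a paged
# LDAP search on memberOf instead of Get-ADGroupMember, and optionally expands nested groups.
# Assumes the ActiveDirectory module; the group name "all_users" is a constructed sample.
Import-Module ActiveDirectory

# Escape a DN so it can be embedded safely inside an LDAP filter (RFC 4515 rules).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-LargeGroupMember {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$Recursive
    )
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue((Get-ADGroup -Identity $Identity).DistinguishedName)

    while ($queue.Count -gt 0) {
        $groupDn = $queue.Dequeue()
        if (-not $seen.Add("group:$groupDn")) { continue }   # guard against nesting cycles
        $filter = "(memberOf=$(ConvertTo-LdapFilterValue $groupDn))"
        # A paged search is not subject to MaxGroupOrMemberEntries, so 7,000+ results are fine.
        Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, userPrincipalName, userAccountControl |
            ForEach-Object {
                if ($Recursive -and $_.ObjectClass -eq 'group') { $queue.Enqueue($_.DistinguishedName) }
                if (-not $seen.Add("member:$($_.DistinguishedName)")) { return }  # skip duplicates
                # userAccountControl bit 2 is ACCOUNTDISABLE; non-user objects have no UAC value.
                $enabled = $null
                if ($null -ne $_.userAccountControl) { $enabled = -not ($_.userAccountControl -band 2) }
                [pscustomobject]@{
                    Name              = $_.Name
                    SamAccountName    = $_.sAMAccountName
                    ObjectClass       = $_.ObjectClass
                    UserPrincipalName = $_.userPrincipalName
                    Enabled           = $enabled
                    MemberOf          = $groupDn
                }
            }
    }
}

# Direct members with user details, no 5,000 cap:
Get-LargeGroupMember -Identity 'all_users' | Where-Object ObjectClass -eq 'user' |
    Select-Object Name, SamAccountName, UserPrincipalName, Enabled

# Everything reachable through nested groups, counted:
(Get-LargeGroupMember -Identity 'all_users' -Recursive | Measure-Object).Count
```

Two caveats apply to both this function and the Get-ADGroup approach above: neither returns accounts that belong to the group only through their primaryGroupID (for example most users in Domain Users), which Get-ADGroupMember does include, and the memberOf search only sees objects in the domain you are querying.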
Solution 2 – Use the AD Pro Toolkit
The AD Pro Toolkit makes it easy to list the members of large groups, and it does not have size limitations. You can run the report on a single group, multiple groups or the entire domain.
Step 1. Open the Toolkit
The AD Pro Toolkit includes hundreds of AD Reports and multiple tools. You can try it for free by downloading a free trial.
Step 2. Click on Reports > Group Members Reports
Click on the Group Members report, then click Browse to select an OU or click Search to select a single group. You can also click Run to run the report for the entire domain.
You can customize the report by clicking on Columns and then adding or removing the columns that you need. You can also export the report by clicking the Export button.
Solution 3 – Edit the ADWS (Active Directory Web Services) Config File
Step 1. Sign in to your Domain Controller
Step 2. Open the Web Service Config File
Using Notepad, open the following file:
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config
Step 3. Copy the text below.
<!--Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to return more than 5000 results in your environment.-->
<add key="MaxGroupOrMemberEntries" value="10000"/>
The above will change the group member limit to 10,000. You can change this to a higher number if needed.
Paste the text into the config file, inside the <appSettings> section.
Save the file and restart the Active Directory Web Services service.
You can restart the service with the command below.
Restart-Service -Name ADWS
Step 4. Test the Get-ADGroupMember cmdlet
You should now be able to query groups larger than 5,000 objects. You can see below that the Get-ADGroupMember cmdlet now works with groups bigger than 5,000.
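Steps 1 to 4 edit a configuration file on a domain controller by hand. The script below is an added example, not code from the original post, that does the same change in a way that is easier to audit and roll back: it keeps a timestamped backup, edits the XML rather than pasting text, avoids creating a second conflicting MaxGroupOrMemberEntries entry if one already exists, restarts ADWS, and then compares the two member counts. It assumes the config file uses the standard <configuration><appSettings> layout, that it is run in an elevated PowerShell session on the DC, and that all_users (the post’s sample group) exists; the function name is my own.

```powershell
# Added example (not from the original post): set MaxGroupOrMemberEntries in the ADWS config on a
# domain controller with a backup and a post-change check. Run in an elevated session on the DC.
# Assumes the config file uses the standard <configuration><appSettings> layout.
$configPath = 'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config'
$newLimit   = 10000       # value from the post; raise only as far as your largest group needs
$testGroup  = 'all_users' # constructed sample group name

function Set-AdwsMemberLimit {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Limit
    )
    # Keep a timestamped copy so the change can be rolled back.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $backup -ErrorAction Stop

    [xml]$xml = Get-Content -Path $Path -Raw
    $appSettings = $xml.configuration.appSettings
    if (-not $appSettings) {
        $appSettings = $xml.configuration.AppendChild($xml.CreateElement('appSettings'))
    }
    # Edit the existing <add key="MaxGroupOrMemberEntries"> if present, otherwise create it,
    # so the file never ends up with two conflicting entries. Commented-out samples are ignored.
    $entry = $appSettings.SelectSingleNode("add[@key='MaxGroupOrMemberEntries']")
    if (-not $entry) {
        $entry = $appSettings.AppendChild($xml.CreateElement('add'))
        $entry.SetAttribute('key', 'MaxGroupOrMemberEntries')
    }
    $entry.SetAttribute('value', [string]$Limit)
    $xml.Save($Path)
    return $backup
}

$backupFile = Set-AdwsMemberLimit -Path $configPath -Limit $newLimit
Write-Host "Backup written to $backupFile"

# ADWS reads the file only at startup, so the service has to restart for the new limit to apply.
Restart-Service -Name ADWS -ErrorAction Stop
(Get-Service -Name ADWS).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Verify: Get-ADGroupMember should now return the whole group instead of the size-limit error.
# It also includes primaryGroupID members, so its count may be slightly larger than the
# Member attribute count from Get-ADGroup.
$viaGroup  = ((Get-ADGroup -Identity $testGroup -Properties Member).Member).Count
$viaMember = (Get-ADGroupMember -Identity $testGroup | Measure-Object).Count
"Member attribute: $viaGroup  Get-ADGroupMember: $viaMember"
```

The setting is per domain controller: ADWS on each DC reads its own config file, so apply the change on every DC your scripts may connect to, or pin the cmdlets to the changed DC with -Server. Restarting ADWS also briefly interrupts any Active Directory PowerShell or Administrative Center session that is using that DC, so schedule it accordingly.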
Conclusion
In this article, I showed you three different solutions for dealing with the Get-ADGroupMember size limit of 5,000 objects. You can use the Get-ADGroup cmdlet, modify the MaxGroupOrMemberEntries parameter in the ADWS config file, or use a third-party tool such as the AD Pro Toolkit. The one drawback to modifying the ADWS config file is that you need to restart the ADWS service.
You might also like: Copy AD Group Membership from one user to another.