PowerShell and AD Groups over 5000 Members

I work in a hybrid environment, which means I deal with both Azure AD and on-premises Active Directory. A major hassle for which I have never gotten a good answer that makes any sense is the restriction on groups having more than 5,000 members. I always see “For Windows 2000 Active Directory environments” in the answer. Aren’t we in 2020 with 2019 DCs? Why is this still an issue with the AD database? We have many groups with more than 5,000 members; it’s a fact of life in a larger AD environment unless you want groups named Finance1, Finance2, Finance3, etc. for a group that has 10 to 15k members.

This creates a major issue when you are trying to pull the members of a group for a task with PowerShell. It’s possible, but the code is different from the usual Get-ADGroupMember call and there are way too many different ways to do it. I’ve found one method that I feel does a good job and is not too complicated. It’s a workaround in my mind, but here it is for anyone who needs it for AD on-premises.

<# This script gets members in a group above 5,000 members. Depending on the domain you need to change the -Server parameter to a DC in the domain the users are in #>
$group = 'My Group Name'
$server = 'My ADDS Domain Controller in appropriate domain'
<# This is a one-liner that word wrap splits across lines. Each member DN is piped to Get-ADUser, so members that are not user objects (nested groups, for example) will produce an error rather than a row #>
(Get-ADGroup $group -Properties members -Server $server).members | Get-ADUser -Properties SamAccountName -Server $server | Select-Object SamAccountName | Export-Csv C:\Temp\MyFileName.csv -NoTypeInformation -Append

This basically gets the AD group I specify, requests the members property (a list of distinguished names), and expands that property so each member is passed down the pipeline. It passes that information to Get-ADUser with the property SamAccountName, also on the same domain controller. I pass that through Select-Object to keep just the SamAccountName so I can then export it to a CSV in my “temp” folder. Of course you can specify whatever you want the output to be, DisplayName, etc. In my case I’m just looking for the SamAccountName.

There are many different ways to do this. Please take this as just a helper, something to try, modify, make better. Make it into a function so that it can be placed into a module, whatever you like. It suits me for what I need, but if you really wanted to you could turn $group and $server into Read-Host prompts so you type the information in as you run the script in its simplest form. This is my way of passing it along like a lot of people have done for me. “Be the Master”

1 thought on “PowerShell and AD Groups over 5000 Members”

  1. Sean O

    Groups can contain all sorts of objects (users, groups, computers, Foreign Security Principal, etc) in the members property. Get-ADObject might be something to consider. Also you may want to consider how to handle cross-domain objects.

    Food for thought, why does Get-ADGroupMember error out when a group contains a Fsp?
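As an added example (not the post's own script and not the commenter's code), here is the same idea turned into a function that resolves each member with Get-ADObject instead of Get-ADUser, so nested groups, computers and foreign security principals are reported instead of erroring out, and cross-domain members are looked up against their own domain derived from the DN. It assumes the RSAT ActiveDirectory module is installed and that each member's domain is reachable; the function name, parameter names and output path are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and reachable domains; names and paths are placeholders.
function Get-LargeGroupMember {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Server,     # DC or domain holding the group
        [string] $OutFile = 'C:\Temp\GroupMembers.csv'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Reading the Members attribute directly is what sidesteps the 5,000-object
    # limit that makes Get-ADGroupMember fail on large groups.
    $group = Get-ADGroup -Identity $GroupName -Properties Members -Server $Server

    $rows = foreach ($dn in $group.Members) {
        # Build the member's domain FQDN from the DC= parts of its DN
        # (DC=corp,DC=example,DC=com -> corp.example.com) so cross-domain
        # members are queried in the domain that actually holds them.
        $memberDomain = (($dn -split ',') | Where-Object { $_ -like 'DC=*' } |
            ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
        try {
            # Get-ADObject returns any object class, including
            # foreignSecurityPrincipal entries that Get-ADUser cannot resolve.
            $obj = Get-ADObject -Identity $dn -Server $memberDomain `
                -Properties objectClass, sAMAccountName -ErrorAction Stop
            [pscustomobject]@{
                DistinguishedName = $dn
                ObjectClass       = $obj.objectClass
                SamAccountName    = $obj.sAMAccountName
            }
        } catch {
            # Unreachable domain or deleted object: keep the DN so the audit
            # output stays complete instead of silently dropping the entry.
            [pscustomobject]@{
                DistinguishedName = $dn
                ObjectClass       = 'unresolved'
                SamAccountName    = $null
            }
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    $rows
}

# Usage with placeholder values; the summary shows how many members of each
# object class the group contains, which Get-ADUser alone would hide.
# Get-LargeGroupMember -GroupName 'My Group Name' -Server 'dc01.corp.example.com' |
#     Group-Object ObjectClass | Select-Object Name, Count
```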

