Count of users in AD group

Hey dude :)

Going to push PowerShell on you again :)

(Get-QADGroupMember "The Group").Count

Or just members if you do:

Get-QADGroupMember "The Group"

Chris

Hi Chris!

I'm actually using Powershell!! :)

We seem to have a problematic DL. Powershell is giving me a count of members, I just want to verify its correct by checking with another LDAP querier! :)

Ah ha :-D

DSQuery?

DSQuery group -Name "The Group" | DSGet group -members -expand

Chris

Wow, you are the king of LDAP :)

So this will give me just the count or will it export it out somewhere?

The DSQuery / DSGet command above will just drop a few lines to the console. Redirecting it to a text file will give you an easy place to count (line count if you do View / Status Bar).

DSQuery group -Name "The Group" | DSGet group -members -expand > GroupMembers.txt

There is one other thing that might be worth mentioning.

Universal Distribution Groups will not list all of their membership when you query the a standard Domain Controller. Instead you have to direct the query at a Global Catalog.

Might not be your issue, but I'm off home now so I figured it was worth mentioning ;)

In PowerShell that's:

(Get-QADGroupMember "The Group" -UseGlobalCatalog).Count

It's a bit more difficult with DSQuery, but something like this would do it:

DSQuery * ForestRoot -GC -Filter "(memberOf=CN=The Group,OU=somewhere,DC=kam,DC=uk)"

Where ForestRoot is actually an option in DSQuery rather than something you have to change. However, it does need the full DN of the group or it won't find anything.

Chris

don't forget about adfind :)

http://www.joeware.net/freetools/tools/adfind/index.htm 
adfind -sc g:GROUPNAME member > c:\member.txt
You could import file into excel.  
Thanks
Mike

I did have one more thought while I was on the train...

If you have a large group and you're trying to get the membership you might be bumping into a few more of the more obscure issues. How big is the group? Where big is typically more than 1500 members.

Chris

Hi

The group is about 5000 odd?

How inaccurate is the count you're getting?

I'll make a few thousand users on my domain here and see if I can see any discrepancies.

Chris

Well, the other LDAP tools I tried are returning the exact value - PS is giving me about 3500.

I see from their support forum that this maybe a bug in the current version :(

There's probably a way around it...

Search for the members instead of counting them on the attribute. It's a bit more hard work, but still possible.

For example:

(Get-QADUser -LdapFilter "(memberOf=$((Get-QADGroup 'The Group').DN))").Count

Note the use of single quotes in the middle there, it'll get upset if we don't use those.

Although it doesn't help us much if there's a bug... mine has just created 3900 users, 1100 to go, I'll verify it in a moment :)

Chris

Lots of fun... So in mine...

Get-QADGroupMember "TheGroup" -SizeLimit 20000

Returns a maximum of 1000, and ignores any attempt to raise the limit over 1000.

(Get-QADGroup "TheGroup").Member.Count

Doesn't return anything at all (for large groups).

Fortunately this one does work:

(Get-QADUser -SizeLimit 20000 -LdapFilter "(&(objectCategory=person)(memberOf=$((Get-QADGroup 'TheGroup').DN)))").Count

If a little slowly... the trouble with broadly scoped searches on large domains...

DSQuery also works as follows:

(dsquery group -name "TheGroup" | dsget group -members -expand).Count

Although you have to do a -1 there because it's a bit of a rough way, relying on an implicit conversion of the returned lines to an array.

In summary, we need Dimitry to fix Quest's components. MS's cmdlets aren't going to be around for quite a long time and any of the simpler methods (vbscript, System.DirectoryServices) are flawed for large groups except using the same LDAP search as above.

Ho hum...

Chris

good post chris!!

Thanks Chris!

For Quest, I try the following command;

(get-qaduser -sizelimit 20000 -ldapfilter "(&(objectcategory=person)(memberOf=$((get-qadgroup 'Group 1').DN)))").count

But I get this error?

Get-QADUser : The (&(&(objectcategory=person)(memberOf=))(objectClass=*)(objectClass=user)) search filter is invalid.
At line:1 char:13
+ (get-qaduser  <<<< -sizelimit 20000 -ldapfilter "(&(objectcategory=person)(memberOf=$((get-qadgroup 'Group 1').DN))
)").count

And DS query;

(dsquery group -name "Group 1" | dsget group -members -expand).count

.count was unexpected at this time.

Do I need to enter the Distinguished name when using DSget?

Sorry to be a pain :(

<cough>Legacy Groups</cough>

@Chris,

You are correct. Legacy groups are groups with some or all members that are not LVR'd. Once the functionality level is upped only new members are LVR'd.

You can use this to check
http://bsonposh.com/archives/530

I have seen this cause issues with scripts... just something to look at.

Hmm I did have a look at that last night when you posted.

The group I'd created, and all associated users, were created in a 2008 Native Mode domain. I ran ADFind against it with the flag in that for reporting on those and it seemed quite happy with the group.

Might have another go tonight, it's possible my Vista installation was unhappy with the Quest tools :)

Chris

understand... this can only act qwerky if you were in a domain in pre 2003 mode

Your mentioning it made me read up on the limits a bit (which was interesting) so I can appreciate the point and why it might be pertinent here :)

It might be worth testing that for the group in the original question anyway considering it's size.

Chris

Many thanks - really appreciate your help ;)

I require some assistance to convert legacy groups to LVR groups. I am using a powershell command but when i run this script a message displays
"dsmod failed:"group name": directory object not found

but when i execute the simple command within CMD the group converts without issues

any assistance is greatly appriciated

Probably failing to correctly parse part of the command. Can you paste exactly what you're typing here?

Chris