bruce_77
asked on
Count of users in AD groups
Hi Experts
My environment is AD 2003 functional level.
I have a bunch of AD groups (Global security groups, Universal sec groups, DL's etc) that I want to find out the following for;
a) Number of users within that group
b) List of users within that group [nice to have]
An example name of group is $file-london-hr.
I've read some previous posts on EE regarding Quest Powershell, but for some reason if I use the following command to get a count, I get nothing;
Get-QADGroup -Identity "$file-london-hr" | Get-QADGroupMember | measure-object
[Using on a Global Security group]
Does anyone know any straightfoward DSGet commands I can use to get the count, or alternatively know what is wrong with my Powershell command?
Any help would be much appreciated.
My environment is AD 2003 functional level.
I have a bunch of AD groups (Global security groups, Universal sec groups, DL's etc) that I want to find out the following for;
a) Number of users within that group
b) List of users within that group [nice to have]
An example name of group is $file-london-hr.
I've read some previous posts on EE regarding Quest Powershell, but for some reason if I use the following command to get a count, I get nothing;
Get-QADGroup -Identity "$file-london-hr" | Get-QADGroupMember | measure-object
[Using on a Global Security group]
Does anyone know any straightfoward DSGet commands I can use to get the count, or alternatively know what is wrong with my Powershell command?
Any help would be much appreciated.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks
I tried Chris's suggestion in Quest, but get the following error;
Get-QADGroupMember : Cannot resolve DN for the given identity: '--london-hr'
If I try the same command on another group, with a different name (without the $) then it seems to work. From testing, it seems that whenever there is a $ in the group name, I get this error above.
I've checked the DN of the group using ADSIEdit, and it is "$file-london-hr", so I'm guessing Quest doesn't like the $ in the string...any way around this?
I tried Chris's suggestion in Quest, but get the following error;
Get-QADGroupMember : Cannot resolve DN for the given identity: '--london-hr'
If I try the same command on another group, with a different name (without the $) then it seems to work. From testing, it seems that whenever there is a $ in the group name, I get this error above.
I've checked the DN of the group using ADSIEdit, and it is "$file-london-hr", so I'm guessing Quest doesn't like the $ in the string...any way around this?
Yeah, for the reason above. $<Name> indicates it is a variable (as far as PowerShell is concerned), it tries to expand the variable into it's value and then it will execute the command.
For instance, if you had:
$Name = "Domain Admins"
You would get a count of members in that group if you were to run:
(Get-QADGroupMember "$Name").Count
Using the ` to escape the meaning of $, or using single quotes will circumvent that issue.
Chris
ASKER
LOL, sorry - I was writing my last comment when you had just posted yours :)
I tried again using single quotes and it works fine, many thanks Chris - appreciate your help.
Just one point - you mention that Quest may have issues with very large groups (thousands of members). Do you know what the problem is? Is there a specific group size over which this happens and is there any workaround?
The tool itself looks really good...
I tried again using single quotes and it works fine, many thanks Chris - appreciate your help.
Just one point - you mention that Quest may have issues with very large groups (thousands of members). Do you know what the problem is? Is there a specific group size over which this happens and is there any workaround?
The tool itself looks really good...
I haven't tested the lower boundary, but groups of over 5000 members may be difficult.
There's also a problem with legacy group members which is worth considering due to a limitation in large attribute replication. Again, 5000 is the limit for that one, and filed under Linked Value Replication and generally not a problem if a domain was built using Windows 2003 (and that functional level).
And yep, there's a work around. Instead of pulling membership, execute a query for the members.
e.g. This:
Get-QADUser -LdapFilter "(memberOf=CN=thegroup,OU=
Instead of:
Get-QADGroupMember "thegroup"
Or:
(Get-QADGroup "thegroup").members
The results can be measured or counted in the same way as above. I'm sure it'll be fixed in the next release (if that hasn't already happened).
Chris
$file-london-hr
Contains a reserved character, the $ which indicates that it is a variable (despite it being in quotes). You would need to escape that value using `:
(Get-QADGroupMember "`$file-london-hr").Count
After which both .Count and Measure-Object should return correct results.
Alternatively, quote it using a single quote instead of a double quote:
Get-QADGroupMember '$file-london-hr' | Measure-Object
Chris