Count of users in AD groups

Hi Experts

My environment is AD 2003 functional level.

I have a bunch of AD groups (Global security groups, Universal sec groups, DL's etc) that I want to find out the following for;

a) Number of users within that group
b) List of users within that group [nice to have]

An example name of group is $file-london-hr.

I've read some previous posts on EE regarding Quest Powershell, but for some reason if I use the following command to get a count, I get nothing;

Get-QADGroup -Identity "$file-london-hr" | Get-QADGroupMember | measure-object

[Using on a Global Security group]

Does anyone know any straightfoward DSGet commands I can use to get the count, or alternatively know what is wrong with my Powershell command?

Any help would be much appreciated.
LVL 2
bruce_77Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
Chris DentPowerShell DeveloperCommented:

Hi :)

This is all you really need:

(Get-QADGroupMember "$file-london-hr").Count

Although do be aware that you may experience problems with that for very very large groups (thousands of members).

Chris
0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
 
bluntTonyHead of ICTCommented:
To list the members, you can use DSGET:
dsget group "<DN of group>" -members
To count the objects in a group, I'm sure there's many other ways, but you could use the below VBScript. Save as vbs and call via cscript from command prompt, e.g.
cscript countobjects.vbs /dn:"<DN OF GROUP>"
If you need to differentiate between different object types (contact/users etc,) - see here : http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept07/hey0919.mspx

groupDN = WScript.Arguments.Named("dn")
Set objGroup = GetObject("LDAP://"&groupDN)
i = 0
For Each strUser in objGroup.Member
    i = i + 1
Next
Wscript.Echo "Total members in the group: " & i

Open in new window

0
 
Chris DentPowerShell DeveloperCommented:
Hmm actually, I think you might be running into a slightly more complex issue. The group name you're using:

$file-london-hr

Contains a reserved character, the $ which indicates that it is a variable (despite it being in quotes). You would need to escape that value using `:

(Get-QADGroupMember "`$file-london-hr").Count

After which both .Count and Measure-Object should return correct results.

Alternatively, quote it using a single quote instead of a double quote:

Get-QADGroupMember '$file-london-hr' | Measure-Object

Chris
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
bruce_77Author Commented:
Thanks

I tried Chris's suggestion in Quest, but get the following error;

Get-QADGroupMember : Cannot resolve DN for the given identity: '--london-hr'

If I try the same command on another group, with a different name (without the $) then it seems to work. From testing, it seems that whenever there is a $ in the group name, I get this error above.

I've checked the DN of the group using ADSIEdit, and it is "$file-london-hr", so I'm guessing Quest doesn't like the $ in the string...any way around this?
0
 
Chris DentPowerShell DeveloperCommented:

Yeah, for the reason above. $<Name> indicates it is a variable (as far as PowerShell is concerned), it tries to expand the variable into it's value and then it will execute the command.

For instance, if you had:

$Name = "Domain Admins"

You would get a count of members in that group if you were to run:

(Get-QADGroupMember "$Name").Count

Using the ` to escape the meaning of $, or using single quotes will circumvent that issue.

Chris
0
 
bruce_77Author Commented:
LOL, sorry - I was writing my last comment when you had just posted yours :)

I tried again using single quotes and it works fine, many thanks Chris - appreciate your help.

Just one point - you mention that Quest may have issues with very large groups (thousands of members). Do you know what the problem is? Is there a specific group size over which this happens and is there any workaround?

The tool itself looks really good...
0
 
Chris DentPowerShell DeveloperCommented:

I haven't tested the lower boundary, but groups of over 5000 members may be difficult.

There's also a problem with legacy group members which is worth considering due to a limitation in large attribute replication. Again, 5000 is the limit for that one, and filed under Linked Value Replication and generally not a problem if a domain was built using Windows 2003 (and that functional level).

And yep, there's a work around. Instead of pulling membership, execute a query for the members.

e.g. This:

Get-QADUser -LdapFilter "(memberOf=CN=thegroup,OU=somewhere,DC=domain,DC=com)"

Instead of:

Get-QADGroupMember "thegroup"

Or:

(Get-QADGroup "thegroup").members

The results can be measured or counted in the same way as above. I'm sure it'll be fixed in the next release (if that hasn't already happened).

Chris
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.