Solved

Count of users in AD groups

Posted on 2009-04-01
Last Modified: 2013-12-24
Hi Experts

My environment is AD 2003 functional level.

I have a bunch of AD groups (Global security groups, Universal sec groups, DL's etc) that I want to find out the following for;

a) Number of users within that group
b) List of users within that group [nice to have]

An example name of group is $file-london-hr.

I've read some previous posts on EE regarding Quest Powershell, but for some reason if I use the following command to get a count, I get nothing;

Get-QADGroup -Identity "$file-london-hr" | Get-QADGroupMember | measure-object

[Using on a Global Security group]

Does anyone know any straightforward DSGet commands I can use to get the count, or alternatively know what is wrong with my Powershell command?

Any help would be much appreciated.
0
Question by:bruce_77
7 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1600 total points
ID: 24037972

Hi :)

This is all you really need:

(Get-QADGroupMember "$file-london-hr").Count

Although do be aware that you may experience problems with that for very very large groups (thousands of members).

Chris
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 400 total points
ID: 24037989
To list the members, you can use DSGET:
dsget group "<DN of group>" -members
To count the objects in a group, I'm sure there are many other ways, but you could use the below VBScript. Save as vbs and call via cscript from command prompt, e.g.
cscript countobjects.vbs /dn:"<DN OF GROUP>"
If you need to differentiate between different object types (contacts/users etc.) - see here: http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept07/hey0919.mspx

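' Count the members of the group whose DN is passed as /dn:"..."
groupDN = WScript.Arguments.Named("dn")
Set objGroup = GetObject("LDAP://" & groupDN)
i = 0
' Members returns a collection even when the group has zero or one member,
' cases where enumerating the raw Member attribute fails
For Each objMember In objGroup.Members
    i = i + 1
Next
WScript.Echo "Total members in the group: " & i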


0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24038063
Hmm actually, I think you might be running into a slightly more complex issue. The group name you're using:

$file-london-hr

Contains a reserved character, the $ which indicates that it is a variable (despite it being in quotes). You would need to escape that value using `:

(Get-QADGroupMember "`$file-london-hr").Count

After which both .Count and Measure-Object should return correct results.

Alternatively, quote it using a single quote instead of a double quote:

Get-QADGroupMember '$file-london-hr' | Measure-Object

Chris
0

 
LVL 2

Author Comment

by:bruce_77
ID: 24038070
Thanks

I tried Chris's suggestion in Quest, but get the following error;

Get-QADGroupMember : Cannot resolve DN for the given identity: '--london-hr'

If I try the same command on another group, with a different name (without the $) then it seems to work. From testing, it seems that whenever there is a $ in the group name, I get this error above.

I've checked the DN of the group using ADSIEdit, and it is "$file-london-hr", so I'm guessing Quest doesn't like the $ in the string...any way around this?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24038096

Yeah, for the reason above. $<Name> indicates it is a variable (as far as PowerShell is concerned), it tries to expand the variable into its value and then it will execute the command.

For instance, if you had:

$Name = "Domain Admins"

You would get a count of members in that group if you were to run:

(Get-QADGroupMember "$Name").Count

Using the ` to escape the meaning of $, or using single quotes will circumvent that issue.

Chris
0
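The quoting behaviour described in the two comments above (double quotes, backtick, single quotes), as an added example that is not part of the original thread. It runs without the Quest snap-in; the second group name in the sample list is constructed, and `Show-Form` is a hypothetical helper.

```powershell
# Added example. Nothing here contacts Active Directory.
Set-StrictMode -Off
Remove-Variable -Name file -ErrorAction SilentlyContinue   # ensure $file is undefined

# Hypothetical helper: shows the string a cmdlet would actually receive.
function Show-Form([string]$Form, [string]$Value) {
    New-Object psobject -Property @{ Form = $Form; Value = $Value; Length = $Value.Length }
}

# 1. The three quoting forms discussed in the thread.
Show-Form 'double-quoted' "$file-london-hr"     # $file is expanded (here: to nothing)
Show-Form 'backtick'      "`$file-london-hr"    # ` makes the $ literal
Show-Form 'single-quoted' '$file-london-hr'     # no expansion at all

# 2. Strict mode 2.0 or later turns the silent expansion into an error,
#    so a mistyped literal fails loudly instead of querying the wrong name.
Set-StrictMode -Version 2.0
try {
    $null = "$file-london-hr"
    'no error raised'
} catch {
    "StrictMode: $($_.Exception.Message)"
}
Set-StrictMode -Off

# 3. Names that arrive as data are never expanded; only literals in script
#    source are parsed. Constructed sample list in a single-quoted here-string.
$groupList = @'
$file-london-hr
$file-paris-hr
'@
foreach ($name in ($groupList -split "`r?`n")) {
    Show-Form 'from data' $name
    # With the Quest snap-in loaded, this is where the count would be taken:
    # (Get-QADGroupMember $name).Count
}
```

In a membership audit script, enabling strict mode at the top is a cheap guard against a group literal silently resolving to a different identity string.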
 
LVL 2

Author Comment

by:bruce_77
ID: 24038109
LOL, sorry - I was writing my last comment when you had just posted yours :)

I tried again using single quotes and it works fine, many thanks Chris - appreciate your help.

Just one point - you mention that Quest may have issues with very large groups (thousands of members). Do you know what the problem is? Is there a specific group size over which this happens and is there any workaround?

The tool itself looks really good...
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24038173

I haven't tested the lower boundary, but groups of over 5000 members may be difficult.

There's also a problem with legacy group members which is worth considering due to a limitation in large attribute replication. Again, 5000 is the limit for that one, and filed under Linked Value Replication and generally not a problem if a domain was built using Windows 2003 (and that functional level).

And yep, there's a workaround. Instead of pulling membership, execute a query for the members.

e.g. This:

Get-QADUser -LdapFilter "(memberOf=CN=thegroup,OU=somewhere,DC=domain,DC=com)"

Instead of:

Get-QADGroupMember "thegroup"

Or:

(Get-QADGroup "thegroup").members

The results can be measured or counted in the same way as above. I'm sure it'll be fixed in the next release (if that hasn't already happened).

Chris
0
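The member query suggested above, as an added example that is not part of the original thread. It swaps the Quest cmdlet for the .NET `DirectorySearcher` (via the `[adsisearcher]` accelerator) with paging, and escapes the group DN before placing it in the filter. The function names are hypothetical, the first DN is the placeholder from the thread and the second is constructed.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515: \ * ( ) and NUL must appear in a filter as \XX hex escapes.
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Get-MemberOfFilter([string]$GroupDN) {
    # Direct user members only. memberOf does not cover nested groups or
    # accounts that hold the group as their primary group.
    '(&(objectCategory=person)(objectClass=user)(memberOf={0}))' -f (ConvertTo-LdapFilterValue $GroupDN)
}

function Get-DirectMemberCount([string]$GroupDN) {
    $searcher = [adsisearcher](Get-MemberOfFilter $GroupDN)
    $searcher.PageSize = 1000      # paged search, so large result sets are not cut off
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    try { $results.Count } finally { $results.Dispose() }
}

# Offline check of the filter text: the thread's placeholder DN, then a
# constructed DN containing characters that need escaping.
Get-MemberOfFilter 'CN=thegroup,OU=somewhere,DC=domain,DC=com'
Get-MemberOfFilter 'CN=HR (London)*,OU=somewhere,DC=domain,DC=com'

# On a domain-joined host:
# Get-DirectMemberCount 'CN=thegroup,OU=somewhere,DC=domain,DC=com'
```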

Question has a verified solution.
