Count of users in AD groups

Hi Experts

My environment is AD 2003 functional level.

I have a bunch of AD groups (Global security groups, Universal sec groups, DL's etc) that I want to find out the following for;

a) Number of users within that group
b) List of users within that group [nice to have]

An example name of group is $file-london-hr.

I've read some previous posts on EE regarding Quest Powershell, but for some reason if I use the following command to get a count, I get nothing;

Get-QADGroup -Identity "$file-london-hr" | Get-QADGroupMember | measure-object

[Using on a Global Security group]

Does anyone know any straightfoward DSGet commands I can use to get the count, or alternatively know what is wrong with my Powershell command?

Any help would be much appreciated.
Who is Participating?
Chris DentConnect With a Mentor PowerShell DeveloperCommented:

Hi :)

This is all you really need:

(Get-QADGroupMember "$file-london-hr").Count

Although do be aware that you may experience problems with that for very very large groups (thousands of members).

bluntTonyConnect With a Mentor Commented:
To list the members, you can use DSGET:
dsget group "<DN of group>" -members
To count the objects in a group, I'm sure there's many other ways, but you could use the below VBScript. Save as vbs and call via cscript from command prompt, e.g.
cscript countobjects.vbs /dn:"<DN OF GROUP>"
If you need to differentiate between different object types (contact/users etc,) - see here :

groupDN = WScript.Arguments.Named("dn")
Set objGroup = GetObject("LDAP://"&groupDN)
i = 0
For Each strUser in objGroup.Member
    i = i + 1
Wscript.Echo "Total members in the group: " & i

Open in new window

Chris DentPowerShell DeveloperCommented:
Hmm actually, I think you might be running into a slightly more complex issue. The group name you're using:


Contains a reserved character, the $ which indicates that it is a variable (despite it being in quotes). You would need to escape that value using `:

(Get-QADGroupMember "`$file-london-hr").Count

After which both .Count and Measure-Object should return correct results.

Alternatively, quote it using a single quote instead of a double quote:

Get-QADGroupMember '$file-london-hr' | Measure-Object

A proven path to a career in data science

At Springboard, we know how to get you a job in data science. With Springboard’s Data Science Career Track, you’ll master data science  with a curriculum built by industry experts. You’ll work on real projects, and get 1-on-1 mentorship from a data scientist.

bruce_77Author Commented:

I tried Chris's suggestion in Quest, but get the following error;

Get-QADGroupMember : Cannot resolve DN for the given identity: '--london-hr'

If I try the same command on another group, with a different name (without the $) then it seems to work. From testing, it seems that whenever there is a $ in the group name, I get this error above.

I've checked the DN of the group using ADSIEdit, and it is "$file-london-hr", so I'm guessing Quest doesn't like the $ in the string...any way around this?
Chris DentPowerShell DeveloperCommented:

Yeah, for the reason above. $<Name> indicates it is a variable (as far as PowerShell is concerned), it tries to expand the variable into it's value and then it will execute the command.

For instance, if you had:

$Name = "Domain Admins"

You would get a count of members in that group if you were to run:

(Get-QADGroupMember "$Name").Count

Using the ` to escape the meaning of $, or using single quotes will circumvent that issue.

bruce_77Author Commented:
LOL, sorry - I was writing my last comment when you had just posted yours :)

I tried again using single quotes and it works fine, many thanks Chris - appreciate your help.

Just one point - you mention that Quest may have issues with very large groups (thousands of members). Do you know what the problem is? Is there a specific group size over which this happens and is there any workaround?

The tool itself looks really good...
Chris DentPowerShell DeveloperCommented:

I haven't tested the lower boundary, but groups of over 5000 members may be difficult.

There's also a problem with legacy group members which is worth considering due to a limitation in large attribute replication. Again, 5000 is the limit for that one, and filed under Linked Value Replication and generally not a problem if a domain was built using Windows 2003 (and that functional level).

And yep, there's a work around. Instead of pulling membership, execute a query for the members.

e.g. This:

Get-QADUser -LdapFilter "(memberOf=CN=thegroup,OU=somewhere,DC=domain,DC=com)"

Instead of:

Get-QADGroupMember "thegroup"


(Get-QADGroup "thegroup").members

The results can be measured or counted in the same way as above. I'm sure it'll be fixed in the next release (if that hasn't already happened).

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.