Solved

Count of users in AD groups

Posted on 2009-04-01
7
1,255 Views
Last Modified: 2013-12-24
Hi Experts

My environment is AD 2003 functional level.

I have a bunch of AD groups (Global security groups, Universal sec groups, DL's etc) that I want to find out the following for;

a) Number of users within that group
b) List of users within that group [nice to have]

An example name of group is $file-london-hr.

I've read some previous posts on EE regarding Quest Powershell, but for some reason if I use the following command to get a count, I get nothing;

Get-QADGroup -Identity "$file-london-hr" | Get-QADGroupMember | measure-object

[Using on a Global Security group]

Does anyone know any straightfoward DSGet commands I can use to get the count, or alternatively know what is wrong with my Powershell command?

Any help would be much appreciated.
0
Comment
Question by:bruce_77
  • 4
  • 2
7 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 400 total points
ID: 24037972

Hi :)

This is all you really need:

(Get-QADGroupMember "$file-london-hr").Count

Although do be aware that you may experience problems with that for very very large groups (thousands of members).

Chris
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 100 total points
ID: 24037989
To list the members, you can use DSGET:
dsget group "<DN of group>" -members
To count the objects in a group, I'm sure there's many other ways, but you could use the below VBScript. Save as vbs and call via cscript from command prompt, e.g.
cscript countobjects.vbs /dn:"<DN OF GROUP>"
If you need to differentiate between different object types (contact/users etc,) - see here : http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept07/hey0919.mspx

groupDN = WScript.Arguments.Named("dn")
Set objGroup = GetObject("LDAP://"&groupDN)
i = 0
For Each strUser in objGroup.Member
    i = i + 1
Next
Wscript.Echo "Total members in the group: " & i

Open in new window

0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24038063
Hmm actually, I think you might be running into a slightly more complex issue. The group name you're using:

$file-london-hr

Contains a reserved character, the $ which indicates that it is a variable (despite it being in quotes). You would need to escape that value using `:

(Get-QADGroupMember "`$file-london-hr").Count

After which both .Count and Measure-Object should return correct results.

Alternatively, quote it using a single quote instead of a double quote:

Get-QADGroupMember '$file-london-hr' | Measure-Object

Chris
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 
LVL 2

Author Comment

by:bruce_77
ID: 24038070
Thanks

I tried Chris's suggestion in Quest, but get the following error;

Get-QADGroupMember : Cannot resolve DN for the given identity: '--london-hr'

If I try the same command on another group, with a different name (without the $) then it seems to work. From testing, it seems that whenever there is a $ in the group name, I get this error above.

I've checked the DN of the group using ADSIEdit, and it is "$file-london-hr", so I'm guessing Quest doesn't like the $ in the string...any way around this?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24038096

Yeah, for the reason above. $<Name> indicates it is a variable (as far as PowerShell is concerned), it tries to expand the variable into it's value and then it will execute the command.

For instance, if you had:

$Name = "Domain Admins"

You would get a count of members in that group if you were to run:

(Get-QADGroupMember "$Name").Count

Using the ` to escape the meaning of $, or using single quotes will circumvent that issue.

Chris
0
 
LVL 2

Author Comment

by:bruce_77
ID: 24038109
LOL, sorry - I was writing my last comment when you had just posted yours :)

I tried again using single quotes and it works fine, many thanks Chris - appreciate your help.

Just one point - you mention that Quest may have issues with very large groups (thousands of members). Do you know what the problem is? Is there a specific group size over which this happens and is there any workaround?

The tool itself looks really good...
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24038173

I haven't tested the lower boundary, but groups of over 5000 members may be difficult.

There's also a problem with legacy group members which is worth considering due to a limitation in large attribute replication. Again, 5000 is the limit for that one, and filed under Linked Value Replication and generally not a problem if a domain was built using Windows 2003 (and that functional level).

And yep, there's a work around. Instead of pulling membership, execute a query for the members.

e.g. This:

Get-QADUser -LdapFilter "(memberOf=CN=thegroup,OU=somewhere,DC=domain,DC=com)"

Instead of:

Get-QADGroupMember "thegroup"

Or:

(Get-QADGroup "thegroup").members

The results can be measured or counted in the same way as above. I'm sure it'll be fixed in the next release (if that hasn't already happened).

Chris
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
WriteBack Attribute permission on domain level 13 69
Event 4625 - Account Name: _ 3 27
exchange, active directory 4 25
Domain administrator account is locked out 31 56
Resolve DNS query failed errors for Exchange
As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question