Solved

Count of users in AD groups

Posted on 2009-04-01
7
1,258 Views
Last Modified: 2013-12-24
Hi Experts

My environment is AD 2003 functional level.

I have a bunch of AD groups (Global security groups, Universal sec groups, DL's etc) that I want to find out the following for;

a) Number of users within that group
b) List of users within that group [nice to have]

An example name of group is $file-london-hr.

I've read some previous posts on EE regarding Quest Powershell, but for some reason if I use the following command to get a count, I get nothing;

Get-QADGroup -Identity "$file-london-hr" | Get-QADGroupMember | measure-object

[Using on a Global Security group]

Does anyone know any straightfoward DSGet commands I can use to get the count, or alternatively know what is wrong with my Powershell command?

Any help would be much appreciated.
0
Comment
Question by:bruce_77
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 400 total points
ID: 24037972

Hi :)

This is all you really need:

(Get-QADGroupMember "$file-london-hr").Count

Although do be aware that you may experience problems with that for very very large groups (thousands of members).

Chris
0
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 100 total points
ID: 24037989
To list the members, you can use DSGET:
dsget group "<DN of group>" -members
To count the objects in a group, I'm sure there's many other ways, but you could use the below VBScript. Save as vbs and call via cscript from command prompt, e.g.
cscript countobjects.vbs /dn:"<DN OF GROUP>"
If you need to differentiate between different object types (contact/users etc,) - see here : http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept07/hey0919.mspx

groupDN = WScript.Arguments.Named("dn")
Set objGroup = GetObject("LDAP://"&groupDN)
i = 0
For Each strUser in objGroup.Member
    i = i + 1
Next
Wscript.Echo "Total members in the group: " & i

Open in new window

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24038063
Hmm actually, I think you might be running into a slightly more complex issue. The group name you're using:

$file-london-hr

Contains a reserved character, the $ which indicates that it is a variable (despite it being in quotes). You would need to escape that value using `:

(Get-QADGroupMember "`$file-london-hr").Count

After which both .Count and Measure-Object should return correct results.

Alternatively, quote it using a single quote instead of a double quote:

Get-QADGroupMember '$file-london-hr' | Measure-Object

Chris
0
Do you have a plan for Continuity?

It's inevitable. People leave organizations creating a gap in your service. That's where Percona comes in.

See how Pepper.com relies on Percona to:
-Manage their database
-Guarantee data safety and protection
-Provide database expertise that is available for any situation

 
LVL 2

Author Comment

by:bruce_77
ID: 24038070
Thanks

I tried Chris's suggestion in Quest, but get the following error;

Get-QADGroupMember : Cannot resolve DN for the given identity: '--london-hr'

If I try the same command on another group, with a different name (without the $) then it seems to work. From testing, it seems that whenever there is a $ in the group name, I get this error above.

I've checked the DN of the group using ADSIEdit, and it is "$file-london-hr", so I'm guessing Quest doesn't like the $ in the string...any way around this?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24038096

Yeah, for the reason above. $<Name> indicates it is a variable (as far as PowerShell is concerned), it tries to expand the variable into it's value and then it will execute the command.

For instance, if you had:

$Name = "Domain Admins"

You would get a count of members in that group if you were to run:

(Get-QADGroupMember "$Name").Count

Using the ` to escape the meaning of $, or using single quotes will circumvent that issue.

Chris
0
 
LVL 2

Author Comment

by:bruce_77
ID: 24038109
LOL, sorry - I was writing my last comment when you had just posted yours :)

I tried again using single quotes and it works fine, many thanks Chris - appreciate your help.

Just one point - you mention that Quest may have issues with very large groups (thousands of members). Do you know what the problem is? Is there a specific group size over which this happens and is there any workaround?

The tool itself looks really good...
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24038173

I haven't tested the lower boundary, but groups of over 5000 members may be difficult.

There's also a problem with legacy group members which is worth considering due to a limitation in large attribute replication. Again, 5000 is the limit for that one, and filed under Linked Value Replication and generally not a problem if a domain was built using Windows 2003 (and that functional level).

And yep, there's a work around. Instead of pulling membership, execute a query for the members.

e.g. This:

Get-QADUser -LdapFilter "(memberOf=CN=thegroup,OU=somewhere,DC=domain,DC=com)"

Instead of:

Get-QADGroupMember "thegroup"

Or:

(Get-QADGroup "thegroup").members

The results can be measured or counted in the same way as above. I'm sure it'll be fixed in the next release (if that hasn't already happened).

Chris
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question