REIT
PowerShell - Export AD Group Members Limit Exceeded
Hi Guys,
I have the following script, which gets the members of each group I have in a CSV; it then creates a separate CSV for each group and exports this for me. Because we have quite a few domains in our AD forest, it's configured with cross-domain checking.
The trouble I'm having is that a few of the groups have quite a lot of members, and when the script runs, the groups with a high number of members fail with "Request limit has been exceeded".
Can someone help me resolve this?
#Ensure the CSV has a column with the header 'GroupName'
$domains = (Get-ADForest).domains
$GroupList = Import-CSV C:\Temp\GroupsToExport.csv
foreach ($groupname in $GroupList.Groupname) {
    $Members = foreach ($domain in $domains) {
        $Group = Get-ADGroup -Filter { Name -like $groupname } -Server $domain
        $Group | Get-ADGroupMember -Server $domain -Recursive | Get-ADUser -Properties * -Server domain.co.uk:3268 | Select Name, UserPrincipalName
    }
    $Members | Export-CSV "C:\Temp\$groupname.csv" -NTI
}
ASKER
Ok ran it, got the following error
"Get-ADGroup : Cannot validate argument on parameter 'Server'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At line:7 char:59
+ ... Get-ADGroup -Identity $Identity -Property Member -Server $Server |
+ ~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-ADGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADGroup"
Sorry, fixed above; just download again.
ASKER
We're getting closer.... this error appears for loads of users
Get-ADObject : Cannot find an object with identity: 'CN=SURNAME\, Firstname,OU=Users,DC=domain,DC=com' under: 'DC=forestroot,DC=co,DC=uk'.
At line:9 char:3
+ Get-ADObject -Property Name, UserPrincipalName, SamAccountNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (CN=SURNAME\, Firstname...domain,DC=com:ADObject) [Get-ADObject], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADObject
So I guess you have cross-domain membership in at least part of these groups?
ASKER
Correct
Can't test it at the moment, but try this:
#Ensure the CSV has a column with the header 'GroupName'
$domains = (Get-ADForest).domains
$GroupList = Import-Csv -Path C:\Temp\GroupsToExport.csv
Function Get-ADGroupMemberRecursive($Identity, $Server) {
    Get-ADGroup -Identity $Identity -Property Member -Server $Server |
        Select-Object -ExpandProperty Member |
        ForEach-Object {
            $domain = ($_ -split ',DC=', 2)[1] -replace ',DC=', '.'
            $adObject = Get-ADObject -Property Name, UserPrincipalName, SamAccountName -Server $domain
            If ($adObject.objectClass -eq 'group') {
                Get-ADGroupMemberRecursive -Identity $_ -Server $domain
            } Else {
                $adObject
            }
        }
}
ForEach ($groupname in $GroupList.Groupname) {
    $domains | ForEach-Object {
        Get-ADGroupMemberRecursive -Identity $groupname -Server $_ |
            Select-Object -Property Name, UserPrincipalName, SamAccountName, DistinguishedName
    } | Export-CSV "C:\Temp\$($groupname).csv" -NoTypeInformation
}
ASKER
That failed also...
Error
Get-ADGroup : Cannot find an object with identity: 'Group1' under: 'DC=domain,DC=com'.
At line:5 char:2
+ Get-ADGroup -Identity $Identity -Property Member -Server $Server ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Group1:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
Then it also does this
cmdlet Get-ADObject at command pipeline position 1
Supply values for the following parameters:
Filter:
ASKER
That worked! Thank you for your persistence!
Try it like this:
Edit: Fixed server name
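The cross-domain expansion this thread works toward, as an added example that is not part of the original thread and is not the members-only accepted solution: each member DN is looked up in the domain named by its own DC= components, and a visited set stops nested-group loops. `Get-DomainFromDN`, `Expand-GroupMember`, the `$lookup` script block and the sample directory are hypothetical names and constructed data.

```powershell
function Get-DomainFromDN([string]$DN) {
    # Split on unescaped commas only, so 'CN=SURNAME\, Firstname' stays one RDN.
    $dc = $DN -split '(?<!\\),' | Where-Object { $_ -match '^DC=' }
    ($dc | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Expand-GroupMember {
    param([string]$DN, [scriptblock]$Lookup,
          [System.Collections.Generic.HashSet[string]]$Seen)
    if (-not $Seen.Add($DN)) { return }            # seen before: nesting loop or duplicate path
    $obj = & $Lookup $DN (Get-DomainFromDN $DN)    # query the domain named in the DN itself
    if ($null -eq $obj) { Write-Warning "Not found: $DN"; return }
    if ($obj.objectClass -eq 'group') {
        foreach ($m in $obj.member) { Expand-GroupMember -DN $m -Lookup $Lookup -Seen $Seen }
    } else { $obj }
}

# Constructed sample directory (not real data). Group1 and Group2 contain each other.
$dir = @{
    'CN=Group1,OU=Groups,DC=forestroot,DC=co,DC=uk' = [pscustomobject]@{
        objectClass = 'group'
        member = 'CN=SURNAME\, Firstname,OU=Users,DC=domain,DC=com',
                 'CN=Group2,OU=Groups,DC=domain,DC=com' }
    'CN=Group2,OU=Groups,DC=domain,DC=com' = [pscustomobject]@{
        objectClass = 'group'
        member = 'CN=Group1,OU=Groups,DC=forestroot,DC=co,DC=uk',
                 'CN=SURNAME\, Firstname,OU=Users,DC=domain,DC=com' }
    'CN=SURNAME\, Firstname,OU=Users,DC=domain,DC=com' = [pscustomobject]@{
        objectClass = 'user'; Name = 'SURNAME, Firstname'
        UserPrincipalName = 'firstname.surname@domain.com' }
}
# Offline stand-in for the directory. Against a live forest the lookup could be (assumption):
#   { param($dn, $server) Get-ADObject -Identity $dn -Server $server -Properties member, userPrincipalName }
$lookup = { param($dn, $server) $dir[$dn] }

$seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Expand-GroupMember -DN 'CN=Group1,OU=Groups,DC=forestroot,DC=co,DC=uk' -Lookup $lookup -Seen $seen |
    Select-Object Name, UserPrincipalName
```

The user reachable through both groups is emitted once, and the Group1/Group2 loop terminates because each DN is expanded only on first sight.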