REIT

asked on

Powershell - Export AD Group Members Limit Exceeded

Hi Guys,

I have the following script which gets the members of each group I have in a csv, it then creates a separate csv of each group and exports this for me. Because we have quite a few domains in our AD Forest, it's configured with cross domain checking.

The trouble I'm having is that a few of the groups have quite a lot of members in them, and when the script runs, the groups with a high number of members fail with "Request limit has been exceeded"

#Ensure the CSV has a column with the header 'GroupName'

$domains = (Get-ADForest).domains
$GroupList = Import-CSV C:\Temp\GroupsToExport.csv

foreach ($groupname in $GroupList.Groupname) {
    $Members = foreach ($domain in $domains) {
        $Group = Get-ADGroup -Filter { Name -like $groupname } -Server $domain 
        $Group | Get-ADGroupMember -Server $domain -Recursive | Get-ADUser -Properties * -Server domain.co.uk:3268 | Select Name, UserPrincipalName
    }
    $Members | Export-CSV "C:\Temp\$groupname.csv" -NTI
}



Can someone help me resolve this?
oBdA

"High" is 5000 members or more.
Try it like this:
#Ensure the CSV has a column with the header 'GroupName'

$domains = (Get-ADForest).domains
$GroupList = Import-Csv -Path C:\Temp\GroupsToExport.csv

Function Get-ADGroupMemberRecursive($Identity, $Server) {
	Get-ADGroup -Identity $Identity -Property Member -Server $Server |
		Select-Object -ExpandProperty Member |
		Get-ADObject -Property Name, UserPrincipalName, SamAccountName -Server $Server |
		ForEach-Object {
			If ($_.objectClass -eq 'group') {
				Get-ADGroupMemberRecursive -Identity $_ -Server $Server
			} Else {
				$_
			}
		}
}

ForEach ($groupname in $GroupList.Groupname) {
	$domains | ForEach-Object {
		Get-ADGroupMemberRecursive -Identity $groupname -Server $_ |
			Select-Object -Property Name, UserPrincipalName, SamAccountName, DistinguishedName
    } | Export-CSV "C:\Temp\$($groupname).csv" -NoTypeInformation
}



Edit: Fixed server name

ASKER

Ok ran it, got the following error
"Get-ADGroup : Cannot validate argument on parameter 'Server'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At line:7 char:59
+ ...    Get-ADGroup -Identity $Identity -Property Member -Server $Server |
+                                                                 ~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADGroup], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADGroup"
Sorry, fixed above; just download again.

ASKER

We're getting closer.... this error appears for loads of users

Get-ADObject : Cannot find an object with identity: 'CN=SURNAME\, Firstname,OU=Users,DC=domain,DC=com' under: 'DC=forestroot,DC=co,DC=uk'.
At line:9 char:3
+         Get-ADObject -Property Name, UserPrincipalName, SamAccountNam ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (CN=SURNAME\, Firstname...domain,DC=com:ADObject) [Get-ADObject], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADObject
 
So I guess you have cross-domain membership in at least part of these groups?

ASKER

Correct 
Can't test it at the moment, but try this:
#Ensure the CSV has a column with the header 'GroupName'

$domains = (Get-ADForest).domains
$GroupList = Import-Csv -Path C:\Temp\GroupsToExport.csv

Function Get-ADGroupMemberRecursive($Identity, $Server) {
	Get-ADGroup -Identity $Identity -Property Member -Server $Server |
		Select-Object -ExpandProperty Member |
		ForEach-Object {
			$domain = ($_ -split ',DC=', 2)[1] -replace ',DC=', '.'
			$adObject = Get-ADObject -Property Name, UserPrincipalName, SamAccountName -Server $domain
			If ($adObject.objectClass -eq 'group') {
				Get-ADGroupMemberRecursive -Identity $_ -Server $domain
			} Else {
				$adObject
			}
		}
}

ForEach ($groupname in $GroupList.Groupname) {
	$domains | ForEach-Object {
		Get-ADGroupMemberRecursive -Identity $groupname -Server $_ |
			Select-Object -Property Name, UserPrincipalName, SamAccountName, DistinguishedName
    } | Export-CSV "C:\Temp\$($groupname).csv" -NoTypeInformation
}



ASKER

That failed also...

Error
Get-ADGroup : Cannot find an object with identity: 'Group1' under: 'DC=domain,DC=com'.
At line:5 char:2
+     Get-ADGroup -Identity $Identity -Property Member -Server $Server  ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Group1:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

Then it also does this
cmdlet Get-ADObject at command pipeline position 1
Supply values for the following parameters:
Filter:
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.

ASKER

That worked! Thank you for your persistence!
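
An added example, not code from this thread and not the accepted solution (which is not shown on this page): one way to combine the ideas above, reading the Member attribute instead of calling Get-ADGroupMember, looking each member up in the domain named by its own DN, and passing -Identity so Get-ADObject does not prompt for a filter. The function names ConvertTo-DomainFqdn and Get-GroupMemberCrossDomain are hypothetical, and the script assumes every domain in the forest is reachable by its DNS name from where it runs.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# 'CN=SURNAME\, Firstname,OU=Users,DC=domain,DC=com' -> 'domain.com'
# The lookbehind keeps an escaped '\,DC=' inside a CN from being treated as the domain part.
function ConvertTo-DomainFqdn([string]$DistinguishedName) {
    ($DistinguishedName -split '(?<!\\),DC=', 2)[1] -replace ',DC=', '.'
}

# Expand a group through its Member attribute and query each member
# in the domain its DN belongs to, recursing into nested groups.
function Get-GroupMemberCrossDomain {
    param([Parameter(Mandatory)] [string]$GroupDN, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDN)) { return }   # guard against circular nesting
    $Seen[$GroupDN] = $true

    $group = Get-ADGroup -Identity $GroupDN -Properties Member -Server (ConvertTo-DomainFqdn $GroupDN)
    foreach ($memberDN in $group.Member) {
        $server = ConvertTo-DomainFqdn $memberDN
        try {
            $obj = Get-ADObject -Identity $memberDN -Properties UserPrincipalName, SamAccountName -Server $server -ErrorAction Stop
        } catch {
            Write-Warning "Skipping '$memberDN': $($_.Exception.Message)"
            continue
        }
        if ($obj.ObjectClass -eq 'group') {
            Get-GroupMemberCrossDomain -GroupDN $obj.DistinguishedName -Seen $Seen
        } else {
            $obj
        }
    }
}

$groupList = Import-Csv -Path C:\Temp\GroupsToExport.csv
foreach ($groupName in $groupList.GroupName) {
    # Resolve the name to a DN in whichever domain(s) actually hold the group,
    # so a domain without it returns nothing instead of an identity-not-found error.
    $roots = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADGroup -Filter { Name -eq $groupName } -Server $domain
    }
    if (-not $roots) { Write-Warning "Group '$groupName' not found in any domain"; continue }
    $roots | ForEach-Object { Get-GroupMemberCrossDomain -GroupDN $_.DistinguishedName } |
        Sort-Object -Property DistinguishedName -Unique |
        Select-Object -Property Name, UserPrincipalName, SamAccountName, DistinguishedName |
        Export-Csv -Path "C:\Temp\$groupName.csv" -NoTypeInformation
}
```

Members that cannot be read (for example a domain that is offline) are reported with Write-Warning rather than silently dropped, so an export used for an access review shows where it is incomplete.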