ADWS Default Limit

A little hiccup that keeps coming up for people I talk to and work with is the default limit of 5000 objects returned by Active Directory Web Services (ADWS) for three key commands: Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup. While an error is thrown, these commands are in fact not broken. It's all down to a setting in a configuration file on the Active Directory server that limits the number of results to 5000. One option is to increase the number of results returned in the configuration file. While this is a possibility, Microsoft makes some specific callouts on their TechNet page (here):

Note: This setting can affect the memory consumption of the ADWS service

Well, that isn't too good. But it only gets worse:

Note: If your operation returns an exceptionally large results set, you might run into a non-configurable 5-minute timeout.

Also, the configuration file needs to be updated on every single domain controller. If it is not, your command could hit a server that won't return the increased number of results.

Hitting a timeout on a large result set is bad enough; the fact that the timeout is non-configurable is even worse. This makes the cmdlets unreliable in environments where a group may have a very large number of members.

In order to retrieve the membership of groups with this many members, a reliable method is to revert to using ADSI to query Active Directory. There are other methods, but this has been the most reliable one I have used in the past few years.

Add-Type -AssemblyName System.DirectoryServices   # replaces the deprecated LoadWithPartialName call

$group = [adsi]"LDAP://CN=Test-Group,OU=Groups,DC=Contosco,DC=Com"

# IADsGroup::Members enumerates every member; the ADWS 5000-object limit does not apply here
$group.psbase.Invoke("Members") |
    ForEach-Object { $_.GetType().InvokeMember("distinguishedName", "GetProperty", $null, $_, $null) } |
    ForEach-Object {
        $dn = $_   # keep the DN: inside catch, $_ is the error record, not the member
        try {
            Get-ADUser $dn -ErrorAction Stop | Select-Object SamAccountName
        }
        catch {
            "Could not find item $dn" | Write-Verbose   # e.g. a computer or nested group member
        }
    }

Using this method, it is possible to get more than 5000 members of a group without updating the configuration file. With all of the items returned from the ADSI call, it is then possible to call Get-ADUser (or Get-ADComputer, etc.) to get the expected AD object for use in other scripts that expect one.
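As an added example (not code from the original post), the same membership can be read without the IADsGroup Members call by asking LDAP for the member attribute in ranges, which is how Active Directory hands back multi-valued attributes larger than its MaxValRange (1500 values by default); this makes the chunking that the Members call does implicitly visible, and the group DN is a constructed placeholder.

```powershell
# Added example, not from the original post: enumerate a large group's 'member'
# attribute with LDAP ranged retrieval (member;range=lo-hi). Each request returns
# at most MaxValRange values (1500 by default); the final chunk is labelled 'N-*'.
function Get-LargeGroupMemberDN {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,   # placeholder DN, see usage below
        [int] $RangeSize = 1500
    )
    Add-Type -AssemblyName System.DirectoryServices
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$GroupDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = 'Base'            # we only want this one object
    $searcher.Filter      = '(objectClass=group)'

    $members = New-Object System.Collections.Generic.List[string]
    $start   = 0
    while ($true) {
        $end = $start + $RangeSize - 1
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=$start-$end")
        $result = $searcher.FindOne()
        if ($null -eq $result) { break }

        # The DC names the chunk it actually returned, e.g. 'member;range=0-1499',
        # or 'member;range=3000-*' for the last one (names come back lowercased).
        $returned = $result.Properties.PropertyNames |
            Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $returned -or $result.Properties[$returned].Count -eq 0) { break }

        foreach ($dn in $result.Properties[$returned]) { $members.Add([string]$dn) }
        if ($returned.EndsWith('*')) { break }   # server signalled the final chunk
        $start = $end + 1
    }
    return $members
}

# Usage: resolve each DN to an AD object as in the post; non-user members are
# reported rather than silently dropped.
Get-LargeGroupMemberDN -GroupDN 'CN=Test-Group,OU=Groups,DC=Contosco,DC=Com' |
    ForEach-Object {
        $dn = $_
        try   { Get-ADUser $dn -ErrorAction Stop | Select-Object SamAccountName }
        catch { Write-Verbose "Not a user object: $dn" }
    }
```

The ranged requests are plain LDAP reads against one object, so neither the ADWS result cap nor its 5-minute timeout is involved; only the ActiveDirectory module call at the end still goes through ADWS, one object at a time.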