Enumerating group membership & ADSI

05-30-2007

Hi,

Can anyone tell me how to enumerate the members of an AD group using
Powershell?

It seems that the ADSI features are still quite limited so I'm wondering if
there is a quick way to do this.

Thanks in advance.

CrazyKiwi

05-30-2007

The easiest way to do it is if you can use the Quest AD cmdlets and use
Get-QADGroupMember from here
http://www.quest.com/activeroles-server/arms.aspx

if you need to do it with code then

$group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org"
foreach ($member in $group.member)
{
$member
}
--
Richard Siddaway
Please note that all scripts are supplied "as is" and with no warranty
Blog: http://richardsiddaway.spaces.live.com/
PowerShell User Group: http://www.get-psuguk.org.uk

"CrazyKiwi" wrote:

> Hi,
>
> Can anyone tell me how to enumerate the members of an AD group using
> Powershell?
>
> It seems that the ADSI features are still quite limited so I'm wondering if
> there is a quick way to do this.
>
> Thanks in advance.
>
> CrazyKiwi

07-04-2007

G'day,
Tried the suggested code however it only shows the first 1000 members. We
have some groups with much larger memberships. Any idea how to address this?

Thanks,

ColinH

"RichS" wrote:

> The easiest way to do it is if you can use the Quest AD cmdlets and use
> Get-QADGroupMember from here
> http://www.quest.com/activeroles-server/arms.aspx
>
> if you need to do it with code then
>
> $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org"
> foreach ($member in $group.member)
> {
> $member
> }
> --
> Richard Siddaway
> Please note that all scripts are supplied "as is" and with no warranty
> Blog: http://richardsiddaway.spaces.live.com/
> PowerShell User Group: http://www.get-psuguk.org.uk
>
>
> "CrazyKiwi" wrote:
>
> > Hi,
> >
> > Can anyone tell me how to enumerate the members of an AD group using
> > Powershell?
> >
> > It seems that the ADSI features are still quite limited so I'm wondering if
> > there is a quick way to do this.
> >
> > Thanks in advance.
> >
> > CrazyKiwi

07-04-2007

There may be other ways (using third party CmdLets) but the way I know
should work although does require another few lines of code

$group = [adsi]"LDAP://<yourDN>"
$groupSearcher = New-Object DirectoryServices.DirectorySearcher($group)
$groupSearcher.PageSize = 1000
$results = $groupSearcher.FindOne()
$results.properties.item("member")
<list of all members>

The issue is with the page size set on the Domain Controllers. It's
quite common to set it to 1000 to improve general query performance.
When that happens we have to adjust our code to be pagesize aware.

Hope that helps

n

On 2007-07-04 07:44:00 +0100, ColinH <ColinH@discussions.microsoft.com> said:

> G'day,
> Tried the suggested code however it only shows the first 1000 members.
> We have some groups with much larger memberships. Any idea how to
> address this?
>
> Thanks,
>
> ColinH
>
> "RichS" wrote:
>
>> The easiest way to do it is if you can use the Quest AD cmdlets and use
>> Get-QADGroupMember from here
>> http://www.quest.com/activeroles-server/arms.aspx
>>
>> if you need to do it with code then
>> $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org"
>> foreach ($member in $group.member)
>> {
>> $member
>> }
>> --
>> Richard Siddaway
>> Please note that all scripts are supplied "as is" and with no warranty
>> Blog: http://richardsiddaway.spaces.live.com/
>> PowerShell User Group: http://www.get-psuguk.org.uk
>>
>>
>> "CrazyKiwi" wrote:
>>
>>> Hi,
>>>
>>> Can anyone tell me how to enumerate the members of an AD group using
>>> Powershell?
>>>
>>> It seems that the ADSI features are still quite limited so I'm
>>> wondering if there is a quick way to do this.
>>>
>>> Thanks in advance.
>>>
>>> CrazyKiwi

07-04-2007

Neil,
Thanks for your reply however it didn't address the issue. When run the
property member = {} and instead the property member:range=0-999 contains the
first 1000 members {cn=..,cn=..,...}

$results.properties.item("member") produced no list
$results.properties.item("member;range=0-999") produced a list of 1000 members

Any ideas?
Regards,

ColinH

"Neil Chambers" wrote:

> There may be other ways (using third party CmdLets) but the way I know
> should work although does require another few lines of code
>
> $group = [adsi]"LDAP://<yourDN>"
> $groupSearcher = New-Object DirectoryServices.DirectorySearcher($group)
> $groupSearcher.PageSize = 1000
> $results = $groupSearcher.FindOne()
> $results.properties.item("member")
> <list of all members>
>
> The issue is with the page size set on the Domain Controllers. It's
> quite common to set it to 1000 to improve general query performance.
> When that happens we have to adjust our code to be pagesize aware.
>
> Hope that helps
>
> n
>
> On 2007-07-04 07:44:00 +0100, ColinH <ColinH@discussions.microsoft.com> said:
>
> > G'day,
> > Tried the suggested code however it only shows the first 1000 members.
> > We have some groups with much larger memberships. Any idea how to
> > address this?
> >
> > Thanks,
> >
> > ColinH
> >
> > "RichS" wrote:
> >
> >> The easiest way to do it is if you can use the Quest AD cmdlets and use
> >> Get-QADGroupMember from here
> >> http://www.quest.com/activeroles-server/arms.aspx
> >>
> >> if you need to do it with code then
> >> $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org"
> >> foreach ($member in $group.member)
> >> {
> >> $member
> >> }
> >> --
> >> Richard Siddaway
> >> Please note that all scripts are supplied "as is" and with no warranty
> >> Blog: http://richardsiddaway.spaces.live.com/
> >> PowerShell User Group: http://www.get-psuguk.org.uk
> >>
> >>
> >> "CrazyKiwi" wrote:
> >>
> >>> Hi,
> >>>
> >>> Can anyone tell me how to enumerate the members of an AD group using
> >>> Powershell?
> >>>
> >>> It seems that the ADSI features are still quite limited so I'm
> >>> wondering if there is a quick way to do this.
> >>>
> >>> Thanks in advance.
> >>>
> >>> CrazyKiwi
>
>
>

07-05-2007

On Wed, 4 Jul 2007 19:40:00 -0700, ColinH
<ColinH@discussions.microsoft.com> wrote:

>Neil,
>Thanks for your reply however it didn't address the issue. When run the
>property member = {} and instead the property member:range=0-999 contains the
>first 1000 members {cn=..,cn=..,...}
>
>$results.properties.item("member") produced no list
>$results.properties.item("member;range=0-999") produced a list of 1000 members
>
>Any ideas?
>Regards,
>
>ColinH
>

Maybe take a look at the following pages:

Enumerating Groups That Contain Many Members
http://msdn2.microsoft.com/en-us/library/ms676302.aspx

Enumerating Members in a Large Group
http://msdn2.microsoft.com/en-us/library/ms180907.aspx

Searching Using Range Retrieval
http://msdn2.microsoft.com/en-us/library/aa367017.aspx

Attribute Range Retrieval
http://msdn2.microsoft.com/en-us/library/aa772308.aspx

HTH
Chris

07-05-2007

On 5 Jul, 10:01, Chris Warwick <n...@remove.this.bit.nuney.com> wrote:
> On Wed, 4 Jul 2007 19:40:00 -0700, ColinH
>
> <Col...@discussions.microsoft.com> wrote:
> >Neil,
> >Thanks for your reply however it didn't address the issue. When run the
> >property member = {} and instead the property member:range=0-999 contains the
> >first 1000 members {cn=..,cn=..,...}
>
> >$results.properties.item("member") produced no list
> >$results.properties.item("member;range=0-999") produced a list of 1000 members
>
> >Any ideas?
> >Regards,
>
> >ColinH
>
> Maybe take a look at the following pages:
>
> Enumerating Groups That Contain Many Membershttp://msdn2.microsoft.com/en-us/library/ms676302.aspx
>
> Enumerating Members in a Large Grouphttp://msdn2.microsoft.com/en-us/library/ms180907.aspx
>
> Searching Using Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa367017.aspx
>
> Attribute Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa772308.aspx
>
> HTH
> Chris

I have also some more information and examples in PowerShell on my old
blog here :

http://mow001.blogspot.com/2006/04/l...-in-monad.html

Greetings /\/\o\/\/
http://thePowerShellGuy.com

07-05-2007

G'day,

Thanks to you both for your quick response. I used range retrieval to
return the results. I am using PowerShell to clean up a nasty four-way
x-domain / x-forest migration. Looking forward to the next PS release.

Regards,

ColinH

"to.mow@home.nl" wrote:

> On 5 Jul, 10:01, Chris Warwick <n...@remove.this.bit.nuney.com> wrote:
> > On Wed, 4 Jul 2007 19:40:00 -0700, ColinH
> >
> > <Col...@discussions.microsoft.com> wrote:
> > >Neil,
> > >Thanks for your reply however it didn't address the issue. When run the
> > >property member = {} and instead the property member:range=0-999 contains the
> > >first 1000 members {cn=..,cn=..,...}
> >
> > >$results.properties.item("member") produced no list
> > >$results.properties.item("member;range=0-999") produced a list of 1000 members
> >
> > >Any ideas?
> > >Regards,
> >
> > >ColinH
> >
> > Maybe take a look at the following pages:
> >
> > Enumerating Groups That Contain Many Membershttp://msdn2.microsoft.com/en-us/library/ms676302.aspx
> >
> > Enumerating Members in a Large Grouphttp://msdn2.microsoft.com/en-us/library/ms180907.aspx
> >
> > Searching Using Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa367017.aspx
> >
> > Attribute Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa772308.aspx
> >
> > HTH
> > Chris
>
> I have also some more information and examples in PowerShell on my old
> blog here :
>
> http://mow001.blogspot.com/2006/04/l...-in-monad.html
>
> Greetings /\/\o\/\/
> http://thePowerShellGuy.com
>
>

05-30-2007	#1 (permalink)
CrazyKiwi Guest	Enumerating group membership & ADSI Hi, Can anyone tell me how to enumerate the members of an AD group using Powershell? It seems that the ADSI features are still quite limited so I'm wondering if there is a quick way to do this. Thanks in advance. CrazyKiwi

05-30-2007	#2 (permalink)
RichS Guest	RE: Enumerating group membership & ADSI The easiest way to do it is if you can use the Quest AD cmdlets and use Get-QADGroupMember from here http://www.quest.com/activeroles-server/arms.aspx if you need to do it with code then $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org" foreach ($member in $group.member) { $member } -- Richard Siddaway Please note that all scripts are supplied "as is" and with no warranty Blog: http://richardsiddaway.spaces.live.com/ PowerShell User Group: http://www.get-psuguk.org.uk "CrazyKiwi" wrote: > Hi, > > Can anyone tell me how to enumerate the members of an AD group using > Powershell? > > It seems that the ADSI features are still quite limited so I'm wondering if > there is a quick way to do this. > > Thanks in advance. > > CrazyKiwi

07-04-2007	#3 (permalink)
ColinH Guest	RE: Enumerating group membership & ADSI G'day, Tried the suggested code however it only shows the first 1000 members. We have some groups with much larger memberships. Any idea how to address this? Thanks, ColinH "RichS" wrote: > The easiest way to do it is if you can use the Quest AD cmdlets and use > Get-QADGroupMember from here > http://www.quest.com/activeroles-server/arms.aspx > > if you need to do it with code then > > $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org" > foreach ($member in $group.member) > { > $member > } > -- > Richard Siddaway > Please note that all scripts are supplied "as is" and with no warranty > Blog: http://richardsiddaway.spaces.live.com/ > PowerShell User Group: http://www.get-psuguk.org.uk > > > "CrazyKiwi" wrote: > > > Hi, > > > > Can anyone tell me how to enumerate the members of an AD group using > > Powershell? > > > > It seems that the ADSI features are still quite limited so I'm wondering if > > there is a quick way to do this. > > > > Thanks in advance. > > > > CrazyKiwi

07-04-2007	#4 (permalink)
Neil Chambers Guest	Re: Enumerating group membership & ADSI There may be other ways (using third party CmdLets) but the way I know should work although does require another few lines of code $group = [adsi]"LDAP://<yourDN>" $groupSearcher = New-Object DirectoryServices.DirectorySearcher($group) $groupSearcher.PageSize = 1000 $results = $groupSearcher.FindOne() $results.properties.item("member") <list of all members> The issue is with the page size set on the Domain Controllers. It's quite common to set it to 1000 to improve general query performance. When that happens we have to adjust our code to be pagesize aware. Hope that helps n On 2007-07-04 07:44:00 +0100, ColinH <ColinH@discussions.microsoft.com> said: > G'day, > Tried the suggested code however it only shows the first 1000 members. > We have some groups with much larger memberships. Any idea how to > address this? > > Thanks, > > ColinH > > "RichS" wrote: > >> The easiest way to do it is if you can use the Quest AD cmdlets and use >> Get-QADGroupMember from here >> http://www.quest.com/activeroles-server/arms.aspx >> >> if you need to do it with code then >> $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org" >> foreach ($member in $group.member) >> { >> $member >> } >> -- >> Richard Siddaway >> Please note that all scripts are supplied "as is" and with no warranty >> Blog: http://richardsiddaway.spaces.live.com/ >> PowerShell User Group: http://www.get-psuguk.org.uk >> >> >> "CrazyKiwi" wrote: >> >>> Hi, >>> >>> Can anyone tell me how to enumerate the members of an AD group using >>> Powershell? >>> >>> It seems that the ADSI features are still quite limited so I'm >>> wondering if there is a quick way to do this. >>> >>> Thanks in advance. >>> >>> CrazyKiwi

07-04-2007	#5 (permalink)
ColinH Guest	Re: Enumerating group membership & ADSI Neil, Thanks for your reply however it didn't address the issue. When run the property member = {} and instead the property member:range=0-999 contains the first 1000 members {cn=..,cn=..,...} $results.properties.item("member") produced no list $results.properties.item("member;range=0-999") produced a list of 1000 members Any ideas? Regards, ColinH "Neil Chambers" wrote: > There may be other ways (using third party CmdLets) but the way I know > should work although does require another few lines of code > > $group = [adsi]"LDAP://<yourDN>" > $groupSearcher = New-Object DirectoryServices.DirectorySearcher($group) > $groupSearcher.PageSize = 1000 > $results = $groupSearcher.FindOne() > $results.properties.item("member") > <list of all members> > > The issue is with the page size set on the Domain Controllers. It's > quite common to set it to 1000 to improve general query performance. > When that happens we have to adjust our code to be pagesize aware. > > Hope that helps > > n > > On 2007-07-04 07:44:00 +0100, ColinH <ColinH@discussions.microsoft.com> said: > > > G'day, > > Tried the suggested code however it only shows the first 1000 members. > > We have some groups with much larger memberships. Any idea how to > > address this? > > > > Thanks, > > > > ColinH > > > > "RichS" wrote: > > > >> The easiest way to do it is if you can use the Quest AD cmdlets and use > >> Get-QADGroupMember from here > >> http://www.quest.com/activeroles-server/arms.aspx > >> > >> if you need to do it with code then > >> $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org" > >> foreach ($member in $group.member) > >> { > >> $member > >> } > >> -- > >> Richard Siddaway > >> Please note that all scripts are supplied "as is" and with no warranty > >> Blog: http://richardsiddaway.spaces.live.com/ > >> PowerShell User Group: http://www.get-psuguk.org.uk > >> > >> > >> "CrazyKiwi" wrote: > >> > >>> Hi, > >>> > >>> Can anyone tell me how to enumerate the members of an AD group using > >>> Powershell? > >>> > >>> It seems that the ADSI features are still quite limited so I'm > >>> wondering if there is a quick way to do this. > >>> > >>> Thanks in advance. > >>> > >>> CrazyKiwi > > >

07-05-2007	#6 (permalink)
Chris Warwick Guest	Re: Enumerating group membership & ADSI On Wed, 4 Jul 2007 19:40:00 -0700, ColinH <ColinH@discussions.microsoft.com> wrote: >Neil, >Thanks for your reply however it didn't address the issue. When run the >property member = {} and instead the property member:range=0-999 contains the >first 1000 members {cn=..,cn=..,...} > >$results.properties.item("member") produced no list >$results.properties.item("member;range=0-999") produced a list of 1000 members > >Any ideas? >Regards, > >ColinH > Maybe take a look at the following pages: Enumerating Groups That Contain Many Members http://msdn2.microsoft.com/en-us/library/ms676302.aspx Enumerating Members in a Large Group http://msdn2.microsoft.com/en-us/library/ms180907.aspx Searching Using Range Retrieval http://msdn2.microsoft.com/en-us/library/aa367017.aspx Attribute Range Retrieval http://msdn2.microsoft.com/en-us/library/aa772308.aspx HTH Chris

07-05-2007	#7 (permalink)
to.mow@home.nl Guest	Re: Enumerating group membership & ADSI On 5 Jul, 10:01, Chris Warwick <n...@remove.this.bit.nuney.com> wrote: > On Wed, 4 Jul 2007 19:40:00 -0700, ColinH > > <Col...@discussions.microsoft.com> wrote: > >Neil, > >Thanks for your reply however it didn't address the issue. When run the > >property member = {} and instead the property member:range=0-999 contains the > >first 1000 members {cn=..,cn=..,...} > > >$results.properties.item("member") produced no list > >$results.properties.item("member;range=0-999") produced a list of 1000 members > > >Any ideas? > >Regards, > > >ColinH > > Maybe take a look at the following pages: > > Enumerating Groups That Contain Many Membershttp://msdn2.microsoft.com/en-us/library/ms676302.aspx > > Enumerating Members in a Large Grouphttp://msdn2.microsoft.com/en-us/library/ms180907.aspx > > Searching Using Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa367017.aspx > > Attribute Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa772308.aspx > > HTH > Chris I have also some more information and examples in PowerShell on my old blog here : http://mow001.blogspot.com/2006/04/l...-in-monad.html Greetings /\/\o\/\/ http://thePowerShellGuy.com

07-05-2007	#8 (permalink)
ColinH Guest	Re: Enumerating group membership & ADSI G'day, Thanks to you both for your quick response. I used range retrieval to return the results. I am using PowerShell to clean up a nasty four-way x-domain / x-forest migration. Looking forward to the next PS release. Regards, ColinH "to.mow@home.nl" wrote: > On 5 Jul, 10:01, Chris Warwick <n...@remove.this.bit.nuney.com> wrote: > > On Wed, 4 Jul 2007 19:40:00 -0700, ColinH > > > > <Col...@discussions.microsoft.com> wrote: > > >Neil, > > >Thanks for your reply however it didn't address the issue. When run the > > >property member = {} and instead the property member:range=0-999 contains the > > >first 1000 members {cn=..,cn=..,...} > > > > >$results.properties.item("member") produced no list > > >$results.properties.item("member;range=0-999") produced a list of 1000 members > > > > >Any ideas? > > >Regards, > > > > >ColinH > > > > Maybe take a look at the following pages: > > > > Enumerating Groups That Contain Many Membershttp://msdn2.microsoft.com/en-us/library/ms676302.aspx > > > > Enumerating Members in a Large Grouphttp://msdn2.microsoft.com/en-us/library/ms180907.aspx > > > > Searching Using Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa367017.aspx > > > > Attribute Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa772308.aspx > > > > HTH > > Chris > > I have also some more information and examples in PowerShell on my old > blog here : > > http://mow001.blogspot.com/2006/04/l...-in-monad.html > > Greetings /\/\o\/\/ > http://thePowerShellGuy.com > >

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Get group membership	David Arro	PowerShell	2	6 Days Ago 10:47 AM
Enumerating user's universal groups membership from ANOTHER DOMAIN	Claude Lachapelle	VB Script	2	07-10-2008 08:51 AM
Group Membership	Don D	Vista mail	0	09-15-2007 09:31 AM
ADSI and group membership - what am I doing wrong	Neil Chambers	PowerShell	5	07-14-2007 04:36 AM
Enumerating local group membership with Powershell	Janssen	PowerShell	4	07-05-2007 07:16 PM