Vista - Enumerating group membership & ADSI

Hi,

Can anyone tell me how to enumerate the members of an AD group using
Powershell?

It seems that the ADSI features are still quite limited so I'm wondering if
there is a quick way to do this.

Thanks in advance.

CrazyKiwi

The easiest way to do it is if you can use the Quest AD cmdlets and use
Get-QADGroupMember from here
http://www.quest.com/activeroles-server/arms.aspx

if you need to do it with code then

$group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org"
foreach ($member in $group.member)
{
$member
}
--
Richard Siddaway
Please note that all scripts are supplied "as is" and with no warranty
Blog: http://richardsiddaway.spaces.live.com/
PowerShell User Group: http://www.get-psuguk.org.uk


"CrazyKiwi" wrote:

> Hi,
>
> Can anyone tell me how to enumerate the members of an AD group using
> Powershell?
>
> It seems that the ADSI features are still quite limited so I'm wondering if
> there is a quick way to do this.
>
> Thanks in advance.
>
> CrazyKiwi

G'day,
Tried the suggested code however it only shows the first 1000 members. We
have some groups with much larger memberships. Any idea how to address this?

Thanks,

ColinH

"RichS" wrote:

> The easiest way to do it is if you can use the Quest AD cmdlets and use
> Get-QADGroupMember from here
> http://www.quest.com/activeroles-server/arms.aspx
>
> if you need to do it with code then
>
> $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org"
> foreach ($member in $group.member)
> {
> $member
> }
> --
> Richard Siddaway
> Please note that all scripts are supplied "as is" and with no warranty
> Blog: http://richardsiddaway.spaces.live.com/
> PowerShell User Group: http://www.get-psuguk.org.uk
>
>
> "CrazyKiwi" wrote:
>
> > Hi,
> >
> > Can anyone tell me how to enumerate the members of an AD group using
> > Powershell?
> >
> > It seems that the ADSI features are still quite limited so I'm wondering if
> > there is a quick way to do this.
> >
> > Thanks in advance.
> >
> > CrazyKiwi

There may be other ways (using third party CmdLets) but the way I know
should work although does require another few lines of code

$group = [adsi]"LDAP://<yourDN>"
$groupSearcher = New-Object DirectoryServices.DirectorySearcher($group)
$groupSearcher.PageSize = 1000
$results = $groupSearcher.FindOne()
$results.properties.item("member")
<list of all members>

The issue is with the page size set on the Domain Controllers. It's
quite common to set it to 1000 to improve general query performance.
When that happens we have to adjust our code to be pagesize aware.

Hope that helps

n

On 2007-07-04 07:44:00 +0100, ColinH <ColinH@discussions.microsoft.com> said:

> G'day,
> Tried the suggested code however it only shows the first 1000 members.
> We have some groups with much larger memberships. Any idea how to
> address this?
>
> Thanks,
>
> ColinH
>
> "RichS" wrote:
>
>> The easiest way to do it is if you can use the Quest AD cmdlets and use
>> Get-QADGroupMember from here
>> http://www.quest.com/activeroles-server/arms.aspx
>>
>> if you need to do it with code then
>> $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org"
>> foreach ($member in $group.member)
>> {
>> $member
>> }
>> --
>> Richard Siddaway
>> Please note that all scripts are supplied "as is" and with no warranty
>> Blog: http://richardsiddaway.spaces.live.com/
>> PowerShell User Group: http://www.get-psuguk.org.uk
>>
>>
>> "CrazyKiwi" wrote:
>>
>>> Hi,
>>>
>>> Can anyone tell me how to enumerate the members of an AD group using
>>> Powershell?
>>>
>>> It seems that the ADSI features are still quite limited so I'm
>>> wondering if there is a quick way to do this.
>>>
>>> Thanks in advance.
>>>
>>> CrazyKiwi

Neil,
Thanks for your reply however it didn't address the issue. When run the
property member = {} and instead the property member:range=0-999 contains the
first 1000 members {cn=..,cn=..,...}

$results.properties.item("member") produced no list
$results.properties.item("member;range=0-999") produced a list of 1000 members

Any ideas?
Regards,

ColinH

"Neil Chambers" wrote:

> There may be other ways (using third party CmdLets) but the way I know
> should work although does require another few lines of code
>
> $group = [adsi]"LDAP://<yourDN>"
> $groupSearcher = New-Object DirectoryServices.DirectorySearcher($group)
> $groupSearcher.PageSize = 1000
> $results = $groupSearcher.FindOne()
> $results.properties.item("member")
> <list of all members>
>
> The issue is with the page size set on the Domain Controllers. It's
> quite common to set it to 1000 to improve general query performance.
> When that happens we have to adjust our code to be pagesize aware.
>
> Hope that helps
>
> n
>
> On 2007-07-04 07:44:00 +0100, ColinH <ColinH@discussions.microsoft.com> said:
>
> > G'day,
> > Tried the suggested code however it only shows the first 1000 members.
> > We have some groups with much larger memberships. Any idea how to
> > address this?
> >
> > Thanks,
> >
> > ColinH
> >
> > "RichS" wrote:
> >
> >> The easiest way to do it is if you can use the Quest AD cmdlets and use
> >> Get-QADGroupMember from here
> >> http://www.quest.com/activeroles-server/arms.aspx
> >>
> >> if you need to do it with code then
> >> $group = [ADSI] "LDAP://cn=Accounts,ou=AllGroups,dc=starking,dc=org"
> >> foreach ($member in $group.member)
> >> {
> >> $member
> >> }
> >> --
> >> Richard Siddaway
> >> Please note that all scripts are supplied "as is" and with no warranty
> >> Blog: http://richardsiddaway.spaces.live.com/
> >> PowerShell User Group: http://www.get-psuguk.org.uk
> >>
> >>
> >> "CrazyKiwi" wrote:
> >>
> >>> Hi,
> >>>
> >>> Can anyone tell me how to enumerate the members of an AD group using
> >>> Powershell?
> >>>
> >>> It seems that the ADSI features are still quite limited so I'm
> >>> wondering if there is a quick way to do this.
> >>>
> >>> Thanks in advance.
> >>>
> >>> CrazyKiwi
>
>
>

On Wed, 4 Jul 2007 19:40:00 -0700, ColinH
<ColinH@discussions.microsoft.com> wrote:

>Neil,
>Thanks for your reply however it didn't address the issue. When run the
>property member = {} and instead the property member:range=0-999 contains the
>first 1000 members {cn=..,cn=..,...}
>
>$results.properties.item("member") produced no list
>$results.properties.item("member;range=0-999") produced a list of 1000 members
>
>Any ideas?
>Regards,
>
>ColinH
>

Maybe take a look at the following pages:

Enumerating Groups That Contain Many Members
http://msdn2.microsoft.com/en-us/library/ms676302.aspx

Enumerating Members in a Large Group
http://msdn2.microsoft.com/en-us/library/ms180907.aspx

Searching Using Range Retrieval
http://msdn2.microsoft.com/en-us/library/aa367017.aspx

Attribute Range Retrieval
http://msdn2.microsoft.com/en-us/library/aa772308.aspx

HTH
Chris

On 5 Jul, 10:01, Chris Warwick <n...@remove.this.bit.nuney.com> wrote:
> On Wed, 4 Jul 2007 19:40:00 -0700, ColinH
>
> <Col...@discussions.microsoft.com> wrote:
> >Neil,
> >Thanks for your reply however it didn't address the issue. When run the
> >property member = {} and instead the property member:range=0-999 contains the
> >first 1000 members {cn=..,cn=..,...}
>
> >$results.properties.item("member") produced no list
> >$results.properties.item("member;range=0-999") produced a list of 1000 members
>
> >Any ideas?
> >Regards,
>
> >ColinH
>
> Maybe take a look at the following pages:
>
> Enumerating Groups That Contain Many Membershttp://msdn2.microsoft.com/en-us/library/ms676302.aspx
>
> Enumerating Members in a Large Grouphttp://msdn2.microsoft.com/en-us/library/ms180907.aspx
>
> Searching Using Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa367017.aspx
>
> Attribute Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa772308.aspx
>
> HTH
> Chris

I have also some more information and examples in PowerShell on my old
blog here :

http://mow001.blogspot.com/2006/04/l...-in-monad.html

Greetings /\/\o\/\/
http://thePowerShellGuy.com

G'day,

Thanks to you both for your quick response. I used range retrieval to
return the results. I am using PowerShell to clean up a nasty four-way
x-domain / x-forest migration. Looking forward to the next PS release.

Regards,

ColinH

"to.mow@home.nl" wrote:

> On 5 Jul, 10:01, Chris Warwick <n...@remove.this.bit.nuney.com> wrote:
> > On Wed, 4 Jul 2007 19:40:00 -0700, ColinH
> >
> > <Col...@discussions.microsoft.com> wrote:
> > >Neil,
> > >Thanks for your reply however it didn't address the issue. When run the
> > >property member = {} and instead the property member:range=0-999 contains the
> > >first 1000 members {cn=..,cn=..,...}
> >
> > >$results.properties.item("member") produced no list
> > >$results.properties.item("member;range=0-999") produced a list of 1000 members
> >
> > >Any ideas?
> > >Regards,
> >
> > >ColinH
> >
> > Maybe take a look at the following pages:
> >
> > Enumerating Groups That Contain Many Membershttp://msdn2.microsoft.com/en-us/library/ms676302.aspx
> >
> > Enumerating Members in a Large Grouphttp://msdn2.microsoft.com/en-us/library/ms180907.aspx
> >
> > Searching Using Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa367017.aspx
> >
> > Attribute Range Retrievalhttp://msdn2.microsoft.com/en-us/library/aa772308.aspx
> >
> > HTH
> > Chris
>
> I have also some more information and examples in PowerShell on my old
> blog here :
>
> http://mow001.blogspot.com/2006/04/l...-in-monad.html
>
> Greetings /\/\o\/\/
> http://thePowerShellGuy.com
>
>