Mark Minasi's Tech Forum
jsclmedave

Ran into this Friday afternoon.  I knew about the workarounds to get a CSV and a count, which is what MGT wanted, but now the questions I have are:

  1. Why in the world do we have so many users and not Groups with users in them?  There "may" be a reason but I would think THAT would be our first priority..?
  2. Is this a legacy 2008 R2 Forest / Domain Level issue that will be fixed by going full 2012 R2..?
  3. Is it worth it to change the Microsoft.ActiveDirectory.WebServices.exe.config file on every DC or focus on getting the AD Groups cleaned up or Both..?
  4. Is there now a Group Policy for this setting?
  5. AZURE - is it an issue there as well?

The group in question for us has approx 15,575 Objects in it and that is NOT including the Objects that would not be resolved, which raised its actual total to just over 16,500.



This is the command that was being tried – 
 
Get-ADGroupMember 'BIG DOG' | Select Name 

Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:1
+ Get-ADGroupMember 'BIG DOG' | Select Name
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (BIG DOG:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : The size limit for this request was exceeded,Microsoft.ActiveDirectory.Management.Comman
   ds.GetADGroupMember


To get a "quick" count I used this simple workaround

$Grp = Get-ADGroup "BIG DOG" -Properties Member
$Grp.Member.Count
16514



To get a list of names I used this which took quite a while to complete but it worked.


# Expand the member DNs and look each one up with Get-ADUser (one lookup per member, hence slow)
Get-ADGroup "RES_R1-CORE_EASLIV" -Properties Member |
    Select-Object -ExpandProperty Member |
    Get-ADUser | Select Name,SamAccountName,GivenName,SurName |
    Export-CSV C:\Temp\BIGDOG.csv -Notypeinformation




Which again goes back to the questions listed above.  Thoughts..?





__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

Infradeploy

Can you target a 2012 dc Tim?
__________________
Have SpaceSuit, Will Travel

jsclmedave

Quote:
Originally Posted by Infradeploy
Can you target a 2012 dc Tim?


I should be able to, which I will test today to see if I get the same issue, if anything for my sanity...



However, it was determined that YES this is not acceptable!  

So the good news is that this is one of the issues we are cleaning up, and now that I brought this AD Group to the correct team's attention, it is being addressed and will soon be fixed.


I am also recommending this book for casual reading for any other issues we find along the way.


Beyond Blame: Learning From Failure and Success
http://www.amazon.com/gp/product/B016CJ5HUA/ref=dp-kindle-redirect?ie=UTF8&btkr=1




wkasdo

I think you are hitting a soft-coded limit. Have a look at the parameter maxgroupormemberentries on this page:  https://technet.microsoft.com/en-us/library/dd391908(v=ws.10).aspx
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
jsclmedave

YEP!  First thing I brought up to them just in case there was another weird Local Company Policy that I had to work around.

MaxGroupOrMemberEntries (default: 5000)

Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to return more than 5000 results in your environment.


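Added example, not part of any post in this thread: one way to audit an oversized group without touching Microsoft.ActiveDirectory.WebServices.exe.config. It reads the member attribute as in the first post, then runs a single paged Get-ADObject search on memberOf (Get-ADObject is not one of the three cmdlets the quoted limit names) and reports which member DNs did not resolve. The function names and the CSV path parameter are hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside an LDAP filter value.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-LargeGroupMemberReport {
    param(
        [Parameter(Mandatory)][string]$GroupName,  # e.g. 'BIG DOG' from the thread
        [Parameter(Mandatory)][string]$CsvPath     # hypothetical output path
    )
    # Read the member attribute directly, as in the first post's count workaround.
    $group     = Get-ADGroup -Identity $GroupName -Properties member
    $memberDns = @($group.member)

    # One paged search for every object whose memberOf contains the group DN,
    # instead of one Get-ADUser lookup per member. Returns users, computers,
    # nested groups and any other object class in the queried domain.
    $filter   = '(memberOf={0})' -f (ConvertTo-LdapFilterValue $group.DistinguishedName)
    $resolved = @(Get-ADObject -LDAPFilter $filter -ResultPageSize 1000 `
                    -Properties sAMAccountName, givenName, sn, objectClass)

    # Member DNs that the search did not return.
    $found = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
    foreach ($o in $resolved) { [void]$found.Add($o.DistinguishedName) }
    $unresolved = @($memberDns | Where-Object { -not $found.Contains($_) })

    $resolved |
        Select-Object Name, sAMAccountName, givenName, sn, objectClass, DistinguishedName |
        Export-Csv -Path $CsvPath -NoTypeInformation

    # Summary for the access review: totals, breakdown by object class, leftovers.
    [pscustomobject]@{
        Group                = $group.DistinguishedName
        MemberAttributeCount = $memberDns.Count
        ResolvedCount        = $resolved.Count
        ByObjectClass        = $resolved | Group-Object objectClass -NoElement | Sort-Object Count -Descending
        Unresolved           = $unresolved
    }
}
```

Unresolved lists the member DNs the search did not return, for example members that live in a different domain from the one queried.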