Getting ActiveDirectory group members using powershell

To get members of a certain group there is a cmd-let called Get-ADGroupMembers. But if a group is large enough (more than 5000 objects) latter command could fail with “”.

To workaround this issue I followed up with:

Get-ADGroup $GroupName -server <server> -Properties Member | Select-Object -ExpandProperty Member | Get-ADObject -Properties <property list> -server <server>

But if a group is large enough (again argh!) command fails with TimeOutException.

Happily I’ve found a script and modified it a little (http://adadmin.blogspot.com/2009/12/get-group-members-of-large-groups-via.html):

function GetGroupMembers([string]$groupName)
{
#get the group
$group = [adsi]("LDAP://$groupName")

#set the inital from value
$from = 0

#escape trigger when the $ds.findall() errors
$all = $false

#array for the members of the group
$members = @()


while (! $all) {
#catch an error and set all to $true to escape
trap{$script:all = $True;continue}

#top end of the range so initally 0-999. a Range of 1000 is used to make sure it works on all versions of AD
$to = $from + 999

#Query the group object for members using "member;range=$from-$to" to just return the range of objects for this pass.
#This will generate an error with an invalid range
$DS = New-Object DirectoryServices.DirectorySearcher($Group,"(objectClass=*)","member;range=$from-$to",'Base')

$allResult = $ds.findOne()
#as the variable name for the group name is not member, but member;range=0-999 etc, the $_.PropertyNames -like 'member;*' catches all instances
$members += $allResult.properties | foreach {$_.item($_.PropertyNames -like 'member;*')}
$all = $allResult.properties["member;range=$from-*"].Count -gt 0

Write-Host "Range" $from "-" $members.Count
#set up the next search range
$from += 1000
}
$members
}