Large Kerberos tokens (caused by too many groups listed in them) can be an issue in some environments (I’ve just had a similar trouble myself in an ADFS deployment). Luckily PowerShell is here to help. This quick script will list all users who are members of more than 75 groups:
$limit = 75
Get-QADUser -SizeLimit 0 -DontUseDefaultIncludedProperties | ForEach-Object {
    $groups = Get-QADGroup -ContainsIndirectMember $_.DN -SizeLimit $limit `
        -DontUseDefaultIncludedProperties -WarningAction SilentlyContinue
    # @() forces an array so .Count also works when only one group comes back (PowerShell 2.0 has no .Count on a single object)
    if (@($groups).Count -ge $limit) { $_ }
}
Here’s a quick overview of what the script is doing:
- I assign the limit (75) to a variable. This is just for my convenience of reuse. E.g. I could turn this line into param($limit = 75) and save this as a parameterized script or turn it into a function.
- I use Get-QADUser to retrieve all (-SizeLimit 0) user accounts from my current domain and I make sure to not retrieve any attributes along the way, so I save memory and improve performance (-DontUseDefaultIncludedProperties).
- For each user in my domain, I retrieve the first 75 (-SizeLimit $limit) groups to which the user belongs directly or through nesting (-ContainsIndirectMember $_.DN). There's obviously no need to retrieve all groups; we just need to know if the user reached the limit. Again, we do not need any attributes (-DontUseDefaultIncludedProperties). I also tell PowerShell to not warn me if there are more groups than the size limit I specified (-WarningAction SilentlyContinue).
- Finally, if indeed we reached the limit, I output that user object.
You can obviously then just see the list on the screen or output it to a CSV or HTML report.
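As an added example (my own code, not from the post or the QAD cmdlets), here is the function-with-parameter variant the post suggests, written against the built-in .NET DirectoryServices classes so it needs no extra module. Instead of a per-user group search it reads the tokenGroups constructed attribute: the domain controller expands nested security-group membership server-side and returns one SID per group, which is the set that actually lands in the Kerberos PAC (distribution groups are not counted). The function and parameter names are my own assumptions.

```powershell
function Get-UserWithLargeToken {
    # Assumed parameters: $Limit is the security-group threshold, $SearchBase the OU to scan.
    param(
        [int]$Limit = 75,
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    # One paged LDAP query for enabled user objects; only the two attributes we need are
    # requested, so no unneeded data comes across the wire.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")

    foreach ($result in $searcher.FindAll()) {
        # tokenGroups is constructed by the DC and only readable with a base-scope read,
        # hence RefreshCache on the entry itself rather than a PropertiesToLoad entry above.
        $entry = $result.GetDirectoryEntry()
        $entry.RefreshCache(@("tokenGroups"))
        $count = $entry.Properties["tokenGroups"].Count

        if ($count -ge $Limit) {
            New-Object PSObject -Property @{
                SamAccountName     = [string]$result.Properties["samaccountname"][0]
                DistinguishedName  = [string]$result.Properties["distinguishedname"][0]
                SecurityGroupCount = $count
            }
        }
    }
}

# Usage: report users at or above the threshold, largest token first, and keep it as CSV.
Get-UserWithLargeToken -Limit 75 |
    Sort-Object SecurityGroupCount -Descending |
    Export-Csv -Path .\large-token-users.csv -NoTypeInformation
```

SID history entries also add to the token, so on a domain that has migrated accounts a user just under the threshold here can still produce an oversized ticket.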
Tags: AD, AD cmdlets, Active Directory, Examples, PowerShell, cmdlets, one-liner, oneliner
Hi Dmitry,
This is exactly what I am looking for; however, I am totally new to PowerShell.
I set the execution policy to RemoteSigned.
I copied your script to Notepad and renamed it to usersgroups.ps1.
I also downloaded the ActiveRoles Management Shell (free PowerShell commands).
Then I run this script as .\usersgroups.ps1 after going to the directory where the script is.
But nothing happens.
Please suggest how to run this script.
Really appreciate your help.
Thanks
Hari
Hard to tell.
How long did you wait?
Do you get a list of users in your AD if you just execute: Get-QADUser?
What happens if you set the limit to something lower – e.g. 1 instead of 75?
If I just run Get-QADUser, yes, I get the entire list.
When I try to execute the script again: no matter how many times I try this command, PowerShell will simply display the exact same string value I typed in.
Yes, I also tried changing the limit to 1 but no luck.
So basically it's not executing.
Thanks for the prompt response.
I think I know the answer. To execute a script in PowerShell you have to use script invocation command and not just the script path:
& .\myscript.ps1
Yes, I went through the TechNet article on how to execute the script,
and I am running the command & .\usersgroups.ps1.
No luck at all.
Still doing the same thing.
What if you just copy/paste the code into the PowerShell prompt window and press Enter? What happens?
Nothing, it's a long script and PowerShell accepts only one-line commands.
No luck.
Now I am getting an error while executing the script:
[PS] C:\Documents and Settings\E137706\Desktop>.\group.ps1
Get-QADGroup : A parameter cannot be found that matches parameter name ‘WarningAction’.
At C:\Documents and Settings\E137706\Desktop\group.ps1:5 char:55
+ -DontUseDefaultIncludedProperties -WarningAction <<<< SilentlyContinue
This is weird. Are you on the latest version of QAD cmdlets? (Check the version on the web site and in your control panel / add/remove programs.)
If so, can you try to debug step-by-step in PowerGUI Script Editor?
If still having trouble – try posting the details to the forums at http://PowerGUI.org
Hey Dmitry,
I finally am able to run the script and it's giving the desired result. (The problem was I was running it on an XP machine; later I tried it on a 2008 server.)
However, the one thing I am concerned about is that when you run the script the CPU goes up to 100% when I specify the number as 10; if I specify the number as 100 or 200 or 300, the CPU goes really high (stays on 100%) and it takes a huge amount of time to list the users (I am running this script on a lab domain).
Any suggestions?
Thanks
Hari
PowerShell is quite resource-hungry. 😦 Make sure you have PowerShell 2.0 RTM version – previous versions including 1.0 were much worse. If you are on 2.0, I guess you should just work on the OS level and simply set the powershell.exe process priority to Below Normal…