Find users in too many groups

Large Kerberos tokens (caused by too many group SIDs listed in them) can be an issue in some environments (I’ve just had similar trouble myself in an ADFS deployment). Luckily PowerShell is here to help. This quick script will list all users who are members of 75 or more groups:

$limit = 75
Get-QADUser -SizeLimit 0 -DontUseDefaultIncludedProperties |
  ForEach-Object {
    # Ask for at most $limit groups: we only need to know whether the user reached the limit
    $groups = Get-QADGroup -ContainsIndirectMember $_.DN -SizeLimit $limit `
      -DontUseDefaultIncludedProperties -WarningAction SilentlyContinue
    # @() makes .Count reliable when zero or exactly one group comes back
    if (@($groups).Count -ge $limit) { $_ }
  }

Here’s a quick overview of what the script is doing:

  1. I assign the limit (75) to a variable. This is just for my convenience of reuse. E.g. I could turn this line into param($limit = 75) – and save this as a parameterized script or turn it into a function.
  2. I use Get-QADUser to retrieve all (-SizeLimit 0 means no limit) user accounts from my current domain and I make sure not to retrieve any attributes along with them, which saves memory and improves performance (-DontUseDefaultIncludedProperties).
  3. For each user in my domain, I retrieve the first 75 (-SizeLimit $limit) groups to which the user belongs directly or through nesting (-ContainsIndirectMember $_.DN). There’s obviously no need to retrieve all groups – we just need to know if the user reached the limit. Again, we do not need any attributes (-DontUseDefaultIncludedProperties). I also tell PowerShell to not warn me if there are more groups than the size limit I specified (-WarningAction SilentlyContinue).
  4. Finally, if indeed we reached the limit, I output that user object.

You can then simply view the list on the screen, or pipe the user objects to Export-Csv or ConvertTo-Html for a report.
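As an added example (not from the original post), here is the same check written against the directory’s constructed tokenGroups attribute using the .NET System.DirectoryServices classes, so it needs neither the Quest cmdlets nor the RSAT module. tokenGroups is the domain controller’s own transitive expansion of the user’s security group membership, which is close to the SID list that ends up in the Kerberos PAC, so one base-scope read per user replaces one group search per user. The script assumes it runs on a domain-joined machine with read access to the directory; the helper name Get-TokenGroupCount and the combined SID-history weighting are choices made here, not part of the original script.

```powershell
# Added example: users whose transitive security-group membership (plus SID history)
# reaches $Limit. Requires a domain-joined machine; uses System.DirectoryServices only.
param([int]$Limit = 75)

function Get-TokenGroupCount {
    param([Parameter(Mandatory)][System.DirectoryServices.DirectoryEntry]$Entry)
    # tokenGroups is a constructed attribute the DC computes on a base-scope read,
    # so it is not returned by the subtree search below; RefreshCache fetches it
    # for this single object. sIDHistory is fetched at the same time because each
    # SID-history entry is also carried in the token.
    $Entry.RefreshCache(@('tokenGroups', 'sIDHistory'))
    [pscustomobject]@{
        DistinguishedName = $Entry.Properties['distinguishedName'].Value
        GroupSids         = $Entry.Properties['tokenGroups'].Count
        SidHistory        = $Entry.Properties['sIDHistory'].Count
    }
}

# Enumerate all user accounts in the current domain with a paged search,
# loading only the DN (the same idea as -DontUseDefaultIncludedProperties).
$defaultNC = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$searcher  = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNC")
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$searcher.FindAll() |
    # GetDirectoryEntry() avoids building an LDAP path by hand, so DNs with
    # characters such as '/' need no extra escaping.
    ForEach-Object { Get-TokenGroupCount -Entry $_.GetDirectoryEntry() } |
    Where-Object { ($_.GroupSids + $_.SidHistory) -ge $Limit } |
    Sort-Object GroupSids -Descending
```

Save it as a .ps1 and run it with an optional -Limit value; the objects it emits go to Export-Csv or ConvertTo-Html like the original script’s output. Two caveats: distribution groups do not appear in tokenGroups (they are not security-enabled and do not inflate the token), so counts from this script can be lower than from the Get-QADGroup version; and a raw SID count is still only a proxy for token size, since Microsoft KB 327825 weights domain-local groups and SID-history entries at 40 bytes each against 8 bytes for global groups on top of a fixed 1200-byte base. If a count looks borderline, compute that estimate rather than relying on the group count alone.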

Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer Quest Software or anyone else for that matter. All trademarks acknowledged.

© 2007 Dmitry Sotnikov
October 2009