Find large AD groups

Here’s a quick script which I wrote yesterday for one of our professional services engineers. Basically they wanted to give a customer a report for large groups, i.e. groups with more than a certain number of user accounts, including the ones in nested groups.

This turned out to be very straightforward with QAD cmdlets.

The script is below:

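function Get-LargeADGroup {
param($limit = 75)

 # Check every group in the directory
 Get-QADGroup | Foreach-Object {
   # -Indirect includes users from nested groups;
   # -SizeLimit stops the query once $limit+1 members have come back
   $members = $_ |
           Get-QADGroupMember -Indirect -Type 'user' `
              -DontUseDefaultIncludedProperties `
              -SizeLimit ($limit+1) -WarningAction SilentlyContinue
   # A single member comes back as a scalar, so only arrays are counted
   if ( ($null -ne $members) -and
        ($members.gettype().Name -eq 'Object[]') -and
        ($members.Count -ge $limit)) {
     # Emit the group object itself
     $_
   }
 }
}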

#Usage
Get-LargeADGroup -limit 75 | Select Name, DN | Export-Csv c:\largegroups.csv

One trick worth pointing out is the use of -SizeLimit to not retrieve all members of the group – after all I just need to know if there are more than a certain number of them.

Hope this helps!🙂
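
The same early-stop idea, as an added example that is not part of the original post or the QAD cmdlets: it assumes the Microsoft ActiveDirectory (RSAT) module, and the names ConvertTo-LdapFilterValue and Get-LargeADGroupNative are hypothetical. Nested membership is resolved by the domain controller through the LDAP in-chain matching rule, and -ResultSetSize plays the role of -SizeLimit.

```powershell
# Added example: uses the ActiveDirectory module instead of the QAD cmdlets.
Import-Module ActiveDirectory

# Hypothetical helper: escape a value for use inside an LDAP filter (RFC 4515).
# DNs such as "CN=Smith\, John,..." contain backslashes that must become \5c.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # The backslash has to be replaced first, or later escapes get re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Hypothetical function name; same threshold test as the post's script.
function Get-LargeADGroupNative {
    param([int]$Limit = 75)

    Get-ADGroup -Filter * | ForEach-Object {
        $dn = ConvertTo-LdapFilterValue $_.DistinguishedName

        # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the DC walks
        # the nested groups, so this matches direct and indirect user members.
        # Caveat: membership held only through primaryGroupID (for example
        # Domain Users) is not stored in memberOf and is not counted here.
        $filter = '(&(objectCategory=person)(objectClass=user)' +
                  "(memberOf:1.2.840.113556.1.4.1941:=$dn))"

        # Ask for at most $Limit + 1 users; no need to enumerate the rest.
        $users = @(Get-ADUser -LDAPFilter $filter -ResultSetSize ($Limit + 1))

        if ($users.Count -ge $Limit) {
            $_   # emit the group object, as the original function does
        }
    }
}

# Usage: same report shape as the post, with the native property name.
Get-LargeADGroupNative -Limit 75 |
    Select-Object Name, DistinguishedName |
    Export-Csv C:\largegroups.csv -NoTypeInformation
```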

8 Responses to “Find large AD groups”


  1. 1 Chris Brinkley September 8, 2009 at 7:46 pm

    The -sizelimit trick is great, hadn’t thought of it. Thanks!

  2. 2 Rick September 10, 2009 at 8:11 pm

    While exporting to CSV you may want to cut down the Groups attributes by using the Select command. The default will give you a lot of things that you don’t like.

    Get-LargeADGroup -limit 75 | Select name,dn | Export-Csv c:\temp\largegroups.csv

  3. 4 Dmitry Sotnikov September 10, 2009 at 8:34 pm

    Indeed. Thanks for the great point Rick!




© 2007-2014 Dmitry Sotnikov
