Results 1 to 12 of 12

Thread: Listing members of Group with >1500 members

  1. #1
    Umesh Thakur Guest

    Listing members of Group with >1500 members

    I have couple of groups with more than 1500 (some group have 2000+). I need
    to get the list of members and be able to a Text file. I tried first using
    DSQuery to list the DNs og members, using following command:
    dsquery * -filter "&(objectClass=Group)(name=group_name)" -scope subtree
    -attr member

    I was only able to view first 1500 members only. I tried with other group
    names too, with same results.

    I then wrote a script to get this information, and that too, returned only
    1500 members!! I think there is something I am missing, and your help is
    needed to get that "something". Thanks in advance..

    Here is a copy of my script:

    '---------------------------------------------
    'On Error Resume Next
    Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
    dim fs, ts

    set fs = createObject("Scripting.fileSystemObject")
    set objArgs=wscript.Arguments
    strFile = objArgs(0) 'Text file containing list of group names, to get
    members of.

    set ts = fs.openTextFile(strFile)

    while not ts.atEndOfStream
    strGroup = trim(ts.readLine)
    Set objGroup = GetObject (getObjectDN("group","name",strGroup))

    arrMembers = objGroup.GetEx("member")

    strSam=""
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "Group " & strGroup & " has no members."
    Else
    WScript.Echo "Group: " & strGroup & " has following members: "
    For Each m in arrMembers
    set objGrp = getObject("LDAP://" & m)
    strSam = strSam & objGrp.samAccountName & "," & objGrp.displayName
    & vbNewLine
    Next
    wscript.echo strSam
    End If
    wend

    function getObjectDN(objType,strProp,strval)

    Const ADS_SCOPE_SUBTREE = 2

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    objCommand.Properties("Page Size") = 2000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    objCommand.CommandText = "SELECT * FROM 'LDAP://dc=test,dc=myDomain,dc=com'
    WHERE objectCategory='" & objType &

    "' and '" & strProp & "'='" & strVal & "'"
    Set objRecordSet = objCommand.Execute

    objRecordSet.MoveFirst
    getObjectDN=objRecordSet.Fields("adsPath").Value
    end function
    '------------------------------------------------------------

    --
    Umesh

    "Old programmers never die. They just terminate and stay resident."


  2. #2
    Richard Mueller [MVP] Guest

    Re: Listing members of Group with >1500 members

    You need to use ADO range limits to overcome this limitation. I have an
    VBScript program demonstrating this linked here:

    http://www.rlmueller.net/DocumentLargeGroup.htm

    The limit is 1000 in W2k networks, 1500 in w2k3.

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --

    >I have couple of groups with more than 1500 (some group have 2000+). I need
    > to get the list of members and be able to a Text file. I tried first using
    > DSQuery to list the DNs og members, using following command:
    > dsquery * -filter "&(objectClass=Group)(name=group_name)" -scope subtree
    > -attr member
    >
    > I was only able to view first 1500 members only. I tried with other group
    > names too, with same results.
    >
    > I then wrote a script to get this information, and that too, returned only
    > 1500 members!! I think there is something I am missing, and your help is
    > needed to get that "something". Thanks in advance..
    >
    > Here is a copy of my script:
    >
    > '---------------------------------------------
    > 'On Error Resume Next
    > Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
    > dim fs, ts
    >
    > set fs = createObject("Scripting.fileSystemObject")
    > set objArgs=wscript.Arguments
    > strFile = objArgs(0) 'Text file containing list of group names, to get
    > members of.
    >
    > set ts = fs.openTextFile(strFile)
    >
    > while not ts.atEndOfStream
    > strGroup = trim(ts.readLine)
    > Set objGroup = GetObject (getObjectDN("group","name",strGroup))
    >
    > arrMembers = objGroup.GetEx("member")
    >
    > strSam=""
    > If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    > WScript.Echo "Group " & strGroup & " has no members."
    > Else
    > WScript.Echo "Group: " & strGroup & " has following members: "
    > For Each m in arrMembers
    > set objGrp = getObject("LDAP://" & m)
    > strSam = strSam & objGrp.samAccountName & "," &
    > objGrp.displayName
    > & vbNewLine
    > Next
    > wscript.echo strSam
    > End If
    > wend
    >
    > function getObjectDN(objType,strProp,strval)
    >
    > Const ADS_SCOPE_SUBTREE = 2
    >
    > Set objConnection = CreateObject("ADODB.Connection")
    > Set objCommand = CreateObject("ADODB.Command")
    > objConnection.Provider = "ADsDSOObject"
    > objConnection.Open "Active Directory Provider"
    > Set objCommand.ActiveConnection = objConnection
    >
    > objCommand.Properties("Page Size") = 2000
    > objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    >
    > objCommand.CommandText = "SELECT * FROM
    > 'LDAP://dc=test,dc=myDomain,dc=com'
    > WHERE objectCategory='" & objType &
    >
    > "' and '" & strProp & "'='" & strVal & "'"
    > Set objRecordSet = objCommand.Execute
    >
    > objRecordSet.MoveFirst
    > getObjectDN=objRecordSet.Fields("adsPath").Value
    > end function
    > '------------------------------------------------------------
    >
    > --
    > Umesh
    >
    > "Old programmers never die. They just terminate and stay resident."
    >




  3. #3
    Richard Mueller [MVP] Guest

    Re: Listing members of Group with >1500 members

    Also, I just noticed you use:

    objCommand.Properties("Page Size") = 2000

    The maximum value is 1000. Actually, the number is not very important. What
    is important is that you turn paging on by assigning some number, say
    between 100 and 1000. Once paging is turned on, records are retrieved in
    pages, but the number is not the number of records, but something else. It
    is a matter of debate what number would be optimal, but the differences
    would probably be slight. A larger number could actually be less efficient.

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --



  4. #4
    Umesh Thakur Guest

    Re: Listing members of Group with >1500 members

    You're correct Richard. Page Size specifies how much rows will be fetched at
    a time, and used for retrieving n number of records at a time, typically used
    in client/server VB apps where navigation is needed.

    In my case, it is irrelevant, as I just want to retrieve all the records.
    but isn't there any option/way to retrieve ALL members of group? I am limited
    to 1500 members only.

    --
    Umesh

    "Old programmers never die. They just terminate and stay resident."



    "Richard Mueller [MVP]" wrote:

    > Also, I just noticed you use:
    >
    > objCommand.Properties("Page Size") = 2000
    >
    > The maximum value is 1000. Actually, the number is not very important. What
    > is important is that you turn paging on by assigning some number, say
    > between 100 and 1000. Once paging is turned on, records are retrieved in
    > pages, but the number is not the number of records, but something else. It
    > is a matter of debate what number would be optimal, but the differences
    > would probably be slight. A larger number could actually be less efficient.
    >
    > --
    > Richard Mueller
    > Microsoft MVP Scripting and ADSI
    > Hilltop Lab - http://www.rlmueller.net
    > --
    >
    >
    >


  5. #5
    Richard Mueller [MVP] Guest

    Re: Listing members of Group with >1500 members

    The only method I know is to use ADO range limits.

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --

    "Umesh Thakur" <UmeshThakur@discussions.microsoft.com> wrote in message
    news:D422B4DD-4404-4C7E-8D71-645DAC6520E0@microsoft.com...
    > You're correct Richard. Page Size specifies how much rows will be fetched
    > at
    > a time, and used for retrieving n number of records at a time, typically
    > used
    > in client/server VB apps where navigation is needed.
    >
    > In my case, it is irrelevant, as I just want to retrieve all the records.
    > but isn't there any option/way to retrieve ALL members of group? I am
    > limited
    > to 1500 members only.
    >
    > --
    > Umesh
    >
    > "Old programmers never die. They just terminate and stay resident."
    >
    >
    >
    > "Richard Mueller [MVP]" wrote:
    >
    >> Also, I just noticed you use:
    >>
    >> objCommand.Properties("Page Size") = 2000
    >>
    >> The maximum value is 1000. Actually, the number is not very important.
    >> What
    >> is important is that you turn paging on by assigning some number, say
    >> between 100 and 1000. Once paging is turned on, records are retrieved in
    >> pages, but the number is not the number of records, but something else.
    >> It
    >> is a matter of debate what number would be optimal, but the differences
    >> would probably be slight. A larger number could actually be less
    >> efficient.
    >>
    >> --
    >> Richard Mueller
    >> Microsoft MVP Scripting and ADSI
    >> Hilltop Lab - http://www.rlmueller.net
    >> --
    >>
    >>
    >>




  6. #6
    Join Date
    Feb 2010
    Posts
    3

    Re: Listing members of Group with >1500 members

    Here's a link to sample code that may help

  7. #7
    Join Date
    Sep 2006
    Posts
    3

    Re: Listing members of Group with >1500 members

    Hi,

    I was looking for direct members of a group. I have group names in a text file in this format:

    CN=GroupName,OU=Local Access Groups,OU=Security,DC=Domain,DC=com

    I am using this code. But I have the same problem. I am getting no more than 1500 users for a group.
    ***********************************************************
    Const ForReading = 1
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile ("Groups.txt", ForReading)

    Do Until objTextFile.AtEndOfStream
    strNextLine = objTextFile.Readline
    arrServiceList = Split(strNextLine , "|")
    'Wscript.Echo "Server name: " & arrServiceList(0)
    For i = 1 to Ubound(arrServiceList)
    'Wscript.Echo "Service: " & arrServiceList(i)


    On error resume Next

    Set objGroup = GetObject ("LDAP://" & arrServiceList(0))

    objGroup.GetInfo

    arrMemberOf = objGroup.GetEx("member")

    'WScript.Echo "Members:"
    For Each strMember in arrMemberOf
    strOU1 = Split(arrServiceList(0), "=")
    strOU = strOU1(1)
    strGroupName1 = Split(strOU, ",")
    strGroupName = strGroupName1(0)

    strMbr1 = Split(strMember, "=")
    strMbr2 = strMbr1(1)
    strMbr3 = Split(strMbr2, ",")
    strMbr4 = strMbr3(0)
    strMbr5 = Replace(strMbr4,"\#","#")


    WScript.echo strGroupName & "|" & strMbr5
    Next


    Next
    Loop
    ********************************************************

    Thanks.

  8. #8
    Join Date
    Dec 2007
    Posts
    2,297

    Re: Listing members of Group with >1500 members

    anoopam9,

    Can you use the below code to enumerate/list members in a large group (over 1500 members)

    Code:
    using System;
    using System.Collections;
    using System.Collections.Generic;
    using System.Text;
    using System.DirectoryServices;
    using ActiveDs;
    
    namespace DirectoryServices
    {
        static class ADGroup
        {
            const string GROUP_PATH = "LDAP://PATHTOGROUPGOESHERE";
            const string MEMBER_PATH = "LDAP://PATHTOUSERGOESHERE";
            const string MEMBER_DISTINGUISHED_NAME = "USERDISTINGUISHEDNAMEGOESHERE";
    
            public static void ListMembers()
            {
                using (DirectoryEntry DE = new DirectoryEntry(GROUP_PATH))
                {
                    IADsMembers groupMembers = (IADsMembers) DE.Invoke("members", null);
                    int ctr = 0;
                    foreach (object groupMember in groupMembers)
                    {
                        IADs user = (IADs)groupMember;
    
                        ctr = ctr + 1;
                        Console.WriteLine(ctr + " - " + user.Name);
                    }
                }
            }
        }
    }

  9. #9
    Join Date
    Sep 2006
    Posts
    3

    Re: Listing members of Group with >1500 members

    Thanks Einstein.. I have one more question here

    I only have the DistinguishedName like this:

    CN=GroupName,OU=Local Access Groups,OU=Security,DC=Domain,DC=com

    How can I get the
    • Group_Path,
    • Member_Path,
    • Member_Distinguished_Name


    Thanks.

  10. #10
    Join Date
    Dec 2007
    Posts
    2,297

    Re: Listing members of Group with >1500 members

    Quote Originally Posted by anoopam9 View Post
    Thanks Einstein.. I have one more question here

    I only have the DistinguishedName like this:

    CN=GroupName,OU=Local Access Groups,OU=Security,DC=Domain,DC=com

    How can I get the
    • Group_Path,
    • Member_Path,
    • Member_Distinguished_Name
    Did you mean the below:

    Command to find the LDAP path for OU
    Dsquery OU –name "OU Name"

    Command to find the LDAP path for group
    DSquery group –samid "Group Name"

    Command to find the LDAP path for user object
    Dsquery OU –name "User Name"

    Command to find the LDAP path for computer object
    DSquery Computer –name "Computer Name"

    Command to find the LDAP path for subnet object
    dsquery subnet -name "Subnet"

    Command to find the LDAP path for the Site
    dsquery site -name "Site Name"

  11. #11
    Join Date
    Sep 2006
    Posts
    3

    Re: Listing members of Group with >1500 members

    What I am trying to do here is
    The first program gets the LDAP path of all the Groups of the domain in a text file in this format

    CN=GroupName1,OU=Local Access Groups,OU=Security,DC=Domain,DC=com
    CN=GroupName2,OU=Local Access Groups,OU=Security,DC=Domain,DC=com

    and then the next program reads the text file to get the direct members of all the groups in one single file. There are like 100's of groups.

    For some of the groups where number of members are greater than 1500, the program is fetching only 1500 members and ignoring rest of them.

    I am trying to understand here how I can implement it using your program.

  12. #12
    Join Date
    Feb 2010
    Posts
    3

    Re: Listing members of Group with >1500 members

    Microsoft has implemented a non-standard way of retrieiving members of groups. In Windows 2000 you could get at most 1,000 members. In windows 2003 and later, you can get up to 1,500 in each call. The strategy is to look for a specially formed attribute, member;range=x-y, where x and y are the low and high value to be returned where the difference between is 1,500 or less.

    The link below provides a sample of how to implement using Visual Basic .Net. You can try converting to VBScript but with the free Visual Studio .Net Express versions, why bother? If you really must script, then I'd recommend creating a PowerShell version.

    The article contains links to Microsoft documentation covering the same topic.

Similar Threads

  1. Add members to a group using LDIF file
    By Coyoth in forum Active Directory
    Replies: 4
    Last Post: 08-08-2012, 10:38 PM
  2. Display members of a group with more than 1500 members
    By Simon G in forum Windows Server Help
    Replies: 5
    Last Post: 25-10-2011, 12:35 PM
  3. Using DSQUERY to get the members of a Group in AD
    By sevaanan in forum Active Directory
    Replies: 5
    Last Post: 11-11-2009, 12:53 PM
  4. Dsget group members SID
    By Jeremy Smith in forum Active Directory
    Replies: 3
    Last Post: 22-11-2008, 05:32 AM
  5. Export Group Members
    By seankil in forum Windows Server Help
    Replies: 4
    Last Post: 09-04-2008, 09:05 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •