Listing members of Group with >1500 members

I have couple of groups with more than 1500 (some group have 2000+). I need
to get the list of members and be able to a Text file. I tried first using
DSQuery to list the DNs og members, using following command:
dsquery * -filter "&(objectClass=Group)(name=group_name)" -scope subtree
-attr member

I was only able to view first 1500 members only. I tried with other group
names too, with same results.

I then wrote a script to get this information, and that too, returned only
1500 members!! I think there is something I am missing, and your help is
needed to get that "something". Thanks in advance..

Here is a copy of my script:

'---------------------------------------------
'On Error Resume Next
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
dim fs, ts

set fs = createObject("Scripting.fileSystemObject")
set objArgs=wscript.Arguments
strFile = objArgs(0) 'Text file containing list of group names, to get
members of.

set ts = fs.openTextFile(strFile)

while not ts.atEndOfStream
strGroup = trim(ts.readLine)
Set objGroup = GetObject (getObjectDN("group","name",strGroup))

arrMembers = objGroup.GetEx("member")

strSam=""
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
WScript.Echo "Group " & strGroup & " has no members."
Else
WScript.Echo "Group: " & strGroup & " has following members: "
For Each m in arrMembers
set objGrp = getObject("LDAP://" & m)
strSam = strSam & objGrp.samAccountName & "," & objGrp.displayName
& vbNewLine
Next
wscript.echo strSam
End If
wend

function getObjectDN(objType,strProp,strval)

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 2000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = "SELECT * FROM 'LDAP://dc=test,dc=myDomain,dc=com'
WHERE objectCategory='" & objType &

"' and '" & strProp & "'='" & strVal & "'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
getObjectDN=objRecordSet.Fields("adsPath").Value
end function
'------------------------------------------------------------

--
Umesh

"Old programmers never die. They just terminate and stay resident."

You need to use ADO range limits to overcome this limitation. I have an
VBScript program demonstrating this linked here:

http://www.rlmueller.net/DocumentLargeGroup.htm

The limit is 1000 in W2k networks, 1500 in w2k3.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

>I have couple of groups with more than 1500 (some group have 2000+). I need
> to get the list of members and be able to a Text file. I tried first using
> DSQuery to list the DNs og members, using following command:
> dsquery * -filter "&(objectClass=Group)(name=group_name)" -scope subtree
> -attr member
>
> I was only able to view first 1500 members only. I tried with other group
> names too, with same results.
>
> I then wrote a script to get this information, and that too, returned only
> 1500 members!! I think there is something I am missing, and your help is
> needed to get that "something". Thanks in advance..
>
> Here is a copy of my script:
>
> '---------------------------------------------
> 'On Error Resume Next
> Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
> dim fs, ts
>
> set fs = createObject("Scripting.fileSystemObject")
> set objArgs=wscript.Arguments
> strFile = objArgs(0) 'Text file containing list of group names, to get
> members of.
>
> set ts = fs.openTextFile(strFile)
>
> while not ts.atEndOfStream
> strGroup = trim(ts.readLine)
> Set objGroup = GetObject (getObjectDN("group","name",strGroup))
>
> arrMembers = objGroup.GetEx("member")
>
> strSam=""
> If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
> WScript.Echo "Group " & strGroup & " has no members."
> Else
> WScript.Echo "Group: " & strGroup & " has following members: "
> For Each m in arrMembers
> set objGrp = getObject("LDAP://" & m)
> strSam = strSam & objGrp.samAccountName & "," &
> objGrp.displayName
> & vbNewLine
> Next
> wscript.echo strSam
> End If
> wend
>
> function getObjectDN(objType,strProp,strval)
>
> Const ADS_SCOPE_SUBTREE = 2
>
> Set objConnection = CreateObject("ADODB.Connection")
> Set objCommand = CreateObject("ADODB.Command")
> objConnection.Provider = "ADsDSOObject"
> objConnection.Open "Active Directory Provider"
> Set objCommand.ActiveConnection = objConnection
>
> objCommand.Properties("Page Size") = 2000
> objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
>
> objCommand.CommandText = "SELECT * FROM
> 'LDAP://dc=test,dc=myDomain,dc=com'
> WHERE objectCategory='" & objType &
>
> "' and '" & strProp & "'='" & strVal & "'"
> Set objRecordSet = objCommand.Execute
>
> objRecordSet.MoveFirst
> getObjectDN=objRecordSet.Fields("adsPath").Value
> end function
> '------------------------------------------------------------
>
> --
> Umesh
>
> "Old programmers never die. They just terminate and stay resident."
>

Also, I just noticed you use:

objCommand.Properties("Page Size") = 2000

The maximum value is 1000. Actually, the number is not very important. What
is important is that you turn paging on by assigning some number, say
between 100 and 1000. Once paging is turned on, records are retrieved in
pages, but the number is not the number of records, but something else. It
is a matter of debate what number would be optimal, but the differences
would probably be slight. A larger number could actually be less efficient.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

You're correct Richard. Page Size specifies how much rows will be fetched at
a time, and used for retrieving n number of records at a time, typically used
in client/server VB apps where navigation is needed.

In my case, it is irrelevant, as I just want to retrieve all the records.
but isn't there any option/way to retrieve ALL members of group? I am limited
to 1500 members only.

--
Umesh

"Old programmers never die. They just terminate and stay resident."



"Richard Mueller [MVP]" wrote:

> Also, I just noticed you use:
>
> objCommand.Properties("Page Size") = 2000
>
> The maximum value is 1000. Actually, the number is not very important. What
> is important is that you turn paging on by assigning some number, say
> between 100 and 1000. Once paging is turned on, records are retrieved in
> pages, but the number is not the number of records, but something else. It
> is a matter of debate what number would be optimal, but the differences
> would probably be slight. A larger number could actually be less efficient.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
>

The only method I know is to use ADO range limits.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Umesh Thakur" <UmeshThakur@discussions.microsoft.com> wrote in message
news:D422B4DD-4404-4C7E-8D71-645DAC6520E0@microsoft.com...
> You're correct Richard. Page Size specifies how much rows will be fetched
> at
> a time, and used for retrieving n number of records at a time, typically
> used
> in client/server VB apps where navigation is needed.
>
> In my case, it is irrelevant, as I just want to retrieve all the records.
> but isn't there any option/way to retrieve ALL members of group? I am
> limited
> to 1500 members only.
>
> --
> Umesh
>
> "Old programmers never die. They just terminate and stay resident."
>
>
>
> "Richard Mueller [MVP]" wrote:
>
>> Also, I just noticed you use:
>>
>> objCommand.Properties("Page Size") = 2000
>>
>> The maximum value is 1000. Actually, the number is not very important.
>> What
>> is important is that you turn paging on by assigning some number, say
>> between 100 and 1000. Once paging is turned on, records are retrieved in
>> pages, but the number is not the number of records, but something else.
>> It
>> is a matter of debate what number would be optimal, but the differences
>> would probably be slight. A larger number could actually be less
>> efficient.
>>
>> --
>> Richard Mueller
>> Microsoft MVP Scripting and ADSI
>> Hilltop Lab - http://www.rlmueller.net
>> --
>>
>>
>>

Here's a link to sample code that may help

Hi,

I was looking for direct members of a group. I have group names in a text file in this format:

CN=GroupName,OU=Local Access Groups,OU=Security,DC=Domain,DC=com

I am using this code. But I have the same problem. I am getting no more than 1500 users for a group.
***********************************************************
Const ForReading = 1
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile ("Groups.txt", ForReading)

Do Until objTextFile.AtEndOfStream
strNextLine = objTextFile.Readline
arrServiceList = Split(strNextLine , "|")
'Wscript.Echo "Server name: " & arrServiceList(0)
For i = 1 to Ubound(arrServiceList)
'Wscript.Echo "Service: " & arrServiceList(i)


On error resume Next

Set objGroup = GetObject ("LDAP://" & arrServiceList(0))

objGroup.GetInfo

arrMemberOf = objGroup.GetEx("member")

'WScript.Echo "Members:"
For Each strMember in arrMemberOf
strOU1 = Split(arrServiceList(0), "=")
strOU = strOU1(1)
strGroupName1 = Split(strOU, ",")
strGroupName = strGroupName1(0)

strMbr1 = Split(strMember, "=")
strMbr2 = strMbr1(1)
strMbr3 = Split(strMbr2, ",")
strMbr4 = strMbr3(0)
strMbr5 = Replace(strMbr4,"\#","#")


WScript.echo strGroupName & "|" & strMbr5
Next


Next
Loop
********************************************************

Thanks.

anoopam9,

Can you use the below code to enumerate/list members in a large group (over 1500 members)

Code:

---

using System;
using System.Collections;
using System.Collections.Generic;
using System.Text;
using System.DirectoryServices;
using ActiveDs;

namespace DirectoryServices
{
    static class ADGroup
    {
        const string GROUP_PATH = "LDAP://PATHTOGROUPGOESHERE";
        const string MEMBER_PATH = "LDAP://PATHTOUSERGOESHERE";
        const string MEMBER_DISTINGUISHED_NAME = "USERDISTINGUISHEDNAMEGOESHERE";

        public static void ListMembers()
        {
            using (DirectoryEntry DE = new DirectoryEntry(GROUP_PATH))
            {
                IADsMembers groupMembers = (IADsMembers) DE.Invoke("members", null);
                int ctr = 0;
                foreach (object groupMember in groupMembers)
                {
                    IADs user = (IADs)groupMember;

                    ctr = ctr + 1;
                    Console.WriteLine(ctr + " - " + user.Name);
                }
            }
        }
    }
}

---

Thanks Einstein.. I have one more question here

I only have the DistinguishedName like this:

CN=GroupName,OU=Local Access Groups,OU=Security,DC=Domain,DC=com

How can I get the

• Group_Path,
• Member_Path,
• Member_Distinguished_Name

Thanks.

Quote:

---

Originally Posted by anoopam9

Thanks Einstein.. I have one more question here

I only have the DistinguishedName like this:

CN=GroupName,OU=Local Access Groups,OU=Security,DC=Domain,DC=com

How can I get the

• Group_Path,
• Member_Path,
• Member_Distinguished_Name

---

Did you mean the below:

Command to find the LDAP path for OU
Dsquery OU –name "OU Name"

Command to find the LDAP path for group
DSquery group –samid "Group Name"

Command to find the LDAP path for user object
Dsquery OU –name "User Name"

Command to find the LDAP path for computer object
DSquery Computer –name "Computer Name"

Command to find the LDAP path for subnet object
dsquery subnet -name "Subnet"

Command to find the LDAP path for the Site
dsquery site -name "Site Name"

What I am trying to do here is
The first program gets the LDAP path of all the Groups of the domain in a text file in this format

CN=GroupName1,OU=Local Access Groups,OU=Security,DC=Domain,DC=com
CN=GroupName2,OU=Local Access Groups,OU=Security,DC=Domain,DC=com

and then the next program reads the text file to get the direct members of all the groups in one single file. There are like 100's of groups.

For some of the groups where number of members are greater than 1500, the program is fetching only 1500 members and ignoring rest of them.

I am trying to understand here how I can implement it using your program.

Microsoft has implemented a non-standard way of retrieiving members of groups. In Windows 2000 you could get at most 1,000 members. In windows 2003 and later, you can get up to 1,500 in each call. The strategy is to look for a specially formed attribute, member;range=x-y, where x and y are the low and high value to be returned where the difference between is 1,500 or less.

The link below provides a sample of how to implement using Visual Basic .Net. You can try converting to VBScript but with the free Visual Studio .Net Express versions, why bother? If you really must script, then I'd recommend creating a PowerShell version.

The article contains links to Microsoft documentation covering the same topic.