A PowerShell Version 1.0 script to enumerate the direct members of a large Active Directory group. This script uses ADO range retrieval to overcome the limit of 1500 values that can be retrieved for a multi-valued attribute like the "member" attribute of a group.

You can pass the pre-Windows 2000 name (the value of the sAMAccountName attribute) of the group to the script as a parameter, or it will prompt for the group name. The script outputs the distinguished names of all direct members of the group, and then outputs the total number of members. The output should be redirected to a text file.

Note that the "member" attribute of group objects does not include any members that have the group designated as their primary group. For this reason, in most domains the group "Domain Users" will appear to be empty, since by default this is the "primary" group for all users. The same will be true for the group "Domain Computers", since this is the default "primary" group for all computers.

This script demonstrates how to use range retrieval with ADO to handle multi-valued attributes with many values. The script reports if the group could not be found. The script works properly if the group has only a few members, or even no members.

The dsget group command line utility fails if there are more than 1500 members in the group. However, if you have PowerShell version 2.0 and the Active Directory modules that come with Windows Server 2008 R2 or above, you can use Get-ADGroupMember (or even Get-ADObject) to retrieve the membership of large groups.
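As an added illustration of the range-retrieval technique described above (this is not the EnumLargeGroup.txt script itself), the following PowerShell 1.0-style script asks ADO for the "member" attribute in slices of 1500 values until the server marks the last slice; the escaping of the group name before it is placed in the LDAP filter is an addition of this example, not something the page describes:

```powershell
# Added example: enumerate direct members of a large group with ADO range retrieval.
param ([string]$GroupName = $(Read-Host "Enter pre-Windows 2000 name of group"))

$RangeSize = 1500   # AD returns at most 1500 values of one multi-valued attribute per request

# Escape LDAP filter metacharacters (RFC 4515) so the supplied name cannot change the filter.
function Escape-LdapFilter ([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Default naming context of the current domain, used as the search base
$Domain = ([ADSI]"LDAP://RootDSE").defaultNamingContext

# ADO connection and command through the ADSI OLE DB provider
$Connection = New-Object -ComObject "ADODB.Connection"
$Connection.Open("Provider=ADsDSOObject;")
$Command = New-Object -ComObject "ADODB.Command"
$Command.ActiveConnection = $Connection
$Command.Properties("Page Size") = 100
$Command.Properties("Timeout") = 30
$Command.Properties("Cache Results") = $False

$Filter = "(&(objectCategory=group)(sAMAccountName=$(Escape-LdapFilter $GroupName)))"
$Low = 0; $Total = 0; $Last = $False

do {
    $High = $Low + $RangeSize - 1
    # Request only this slice of the attribute, e.g. member;range=1500-2999
    $Command.CommandText = "<LDAP://$Domain>;$Filter;member;range=$Low-$High;subtree"
    $Recordset = $Command.Execute()
    if ($Recordset.EOF) { $Recordset.Close(); throw "Group $GroupName not found" }
    $InSlice = 0
    foreach ($Field in $Recordset.Fields) {
        # The server names the final slice member;range=N-* ...
        if ($Field.Name.EndsWith("*")) { $Last = $True }
        if ($null -ne $Field.Value) {
            foreach ($DN in @($Field.Value)) { $DN; $InSlice++ }   # output each member DN
        }
    }
    $Recordset.Close()
    # ... and a slice shorter than the maximum (including an empty one) is also the last
    if ($InSlice -lt $RangeSize) { $Last = $True }
    $Total += $InSlice
    $Low = $High + 1
} until ($Last)
$Connection.Close()
"Total direct members: $Total"
```

Like the page's script, this lists only direct members held in "member"; users whose primary group is this group, and members of nested groups, are not returned.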

The script is available as EnumLargeGroup.txt.