Get-ADGroupMember : The size limit for this request was exceeded

The Get-ADGroupMember cmdlet is excellent for getting the AD members from a group. However, this time you run the Get-ADGroupMember cmdlet and get the error: Get-ADGroupMember : The size limit for this request was exceeded. Why is this happening, and what is the solution for this error?

Get-ADGroupMember : The size limit for this request was exceeded

We have the AD group SG_Azure_A and would like to get all the members of that group with PowerShell.

Run PowerShell as administrator and run the Get-ADGroupMember cmdlet to get all the members of the group SG_Azure_A.

PS C:\> Get-ADGroupMember -Identity "SG_Azure_A" | Select-Object Name | Sort-Object Name

After we run the above command, the output in PS shows the error:

Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:1
+ Get-ADGroupMember -Identity "SG_Azure_A" | Select-Object Name | Sort- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (SG_Azure_A:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8227,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

Why do we get this error, and what is the solution for Get-ADGroupMember : The size limit for this request was exceeded?

Maximum size limit Get-ADGroupMember is 5000

The maximum number of group members to retrieve is 5000. So if there are more members in the group than the 5000 limit, the error: Get-ADGroupMember : The size limit for this request was exceeded will show up.

Let’s look at the next step on how to resolve this error.

Solutions to Get-ADGroupMember : The size limit for this request was exceeded

There are two solutions for the error Get-ADGroupMember : The size limit for this request was exceeded.

Solution 1: Run Get-ADGroup cmdlet

The Get-ADGroup cmdlet is different from the Get-ADGroupMember cmdlet. Its advantage is that there is no limit on the number of group members it returns.

Get the members of the group by distinguished names.

PS C:\> Get-ADGroup 'SG_Azure_A' -Properties Member | Select-Object -ExpandProperty Member | Sort

Get the members of the group by name.

PS C:\> Get-ADGroup "SG_Azure_A" -Properties Member | Select-Object -ExpandProperty Member | Get-ADObject | Select Name | Sort Name

Count the members in the group.

PS C:\> ((Get-ADGroup "SG_Azure_A" -Properties member).member).count

Export the members of the group to a CSV file.

In this example, it will export the results to the file exportmembers.csv in the C:\temp directory.

PS C:\> Get-ADGroup "SG_Azure_A" -Properties Member | Select-Object -ExpandProperty Member | Get-ADObject | Select Name | Sort Name | Export-Csv "C:\temp\exportmembers.csv" -Encoding UTF8 -NoTypeInformation

This is what the CSV file looks like.

[Screenshot: Get-ADGroupMember CSV export]

Copy all the members from the source group to the target group.

PS C:\> Add-ADGroupMember -Identity "SG_Azure_B" -Members (Get-ADGroup "SG_Azure_A" -Properties member).member
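
The commands in Solution 1 return direct members only. The following added example (not part of the original article) goes one step further and expands nested groups from the same member attribute, with a visited set so that circular nesting cannot loop. Get-NestedMember, the injectable $Resolve parameter and the sample DNs are assumptions made for illustration.

```powershell
# Added example; Get-NestedMember is a hypothetical helper, not a module cmdlet.
function Get-NestedMember {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        # Returns an object with ObjectClass and member for a DN. The default asks
        # AD; a different resolver can be injected to run against constructed data.
        [scriptblock] $Resolve = { param($dn) Get-ADObject -Identity $dn -Properties member }
    )
    $seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($GroupDN)
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if (-not $seen.Add($dn)) { continue }   # already visited: stops A -> B -> A loops
        $obj = & $Resolve $dn
        if ($null -eq $obj) { continue }        # resolver returned nothing for this DN
        if ($obj.ObjectClass -eq 'group') {
            foreach ($m in $obj.member) { $queue.Enqueue($m) }   # descend into nested group
        } else {
            $obj                                # leaf: user, computer, contact, ...
        }
    }
}

# Constructed sample directory: A holds B and alice; B holds A (a loop), bob and alice.
$dir = @{
    'CN=A,DC=example'     = [pscustomobject]@{ Name = 'A';     ObjectClass = 'group'; member = @('CN=B,DC=example', 'CN=alice,DC=example') }
    'CN=B,DC=example'     = [pscustomobject]@{ Name = 'B';     ObjectClass = 'group'; member = @('CN=A,DC=example', 'CN=bob,DC=example', 'CN=alice,DC=example') }
    'CN=alice,DC=example' = [pscustomobject]@{ Name = 'alice'; ObjectClass = 'user';  member = @() }
    'CN=bob,DC=example'   = [pscustomobject]@{ Name = 'bob';   ObjectClass = 'user';  member = @() }
}
# The $seen set breaks the A/B loop and emits alice once although she is reachable twice.
Get-NestedMember -GroupDN 'CN=A,DC=example' -Resolve { param($dn) $dir[$dn] } |
    Select-Object Name | Sort-Object Name

# Against a domain (requires the ActiveDirectory module):
# Get-NestedMember -GroupDN (Get-ADGroup 'SG_Azure_A').DistinguishedName | Select-Object Name | Sort-Object Name
```

With the default resolver, every member costs one Get-ADObject call, the same as the Get-ADObject pipeline shown above.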

Solution 2: Change ADWS configuration parameter

The ADWS (Active Directory Web Services) provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on this server. If the service is stopped or disabled, client applications, such as Active Directory PowerShell, will not be able to access or manage any directory service instances that are running locally on the server.

The parameter that you need to add is MaxGroupOrMemberEntries. Follow the steps below:

1. Sign in to the Domain Controllers.

2. Open the below file with Notepad.

C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config

3. Copy the below text and key.

    <!--Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization 
    groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and 
    Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to
    return more than 5000 results in your environment.-->

    <add key="MaxGroupOrMemberEntries" value="50000"/>

The MaxGroupOrMemberEntries configuration parameter applies only to the three Active Directory module cmdlets: Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup.

4. Paste the text and key into the config file.

In this example, the value is set to 50000 (the cmdlets will then retrieve up to 50000 items).

5. Save the config file.

6. Run the command in PowerShell to restart the ADWS service.

PS C:\> Restart-Service -Name ADWS

7. Run the Get-ADGroupMember cmdlet to get the group members or copy members from one AD group to another.

PS C:\> Get-ADGroupMember -Identity "SG_Azure_A" | Select-Object Name | Sort-Object Name

That’s it!
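
Steps 2 to 6 can also be scripted so the change is repeatable on each domain controller. This is an added example, not part of the original article: Set-AdwsAppSetting is a hypothetical helper, and it assumes the key belongs under the appSettings element of the config file, where add key/value entries of this form are kept.

```powershell
# Added example; Set-AdwsAppSetting is a hypothetical helper name.
# Assumption: <add key=... value=.../> entries live under <configuration><appSettings>.
function Set-AdwsAppSetting {
    param(
        [Parameter(Mandatory)] [string] $Path,      # full path; XmlDocument.Load ignores the PS location
        [string] $Key   = 'MaxGroupOrMemberEntries',
        [int]    $Value = 50000
    )
    $xml = [xml]::new()
    $xml.PreserveWhitespace = $true                 # keep the file's layout and comments intact
    $xml.Load($Path)
    $settings = $xml.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $settings) { throw "No <appSettings> element in $Path" }

    $node = $settings.SelectSingleNode("add[@key='$Key']")
    if ($null -ne $node -and $node.GetAttribute('value') -eq "$Value") {
        return $false                               # already set: no write, no restart needed
    }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # backup before editing
    if ($null -eq $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        [void]$settings.AppendChild($node)
    }
    $node.SetAttribute('value', "$Value")
    $xml.Save($Path)
    return $true
}

# Constructed sample file, so the function can be tried away from a domain controller.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'adws-demo.config'
'<configuration><appSettings><add key="ExampleKey" value="1"/></appSettings></configuration>' |
    Set-Content -LiteralPath $demo -Encoding UTF8
Set-AdwsAppSetting -Path $demo    # first call adds the key
Set-AdwsAppSetting -Path $demo    # second call finds it in place and changes nothing

# On a domain controller, restart ADWS only when the file actually changed:
# $cfg = 'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config'
# if (Set-AdwsAppSetting -Path $cfg) { Restart-Service -Name ADWS }
```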

Conclusion

You learned why the error Get-ADGroupMember : The size limit for this request was exceeded appears. The solution to this problem is to use the Get-ADGroup cmdlet instead. Another method is to add the MaxGroupOrMemberEntries parameter in the ADWS config file. After that, you can run the Get-ADGroupMember cmdlet.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 4 Comments

  1. With your first proposed fix, is it possible to use the switch -Recursive ?
    Because this is most often when that switch is used (to count members into nested groups) that this error occurs …
