Advanced Windows PowerShell Scripting Video Training


Monday, July 22, 2013

How to Exceed the Maximum Number of Allowed Objects from Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets

One reason the cmdlets in the ActiveDirectory module limit the properties returned on objects, or the number of objects returned, is that you may accidentally ask for 2 billion objects if you are not careful.  A recent question on one of my posts asked how to exceed the threshold for Get-ADGroupMember.
The error that the user received was:
Get-ADGroupMember : The size limit for this request was exceeded
The default limit is 5000 objects.  This is a limitation imposed by the Active Directory Web Service (ADWS).  ADWS is a requirement for using the ActiveDirectory module for PowerShell. If you have multiple instances of ADWS on multiple Domain Controllers, you will need to perform this procedure on each one.  Since you do not know for sure which DC your client will bind to, changing this setting on all of the ADWS services will prevent random issues from happening in the future.
Open the file c:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config
After the <appSettings> tag, place this entry (use plain straight quotes, not typographic quotes, or the XML will not parse):
<add key="MaxGroupOrMemberEntries" value="10000"/>
This assumes that you need to return up to 10000 objects from these cmdlets.  Also take note that you will still have a 5 minute timeout imposed on all your requests.  If you cannot recover the information in 5 minutes, the request will fail.  Filter your request to contain only the information that you need to work with.
Your next step is to stop and then restart the ADWS service on the Domain Controller.
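
The procedure above, applied to every Domain Controller in one pass, as an added example that is not part of the original post. It assumes PowerShell remoting is enabled on the DCs, that you run it with rights to edit the file and restart services there, and that the config file has the standard .NET layout with a single <appSettings> element; the backup file name is a choice made for this example.

```powershell
Import-Module ActiveDirectory

$limit = 10000   # value used in the post; raise only as far as you need

# Every DC in the current domain, since the client may bind to any of them
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

Invoke-Command -ComputerName $dcs -ArgumentList $limit -ScriptBlock {
    param([int]$Limit)

    $path = 'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config'
    $key  = 'MaxGroupOrMemberEntries'

    # Load as XML so the edit cannot produce a malformed file
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($path)

    $appSettings = $xml.SelectSingleNode('//appSettings')
    if (-not $appSettings) { throw "No <appSettings> element found in $path" }

    # Idempotent: do nothing (and do not restart ADWS) if already set
    $node = $appSettings.SelectSingleNode("add[@key='$key']")
    if ($node -and $node.GetAttribute('value') -eq "$Limit") {
        return ('{0}: {1} already set to {2}' -f $env:COMPUTERNAME, $key, $Limit)
    }

    # Keep a timestamped copy so the change can be rolled back
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $path -Destination "$path.$stamp.bak"

    if (-not $node) {
        # Place the entry directly after the opening <appSettings> tag
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $key)
        [void]$appSettings.PrependChild($node)
    }
    $node.SetAttribute('value', "$Limit")
    $xml.Save($path)

    # The setting is only read at service start
    Restart-Service -Name ADWS
    '{0}: {1} set to {2}, ADWS restarted' -f $env:COMPUTERNAME, $key, $Limit
}
```

Restarting ADWS briefly interrupts ActiveDirectory module and Active Directory Administrative Center sessions bound to that DC, so run this in a maintenance window.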