Get-ADGroupMember：已超出此请求的大小限制 [英] Get-ADGroupMember : The size limit for this request was exceeded

问题描述

我正在尝试从一个文本文件中拉出群组，而我的群组中的一个群组太大，有80,000个人。

I am trying to pull groups in from a text file and one of my groups is too large, 80,000 people.

我该如何工作l，

$groups = Get-Content c:\temp\ADGroups.txt

foreach($group in $groups) {
    @(Get-ADGroup $group -Properties Member| Select-Object -ExpandProperty Member).Count
    Get-ADGroupMember -Identity $group |
        Get-ADObject -Properties Name, DisplayName |
        Select-Object -Property @{n="Username";e={$_.Name}}, DisplayName,
            @{n="AD Group";e={$group}} |
        Export-Csv C:\Users\Desktop\GroupsInfo.CSV -NoTypeInformation -Append
}

推荐答案

Get-ADGroupMember 可以返回的对象数受 ADWS （Active Directory Web服务）：

The number of objects that Get-ADGroupMember can return is restricted by a limit in the ADWS (Active Directory Web Services):

MaxGroupOrMemberEntries

5000

指定Active Directory模块 Get-ADGroupMember ， Get-ADPrincipalGroupMembership 和 Get-ADAccountAuthorizationGroup cmdlet。如果您期望这些cmdlet在您的环境中返回5000多个结果，请将此参数设置为更高的值。

Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to return more than 5000 results in your environment.

根据此线程，您应该可以通过查询组对象并扩展其成员属性（如果您不能增加服务限制）：

According to this thread you should be able to work around it by querying group objects and expanding their member property (if you can't increase the limit on the service):

Get-ADGroup $group -Properties Member |
    Select-Object -Expand Member |
    Get-ADUser -Property Name, DisplayName

但是请注意，这很可能会速度慢，因为您将发送数千个请求。最好为所有用户建立一个哈希表：

Beware, though, that this is likely to be slow, because you'll be sending thousands of requests. It might be better to build a hashtable of all users:

$users = @{}
Get-ADUser -Filter '*' -Property Name, DisplayName | ForEach-Object {
    $users[$_.DistinguishedName] = $_
}

以便您可以按其专有名称查找它们：

so that you can look them up by their distinguished name:

Get-ADGroup $group -Properties Member |
    Select-Object -Expand Member |
    ForEach-Object { $users[$_] }

这篇关于Get-ADGroupMember：已超出此请求的大小限制的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！