Exporting large domain group

jeremy.stump posted this 17 August 2015

I need a cmd\vb\ps script that will copy our large Domain Users group and copy the members to another group, clean that up and use it within Citrix to lock down an application more effectively. I am getting limit exceeded when I try to do it and need this done asap.

Jeremy Stump | System Admin III | Information Technology | BMHCC - CORPORATE
Phone: (901) 227-8205 | Jeremy.Stump@xxxxxxxxxxxxxxxx
Opinions expressed above are not necessarily those of Baptist.


dsolodow posted this 17 August 2015

I’d strongly suggest using PS.

Approx how many users are you talking? If your forest functional level isn’t Windows 2003 or higher, there’s a limit of about 5,000 users in a group. If your functional level is higher, there isn’t really a limit.


DAMIEN SOLODOW

Senior Systems Engineer

317.447.6033 (office)

317.447.6014 (fax)

HARRISON COLLEGE


Chris-Dent posted this 17 August 2015

Ask for the users instead of asking for the group members perhaps:
$DomainUsers = Get-ADGroup "Domain Users"
Get-ADUser -LdapFilter "(|(memberOf=$($DomainUsers.DistinguishedName))(primaryGroupID=513))" -ResultSetSize $null | ForEach-Object {
  Add-ADGroupMember SomeOtherGroup -Member $_.DistinguishedName
}
Might work, can't test it at the moment. Obviously you'll need to update the value for SomeOtherGroup.
Cheers,
Chris


Cynthia posted this 17 August 2015

Have you tried doing it through Active Directory Administrative Center?

It’s quick, easy, and no script needed.

Cynthia Erno

Data Center Hosting, Windows Unit

 

Office of Information Technology Services (ITS)

50 Wolf Rd.,  Albany, NY 12204

(518) 408-5506

cynthia.erno@xxxxxxxxxxxxxxxx

L3 DCH WIN

Windows Server group ITSM

jeremy.stump posted this 17 August 2015

Functional level is 2003 right now, about a month away from moving to 2008r2. Do you have a ps script that actually works?


Chris-Dent posted this 17 August 2015

See above.


jeremy.stump posted this 17 August 2015

I did actually, when I click on Domain Users and list members I know there are 50k users + in there but the console only shows 2 users, very strange. I am logging in with DA privs btw straight on the 2008R2 dc or my win8 machine either way.   


dsolodow posted this 17 August 2015

This should enumerate your “Domain Users” members:

get-aduser -Properties primarygroupid -Filter {primarygroupid -eq '513'} -ResultSetSize $NULL -ResultPageSize 1000

Dumping that to a CSV or just piping it to “add-adgroupmember” should do the trick for you.


Chris-Dent posted this 17 August 2015

Likely to be because most users have it as the primaryGroup so it cannot be enumerated using memberOf alone. You must also look at the primaryGroupID on the member object.
Given the size it may also be prudent to filter out people already in the intended group from the search criteria:
$NewGroup = Get-ADGroup "Some Group"
$DomainUsers = Get-ADGroup "Domain Users"
Get-ADUser -LdapFilter "(&(|(memberOf=$($DomainUsers.DistinguishedName))(primaryGroupID=513))(!memberOf=$($NewGroup.distinguishedName)))" -ResultSetSize $null | ForEach-Object {
  Add-ADGroupMember $NewGroup.distinguishedName -Member $_.DistinguishedName
}
If you can't use the ActiveDirectory module it gets a bit more complicated. Something like this (again, untested because I'm at home):
# A fresh searcher is created for each query so the previous filter and property list don't carry over
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = "(&(objectClass=group)(name=YourNewGroup))"
$NewGroup = $Searcher.FindOne().GetDirectoryEntry()
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = "(&(objectClass=group)(name=Domain Users))"
$Searcher.PropertiesToLoad.AddRange(@("name", "distinguishedName", "primaryGroupToken"))
$DomainUsers = $Searcher.FindOne()
$Searcher = New-Object DirectoryServices.DirectorySearcher
# Match on memberOf OR primaryGroupID: most users hold Domain Users only as their primary group
$Searcher.Filter = "(&(objectClass=user)(objectCategory=person)(|(memberOf=$($DomainUsers.Properties['distinguishedname']))(primaryGroupID=$($DomainUsers.Properties['primarygrouptoken']))))"
$Searcher.PageSize = 1000   # paged search; without this the server stops at its 1000-result limit
$null = $Searcher.PropertiesToLoad.Add("distinguishedName")
$Searcher.FindAll() | ForEach-Object {
  $NewGroup.PSBase.Invoke('Add', @("LDAP://$($_.Properties['distinguishedname'])"))
}
Chris
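The approach the thread converges on (select users by primaryGroupID or memberOf rather than reading the group's member attribute, exclude users already in the destination group so the run is repeatable, then pipe to Add-ADGroupMember) as one complete script. This is an added example, not code from any of the posters; it assumes the ActiveDirectory module is installed and that the account running it may modify the destination group. The group name 'Citrix-App-Users' and the batch size are placeholders. It goes slightly beyond the thread in one respect: members are added in batches instead of one Add-ADGroupMember call per user, which matters when the source group holds tens of thousands of accounts.

```powershell
# Added example (not from the thread): copy the effective membership of
# "Domain Users" into a destination group, in batches, skipping users already present.
param(
    [string]$TargetGroup = 'Citrix-App-Users',   # placeholder; replace with your group
    [int]$BatchSize = 500,
    [switch]$DryRun                              # pass -DryRun to see what would be added
)
Import-Module ActiveDirectory

# primaryGroupToken is the RID of the group (513 for Domain Users); read it rather than hard-coding
$domainUsers = Get-ADGroup 'Domain Users' -Properties primaryGroupToken
$target      = Get-ADGroup $TargetGroup

# Domain Users normally has an empty 'member' attribute: users belong to it through
# primaryGroupID, so the search must match on either primaryGroupID or memberOf.
# The trailing (!(memberOf=...)) clause leaves out users already in the destination group.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(|(primaryGroupID=$($domainUsers.primaryGroupToken))(memberOf=$($domainUsers.DistinguishedName)))" +
          "(!(memberOf=$($target.DistinguishedName))))"

$batch = New-Object 'System.Collections.Generic.List[string]'
$added = 0

# -ResultSetSize $null removes the client-side cap; -ResultPageSize 1000 pages the server results
Get-ADUser -LDAPFilter $filter -ResultSetSize $null -ResultPageSize 1000 |
    ForEach-Object {
        $batch.Add($_.DistinguishedName)
        if ($batch.Count -ge $BatchSize) {
            # One directory modify per batch instead of one per user
            Add-ADGroupMember -Identity $target -Members $batch.ToArray() -WhatIf:$DryRun
            $added += $batch.Count
            $batch.Clear()
        }
    }

if ($batch.Count -gt 0) {
    Add-ADGroupMember -Identity $target -Members $batch.ToArray() -WhatIf:$DryRun
    $added += $batch.Count
}

Write-Host "Processed $added users for group '$TargetGroup'$(if ($DryRun) { ' (dry run, nothing changed)' })"
```

Run it once with -DryRun to confirm the count matches what you expect from Domain Users before writing anything; because already-present members are excluded in the LDAP filter, a second real run only picks up accounts created since the first. Keep in mind that a group populated this way carries the same membership as Domain Users at the moment it was copied, so whatever is later removed from it has to be maintained separately from AD's own primary-group mechanism.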


Cynthia posted this 17 August 2015

In AD, right click on OU you are trying to get the info from and choose view/Filter options and up the max amount of items to see if that helps?


dloder posted this 17 August 2015

Be careful.  From an LDAP perspective, the Domain Users group will normally contain zero DNs in the members attribute.  Users get "added" to Domain Users by virtue of their primaryGroupID being 513, unless you've been changing the Primary Group values.  This mechanism was necessary to overcome the 5000 member limit with W2K.
-- http://dloder.blogspot.com --

jeremy.stump posted this 17 August 2015

This is not a filter issue I have mine set to 999999 and in the Domain Users group I have only like 75k users.  


jeremy.stump posted this 17 August 2015

Nice command but what I really need is these same users copied to a new group.  


Cynthia posted this 17 August 2015

Ok.. Did you try the global search on the domain name?

(The initial value on the filter is to only allow 20,000 but showing only 2?  Very odd.)


kennedyjim posted this 17 August 2015

I believe if you add | Add-ADGroupMember -Identity 'NewGroup' to the below you will be all set.


dsolodow posted this 17 August 2015

"Dumping that to a CSV or just piping it to 'add-adgroupmember' should do the trick for you."

Like:

get-aduser -Properties primarygroupid -Filter {primarygroupid -eq '513'} -ResultSetSize $NULL -ResultPageSize |
foreach {add-adgroupmember "my group" -members $_.samaccountname}


jeremy.stump posted this 17 August 2015

PS C:\temp> get-aduser -Properties primarygroupid -Filter {primarygroupid -eq '513'} -ResultSetSize $NULL –ResultPageSize | foreach {add-adgroupmember “jstest4000” –members $_.samaccountname}
Get-ADUser : Missing an argument for parameter 'ResultPageSize'. Specify a parameter of type 'System.Int32' and try again.
At line:1 char:95
+ ... tSetSize $NULL –ResultPageSize | foreach {add-adgroupmember “jstest4000” –member ...
+                    ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
    + FullyQualifiedErrorId : MissingArgument,Microsoft.ActiveDirectory.Management.Commands.GetADUser


dsolodow posted this 17 August 2015

Looks like that got dropped when I did the copy/paste

get-aduser -Properties primarygroupid -Filter {primarygroupid -eq '513'} -ResultSetSize $NULL -ResultPageSize 1000 |
foreach {add-adgroupmember "my group" -members $_.samaccountname}


jeremy.stump posted this 17 August 2015

It is working ! thanks so much!  
