
Get-ADGroupMember limitations #2

@ebowcock

Description

@ebowcock

Line 148:
$members = Get-ADGroupMember -Identity $group
If the group membership ever exceeds 5,000, this will break unless configured to allow a higher value. By default this command will only error; the return would be:

```
Get-ADGroupMember -Identity
Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:1
+ Get-ADGroupMember -Identity
    + CategoryInfo          : NotSpecified: (<group>:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8227,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
```

Once the first group fails to return group membership it could assign the devices to other groups until eventually all devices are assigned to all groups. This could really come into play with lifecycle replacements when new devices are added into the environment and the old groups remain. For example:
4k systems are normally assigned to 4 groups for 16k devices.
4k systems or 25% of the environment is staged for lifecycle replacement and the old/new devices are in AD at the same time.
Once a device group has 5001 devices due to this temporary balloon of assets this will start to break. This would require changes to the MaxGroupOrMemberEntries setting in every domain controller. This limitation applies to:

Get-ADGroupMember
Get-ADPrincipalGroupMembership
Get-ADAccountAuthorizationGroup
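As an added example (not code from the issue author or the project), the following PowerShell shows one way a script can avoid the failure mode described above: it tries `Get-ADGroupMember` first, and when the size-limit error (ActiveDirectoryServer error 8227) is raised it falls back to a paged LDAP search for objects whose `memberOf` contains the group's distinguished name, which does not depend on the `MaxGroupOrMemberEntries` setting on the domain controllers. It also refuses to treat a failed lookup as an empty group, which is the step that leads to devices being assigned to every group. The function name, the `$GroupName` value and the placeholder group name are assumptions; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the issue or the project.
# Assumes the ActiveDirectory module; group name below is a placeholder.

function ConvertTo-LdapFilterValue {
    # Escape characters that have special meaning inside an LDAP filter (RFC 4515).
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-GroupMembersSafely {
    # Hypothetical helper: returns the group's members even when the group has more
    # than MaxGroupOrMemberEntries (default 5,000) members.
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [switch] $Recursive
    )

    $group = Get-ADGroup -Identity $GroupName

    try {
        # Fast path: fine while the group stays under the server-side limit.
        return Get-ADGroupMember -Identity $group -Recursive:$Recursive -ErrorAction Stop
    }
    catch {
        # Error 8227, "The size limit for this request was exceeded", is the case the
        # issue describes; any other error is re-thrown rather than swallowed.
        if ($_.Exception.Message -notmatch 'size limit') { throw }
        Write-Warning "Get-ADGroupMember hit the size limit for '$GroupName'; falling back to a paged memberOf query."
    }

    # Fallback: paged LDAP search for objects that list the group in memberOf.
    # The matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) follows nested groups.
    $dn = ConvertTo-LdapFilterValue -Value $group.DistinguishedName
    $filter = if ($Recursive) { "(memberOf:1.2.840.113556.1.4.1941:=$dn)" } else { "(memberOf=$dn)" }

    Get-ADObject -LDAPFilter $filter -ResultPageSize 1000 -ResultSetSize $null -Properties objectClass, sAMAccountName
}

# Guard for the assignment logic the issue describes: never treat a failed lookup as
# "this group is empty", since that is what makes devices pile onto the other groups.
$members = @(Get-GroupMembersSafely -GroupName 'PLACEHOLDER-DeviceGroup-1')
if ($members.Count -eq 0) {
    throw "Refusing to continue: membership lookup for the group returned nothing."
}
"Group has $($members.Count) members"
```

Two caveats on the fallback: a `memberOf` search does not return accounts whose membership comes only from their primary group (`primaryGroupID`), so a group used as a primary group needs that attribute queried separately; and the paged query returns generic AD objects, so callers that relied on the `ADPrincipal` objects from `Get-ADGroupMember` should select the properties they need (`objectClass`, `sAMAccountName`, `distinguishedName`) rather than assume the same type.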
