Unable to get specific attributes while exporting group members

This topic contains 6 replies, has 3 voices, and was last updated by  Ron 10 months, 1 week ago.

  • #79750



    I am trying to export group members using the commands below:
    $group = get-adgroup "distinguishedname of group" -members
    $group.members |get-aduser|select samaccountname, enabled| ft
    Now I also intend to get other attributes for each member like mail, whencreated.

  • #79753


    Ummm....There is no -members parameter for Get-ADGroup. Anyway, I think this is what you're trying to do. When you run Get-ADUser, it only returns a subset of properties for the user. In order to get others that aren't included in that default subset, you have to use the -Properties parameter.

    Get-ADGroupMember "DN of group" | Get-ADUser -Properties Mail,WhenCreated
    • #79756


      Thanks Kevyn, but is it possible to get all the required information in one command?
      Get-ADGroupMember would not fetch more than 1000 members in one go, if I am not wrong.
      I'm still trying to get it done, as the group contains more than 10K users.
      Required information: samaccountname, mail, enabled, whencreated

  • #79757


    No. I'm basically doing what you're doing in your code (You were using two commands: Get-ADGroup & Get-ADUser), but Get-ADGroup was not the right cmdlet to get the group members of the AD Group....Get-ADGroupMember was. What I provided is the most efficient way to do it. As for the required information, SamAccountName is one of the attributes returned in the original subset that AD returns. So, to have all of them, you just need to do the following:

    Get-ADGroupMember "DN of group" | Get-ADUser -Properties Mail,Enabled,WhenCreated

    If you just want the 4 properties shown on the screen, you can select them.

    Get-ADGroupMember "DN of group" | Get-ADUser -Properties Mail,Enabled,WhenCreated | Select-Object -Property SamAccountName,Mail,Enabled,WhenCreated

    Since there are only 4 properties, it will automatically display as a table.

    • #79760


      Thanks Kevyn,
      I will try the command and share the results with you.
      But I doubt that Get-ADGroupMember will be able to fetch more than 1000 group members, which is the reason I took the output in $group.

  • #79769


    I know with Exchange commands (Ex: Get-Mailbox), the default number of objects returned is 1000. For that, you have the -ResultSize parameter that allows you to specify more (up to unlimited), or less. I don't see anything like that for Get-ADGroupMember. In doing some research, I found the following which says that the default limit for the Get-ADGroupMember cmdlet is 5000 and that if you need to be able to have more items returned you have to add a value called MaxGroupOrMemberEntries in the c:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config file. To state the obvious, this would have to be done on all DCs/GCs. There is a warning mentioned in the article that you'll want to make sure to read. Hope this helps.


  • #79871


    You can get the member DNs from Get-ADGroup, and it may not suffer from the limit problem.

    Get-ADGroup groupname -Properties members|select -expand members
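
Added example (not posted by anyone in this thread): one way to export the four requested attributes for a large group without calling Get-ADGroupMember, by searching for users whose memberOf attribute contains the group's DN. The function name Export-GroupMemberReport, the group name 'GroupName' and the CSV path are placeholders chosen for illustration.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Export-GroupMemberReport {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,   # name, SID, GUID or DN of the group
        [Parameter(Mandatory)] [string] $CsvPath          # where to write the report
    )

    # Resolve the group once so the filter can use its distinguished name.
    $group = Get-ADGroup -Identity $GroupIdentity -ErrorAction Stop

    # Escape the characters that are special inside an LDAP filter (RFC 4515).
    # Backslash goes first so the escapes added afterwards are not escaped again.
    $dn = $group.DistinguishedName `
        -replace '\\', '\5c' `
        -replace '\*', '\2a' `
        -replace '\(', '\28' `
        -replace '\)', '\29'

    # A directory search for user objects that list the group in memberOf.
    # Mail and WhenCreated are not in Get-ADUser's default property set,
    # so they are requested explicitly; SamAccountName and Enabled are.
    Get-ADUser -LDAPFilter "(memberOf=$dn)" -Properties Mail, WhenCreated |
        Select-Object -Property SamAccountName, Mail, Enabled, WhenCreated |
        Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
}

# 'GroupName' and the output path are placeholders.
Export-GroupMemberReport -GroupIdentity 'GroupName' -CsvPath '.\GroupMembers.csv'
```

This returns direct user members only: members of nested groups, non-user members (computers, contacts, other groups) and users who have the group set as their primary group do not appear in the result.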
