Author Posts

December 23, 2013 at 6:41 am

Hello everyone,

I'm working on a collection of scripts to check and update the members of local groups across a range of servers following Richard's excellent example available on the Hey, Scripting Guy! blog. Everything is fine save for the fact that each of the commands takes _forever_ to run. I've tried the following on a number of 2012 R2 and 8.1 workstations on the domain:

$group = Get-CimInstance -ClassName Win32_Group  -Filter "Name = 'Administrators'"
Get-CimAssociatedInstance -InputObject $group -ResultClassName Win32_UserAccount | select -ExpandProperty Caption

All of the machines are of a decent specification and connected directly to the LAN but regardless of which one I choose Measure-Command reports an average run time of around 20 minutes. It's the same whether I go for the CIM approach, the WMI approach or the AccountManagement class approach.

Can anyone suggest what I might be doing wrong?

Many thanks in advance.


December 23, 2013 at 6:49 am

Have you checked to see if it's actually enumerating from the domain as well?

I ask because in most situations, querying Win32_UserAccount will get you the domain user list as well, which will obviously take a lot longer. That's built into how the class works in the WMI repository, so how you access it – DCOM, CIM, whatever – wouldn't matter. Note the docs for Win32_UserAccount, which say, "Note Because both the Name and Domain are key properties, enumerating Win32_UserAccount on a large network can negatively affect performance. Calling GetObject or querying for a specific instance has less impact." Win32_Group is similar.

I tend to stick with the old-school WinNT:\\ ADSI provider when I want to work with local groups, although it's definitely more work since there's nothing as convenient as an association class. There's certainly other approaches others might suggest, but since I have so much history in VBScript, that's what I tend to do.

December 23, 2013 at 8:02 am

Have you checked to see if it's actually enumerating from the domain as well?

I have not, no, but that'd make perfect sense as our AD is enormous (terrifyingly so). I'll look over the Win32_UserAccount documentation as you recommend and take a look at the ADSI provider. Having never used VBScript that syntax always looks a little ... daunting. =)

Thanks for the lightning fast response.