Managing large groups can fail due to limits in Active Directory Web Services when too many members are in a group.
Fails: Get-ADGroupMember "LargeGroup"
error: Get-ADGroupMember : The size limit for this request was exceeded
Works: Add-ADGroupMember and Remove-ADGroupMember
Workaround: Get-ADGroup "LargeGroup" -Properties Members | Select-Object -ExpandProperty Members
This returns the distinguished names of all members as an array.
-----------------------------------------------
Piping groups or users into a group membership cmdlet to change the group memberships.
1) When you are piping groups into a cmdlet and the user(s) are static, pipe to Add-ADGroupMember.
Ex: Get-ADGroup -Filter {Name -like "HelpDesk*"} | Add-ADGroupMember -Members $userdn
2) When you are piping users into a cmdlet and the group(s) are static, pipe to Add-ADPrincipalGroupMembership.
Ex: Get-ADUser bob | Add-ADPrincipalGroupMembership -MemberOf $groupdn
NOTE: Add-ADPrincipalGroupMembership will generate successful security audit events (Directory Service Change) for the addition of the group member, even if they were already a member of the group.
-----------------------------------------------
When using Add-ADGroupMember with an array of members, if any of them are already part of the group, the whole operation will fail. It's best to add them one at a time.
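One way to add members one at a time, as an added example that is not code from the original post: it reads the current membership with the Get-ADGroup workaround above (so it also works on large groups), skips anyone already in the group, and reports a result per member. The function name Add-MissingGroupMember and the sample values in the usage comment are assumptions; the ActiveDirectory module must be loaded.

```powershell
# Added example (hypothetical helper, not part of the original post).
# Requires the ActiveDirectory module and rights to modify the group.
function Add-MissingGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Group,     # group name or DN
        [Parameter(Mandatory)] [string[]] $MemberDN   # distinguished names to add
    )

    # Read membership from the group object instead of Get-ADGroupMember,
    # which fails with "size limit ... exceeded" on large groups.
    # DNs are compared case-insensitively.
    $current = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    Get-ADGroup $Group -Properties Members |
        Select-Object -ExpandProperty Members |
        ForEach-Object { [void]$current.Add($_) }

    foreach ($dn in $MemberDN) {
        # Already a member: make no write attempt at all.
        if ($current.Contains($dn)) {
            [pscustomobject]@{ Member = $dn; Result = 'AlreadyMember' }
            continue
        }
        try {
            # One member per call, so a single failure cannot abort the rest.
            if ($PSCmdlet.ShouldProcess($Group, "Add $dn")) {
                Add-ADGroupMember -Identity $Group -Members $dn -ErrorAction Stop
                [void]$current.Add($dn)   # also de-duplicates repeated input
                [pscustomobject]@{ Member = $dn; Result = 'Added' }
            }
        }
        catch {
            [pscustomobject]@{ Member = $dn; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Usage with constructed sample values; run with -WhatIf first to preview:
# $userDNs = 'CN=Bob,OU=Staff,DC=example,DC=com', 'CN=Alice,OU=Staff,DC=example,DC=com'
# Add-MissingGroupMember -Group 'LargeGroup' -MemberDN $userDNs -WhatIf
```

The per-member result objects can be piped to Export-Csv to keep a record of what was changed alongside the Directory Service Change audit events.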