Group Scanner - GetQADGroupMember
07-07-2021
Question
I'm trying to loop through all groups on a specific domain and, for each group, perform a validation on the number of members; if some group exceeds the threshold, then flag it and build a report.
I guess I should get all members and then perform the validation, but I'm stuck on this. For example, can Get-QADGroupMember look into all groups, or do you have to enter a specific group?
If I try with a specific group, for example,
$a = Get-QADGroupMember 'localcontoso.com\Administrators'
I'm getting,
Get-QADGroupMember : Cannot resolve directory object for the given identity: 'localcontoso.com\Administrators'.
Any advice is welcome.
Solution
With the following one-liner you don't have to mess with the format of the group identity. It gets all groups, counts the members and outputs only the groups with a member count greater than the value specified in $threshold:
Get-QADGroup -SizeLimit 0 |
Where-Object { (Get-QADGroupMember $_ | Measure-Object).Count -gt $threshold }
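The same check written out as a report, as an added example that is not part of the original answer. It assumes the Quest ActiveRoles snap-in is installed; the threshold value and the CSV path are placeholders chosen for illustration.

```powershell
# Added example (not from the original answer).
# Requires the Quest ActiveRoles snap-in that provides the Get-QAD* cmdlets.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$threshold  = 50                         # assumed value; set to your own limit
$reportPath = '.\oversized-groups.csv'   # assumed output path

$report = foreach ($group in Get-QADGroup -SizeLimit 0) {
    # Pass the DN so the group identity resolves unambiguously.
    # -SizeLimit 0 lifts the default 1000-object cap on the member query;
    # without it, a large group would be undercounted.
    $count = @(Get-QADGroupMember -Identity $group.DN -SizeLimit 0).Count

    if ($count -gt $threshold) {
        [pscustomobject]@{
            Name        = $group.Name
            DN          = $group.DN
            MemberCount = $count
            Threshold   = $threshold
        }
    }
}

if ($report) {
    # Largest groups first, so the worst offenders head the report.
    $report | Sort-Object MemberCount -Descending |
        Export-Csv -Path $reportPath -NoTypeInformation
} else {
    Write-Output "No group exceeds $threshold members."
}
```

Adding -Indirect to the Get-QADGroupMember call counts members inherited through nested groups as well, which is usually the figure that matters when reviewing who effectively holds a group's access.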
OTHER TIPS
Try this if you query AD from the same domain machine:
$a = Get-QADGroupMember 'localcontoso.com/builtin/Administrators'
or
$a = Get-QADGroupMember Administrators
If you query from a different domain:
$a = Get-QADGroupMember administrators -Service DomainControllerName -credential (get-credential)
Note: -credential may not be required.