Question

I'm trying to loop through all groups on a specific domain and, for each group, validate the number of members. If a group exceeds the threshold, then flag it and build a report.

I guess I should get all members and then perform the validation, but I'm stuck on this. For example, can Get-QADGroupMember look into all groups, or do you have to enter a specific group?

If I try with a specific group, for example,

$a = Get-QADGroupMember 'localcontoso.com\Administrators'

I'm getting,

Get-QADGroupMember : Cannot resolve directory object for the given identity: 'localcontoso.com\Administrators'.

Any advice is welcome.


Solution

With the following one-liner you don't have to mess with the format of the group identity. It gets all groups, counts their members, and outputs only the groups with a member count greater than the value specified in $threshold.

Get-QADGroup -SizeLimit 0 | 
Where-Object { (Get-QADGroupMember $_ | Measure-Object).Count -gt $threshold }
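The report the question asks for, as an added example that is not part of the original answer: it keeps the member count for each flagged group and writes the result to CSV. It assumes the Quest ActiveRoles snap-in is installed; the parameter names, default threshold and report path are illustrative.

```powershell
# Added example (not from the original answer).
# Assumptions: Quest ActiveRoles snap-in installed; $Threshold and $ReportPath are illustrative values.
param(
    [int]$Threshold = 50,
    [string]$ReportPath = '.\oversized-groups.csv'
)

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$report = foreach ($group in Get-QADGroup -SizeLimit 0) {
    try {
        # Pass the distinguished name so the identity always resolves.
        # -SizeLimit 0 lifts the snap-in's default result cap, so large groups are counted in full.
        $members = @(Get-QADGroupMember -Identity $group.DN -SizeLimit 0 -ErrorAction Stop)
    }
    catch {
        # Record the failure and keep going instead of aborting the whole audit.
        Write-Warning "Could not read members of '$($group.DN)': $($_.Exception.Message)"
        continue
    }

    if ($members.Count -gt $Threshold) {
        New-Object PSObject -Property @{
            Name        = $group.Name
            DN          = $group.DN
            MemberCount = $members.Count
        }
    }
}

# Largest groups first; fixed column order for the CSV.
$report |
    Sort-Object MemberCount -Descending |
    Select-Object Name, DN, MemberCount |
    Export-Csv -Path $ReportPath -NoTypeInformation
```

Only direct members are counted here; adding -Indirect to Get-QADGroupMember also counts members that arrive through nested groups.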

OTHER TIPS

Try this if you query AD from the same domain machine:

$a = Get-QADGroupMember 'localcontoso.com/builtin/Administrators'

or

$a = Get-QADGroupMember Administrators

If you query from a different domain:

$a = Get-QADGroupMember administrators -Service DomainControllerName -credential (get-credential)

Note: -Credential may not be required.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow