The Admin's Toolbox - PowerShell has limits… go old school! Dsquery

Hi All, the other day I had what I thought was a simple request: “create a report for all empty groups in the domain”. I thought to myself, that sounds easy enough. I should be able to use “Get-ADGroup piped to Get-ADGroupMember where member = 0”, output to file, DONE!

Here is my one-liner. I am setting the results as a variable; that will allow me to work with the output later.

$emptyGroups = Get-ADGroup -Filter * | Where-Object {@(Get-ADGroupMember $_).Length -eq 0}

Output to screen

Write-Host $emptyGroups.count -ForegroundColor Green "Number of empty groups"

After a few minutes I received the following error:

Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:60
+ $emptyGroups = Get-ADGroup -Filter * | Where-Object {@(Get-ADGroupMember $_) …
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=Domain Compu…t,DC=xxx,DC=org:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8227,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

A couple of quick searches later I found the answer: it looks like it is a limitation imposed by the Active Directory Web Service. ADWS is a requirement for utilizing the ActiveDirectory module for PowerShell. Now do I change the Microsoft.ActiveDirectory.WebServices.exe.config on every domain controller or find another way to get my report? Updating configs on DCs requires change management and approval, so I will schedule that change for another day. Now back to the task at hand. I was looking for empty groups, not ones with over 5000 users. What else can query AD? Then I remembered DSQUERY, the command line for querying AD; that should work. Let's see if it will query for groups.

PS C:\>Dsquery

dsquery computer – finds computers in the directory.
dsquery contact – finds contacts in the directory.
dsquery subnet – finds subnets in the directory.
dsquery group – finds groups in the directory.
dsquery ou – finds organizational units in the directory.
dsquery site – finds sites in the directory.
dsquery server – finds AD DCs/LDS instances in the directory.
dsquery user – finds users in the directory.
dsquery quota – finds quota specifications in the directory.
dsquery partition – finds partitions in the directory.
dsquery * – finds any object in the directory by using a generic LDAP query.

 

Now let's see if I can find the empty groups using the built-in search options.

The exclamation point – ! – indicates a NOT filter. This should list all the groups that do not have members.

-limit <NumberOfObjects>  Specifies the number of objects to return that matches the criteria that you specify. If you specify a value of 0 for <NumberOfObjects>, this parameter returns all matching objects. If you do not specify this parameter, dsquery displays the first 100 results by default.

C:\>dsquery group "(&(!member=*))" -limit 0

dsquery failed:No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest.

Hmm, so that did not work. Let's see here, maybe search for everything “*” and then apply a filter for object type group.

 

DSQuery * -Filter "(&(objectClass=group)(!member=*))" -Limit 0

-filter <LDAPFilter>  Specifies to use an explicit search filter, <LDAPFilter>, in the LDAP search filter format. For example, a valid search filter is (&(objectCategory=Person)(sn=smith*)). The default value for <LDAPFilter> is (objectClass=*).

That worked, woohoo! Now let's see if I can run that from PowerShell.

$emptygroupsdsq = $(DSQuery * -Filter "(&(objectClass=group)(!member=*))" -Limit 0)

Hmm, the output is a DN; I wonder if I can clean that up? I should be able to pipe it to a regular expression.

$emptygroupsdsq = $(DSQuery * -Filter "(&(objectClass=group)(!member=*))" -Limit 0) | %{$_.Split("=")[1].replace(",OU","").replace(",CN","")}

That did it, now I have a human readable report.  Now about updating Microsoft.ActiveDirectory.WebServices.exe.config…
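An added example, not from the original post: the Split/Replace cleanup above leaves a trailing ",DC" when a group sits directly under the domain root and keeps the backslash in names that contain an escaped comma. The sketch below parses the quoted DNs that dsquery prints into a group name and parent container; the ConvertFrom-GroupDN helper and the sample DNs are hypothetical and constructed for illustration.

```powershell
# Constructed sample of dsquery output (one quoted DN per line); not real directory data.
$sampleDsqueryOutput = @(
    '"CN=Empty Admins,OU=Groups,DC=example,DC=org"'
    '"CN=Legacy App Users,CN=Users,DC=example,DC=org"'
    '"CN=Root Level Group,DC=example,DC=org"'
    '"CN=Finance\, EMEA,OU=Groups,DC=example,DC=org"'
)

function ConvertFrom-GroupDN {
    # Hypothetical helper: turns one DN string into a name plus parent container.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$DistinguishedName
    )
    process {
        # dsquery wraps each DN in double quotes; strip them first.
        $dn = $DistinguishedName.Trim().Trim('"')

        # Split only on commas that are not preceded by a backslash,
        # so "Finance\, EMEA" stays one RDN.
        $parts = [regex]::Split($dn, '(?<!\\),')

        # First RDN is the group itself: drop the attribute type (CN=)
        # and remove the escape backslashes for display.
        $name = ($parts[0] -replace '^[^=]+=', '') -replace '\\(.)', '$1'

        [pscustomobject]@{
            Name              = $name
            Parent            = ($parts | Select-Object -Skip 1) -join ','
            DistinguishedName = $dn
        }
    }
}

$report = $sampleDsqueryOutput | ConvertFrom-GroupDN
$report | Format-Table Name, Parent -AutoSize

# Against a live domain, the same helper takes the dsquery output directly:
#   DSQuery * -Filter "(&(objectClass=group)(!member=*))" -Limit 0 | ConvertFrom-GroupDN
# and the objects can be written to a file with Export-Csv.
```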

March 25th, 2015 | PowerShell

About the Author:

Chris Meyers
Consultant – Model Technology Solutions Chris has more than 20 years of industry experience. Prior to his work with Model, Chris worked for one of St. Louis’ largest law firms where his responsibilities ranged from implementing Citrix to automating desktop deployments to virtualizing the datacenter. He has also worked with Microsoft’s Rapid Deployment Program to bring new technologies to one of the three largest consumer credit reporting agencies in the US.
