0 votes

We are using ADSI to pull current members and another attribute and comparing the two attributes. To give some background, we are using this other attribute to house a controlled list of members. This is for compliance reasons. Both attributes are native AD multivalue attributes. If I pull the AD group members using "get-admgroupmember", this number is correct. If I pull just the attribute value using get-admgroup $group -AdaxesService $server -Properties $attribute | Select -expand $attribute, I only get back 1500 values. If I run the same command with the native AD commandlet (get-adgroup), I get back the right number.

I would like to run the ADSI command ($Context.TargetObject.GetEx("Member")) because it seems to be much faster. Is there a possibility of expanding the number of values that get pulled?

by (6.3k points)

1 Answer

0 votes
by (194k points)

Hello Mark,

To obtain all the members of a group bypassing the 1500 limitation, you need to use Adaxes virtual properties adm-DirectMembersGuid and adm-MembersGuid. The first property is used to retrieve only direct members of a group while the second one is used to retrieve all group members including members of nested groups. For scripts executed via the Run a program or PowerShell script action (e.g. in a custom command configured for the Group object type) the code will be as follows:

$directMembers = $Context.TargetObject.GetEx("adm-DirectMembersGuid")

$allMembers = $Context.TargetObject.GetEx("adm-MembersGuid")

If you need to execute the script outside Adaxes, have a look at the following samples in our SDK: http://adaxes.com/sdk/SampleScripts.GettingGroupMembers.

0

Ok that will work for Members but what about other attributes/properties?

0

Hello Mark,

Sorry for the confusion, but we are not sure what exactly you mean. What attribute are you using? How are values stored in it? The thing is that, per our check, by default it is not possible to have a multi-valued attribute with 1500 values. This restriction comes from Active Directory, not Adaxes.

0

No problem. We have a custom AD attribute that has been created exactly like the Member/MemberOf attributes called linked attributes. They can contain over 1500 values. We are using it as a "controlled" list of users that should be members. If someone is added to a group using the wrong process, we check it against this controlled list.
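
Outside Adaxes, a capped read of a large multivalued attribute can be completed with LDAP range retrieval, which applies to any multivalued attribute and not only to member. The following is an added example, not code from this thread or from the Adaxes SDK; it uses .NET System.DirectoryServices, assumes the custom linked attribute stores DNs, and the group DN and the attribute name contosoControlledMembers are hypothetical placeholders.

```powershell
# Added example: LDAP range retrieval via System.DirectoryServices (not Adaxes code).
function Get-AllAttributeValues {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [Parameter(Mandatory)] [string] $Attribute
    )
    $entry  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$GroupDN")
    $values = New-Object 'System.Collections.Generic.List[string]'
    $start  = 0
    while ($true) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
        $searcher.Filter = '(objectClass=*)'
        # Ask for everything from $start on; the server caps each answer
        # (1500 values by default) and reports the range it actually returned.
        [void]$searcher.PropertiesToLoad.Add("$Attribute;range=$start-*")
        $result = $searcher.FindOne()
        if ($null -eq $result) { break }
        $name = $result.Properties.PropertyNames |
            Where-Object { $_ -like "$Attribute;range=*" } |
            Select-Object -First 1
        if (-not $name) { break }                      # attribute has no values
        foreach ($v in $result.Properties[$name]) { $values.Add([string]$v) }
        if ($name.EndsWith('-*')) { break }            # "-*" marks the last chunk
        if ($name -notmatch 'range=\d+-(\d+)$') { break }
        $start = [int]$Matches[1] + 1                  # continue after the upper bound
    }
    $entry.Dispose()
    return $values
}

# Hypothetical placeholders: replace with your group DN and custom attribute name.
$groupDN       = 'CN=Finance-Approvers,OU=Groups,DC=example,DC=com'
$controlledAtt = 'contosoControlledMembers'

$members    = @(Get-AllAttributeValues -GroupDN $groupDN -Attribute 'member')
$controlled = @(Get-AllAttributeValues -GroupDN $groupDN -Attribute $controlledAtt)

# DNs compare case-insensitively; report members that are not on the controlled list.
$allowed = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
foreach ($dn in $controlled) { [void]$allowed.Add($dn) }
$members | Where-Object { -not $allowed.Contains($_) }
```

A group DN containing characters that are special in an ADsPath (such as "/") must be escaped before it is placed in the LDAP:// path.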
