0 votes

We are using ADSI to pull current members and another attribute and comparing the two attributes. To give some background, we are using this other attribute to house a controlled list of members. This is for compliance reasons. Both attributes are native AD multivalue attributes. If I pull the ad group members using "get-admgroupmember" this number is correct. If I pull just the attribute value using get-admgroup $group -AdaxesService $server -Properties $attribute | Select -expand $attribute, I only get back 1500 values. If I run the same command with the native AD commandlet (get-adgroup), I get back the right number.

I would like to run the ADSI command ($Context.TargetObject.GetEx("Member")) because it seems to be much faster. Is there a possibility of expanding the amount of values that get pulled?

by (2.3k points)

1 Answer

0 votes
by (270k points)
selected by
Best answer

Hello Mark,

To obtain all the members of a group bypassing the 1500 limitation, you need to use Adaxes virtual properties adm-DirectMembersGuid and adm-MembersGuid. The first property is used to retrieve only direct members of a group while the second one is used to retrieve all group members including members of nested groups. For scripts executed via the Run a program or PowerShell script action (e.g. in a custom command configured for the Group object type) the code will be as follows:

# Direct members only (bypasses the 1500-value range limit of "member")
$directMembers = $Context.TargetObject.GetEx("adm-DirectMembersGuid")
# All members, including members of nested groups
$allMembers = $Context.TargetObject.GetEx("adm-MembersGuid")

If you need to execute the script outside Adaxes, have a look at the following samples in our SDK: http://adaxes.com/sdk/SampleScripts.GettingGroupMembers.

0

Ok that will work for Members but what about other attributes/properties?

0

Hello Mark,

Sorry for the confusion, but we are not sure what exactly you mean. What attribute are you using? How are values stored in it? The thing is that, per our check, by default it is not possible to have a multi-valued attribute with 1500 values. This restriction comes from Active Directory, not Adaxes.

0

No problem. We have a custom AD attribute that has been created exactly like the Member/MemberOf attributes called linked attributes. They can contain over 1500 values. We are using it as a "controlled" list of users that should be members. If someone is added to a group using the wrong process, we check it against this controlled list.

0

Thoughts?

0

I never got an answer on this. Any updates? Thank you.

0

Hello Mark,

Sorry for the confusion, but we are still not sure what exactly you need to achieve. As per our check, it is not possible to have a multi-valued non-DN syntax attribute with 1500 or more values. Could you, please, specify what exactly you store, how and what attribute(s) is used?

0

The memberOf attribute is a type of attribute called a linked attribute. There are others but this is a multi-valued linked attribute. This allows the object to contain more than 1500 values in AD. We created a similar one here to contain the "controlled" members of the group. We then check the controlled members against the members to determine if the person should be in the group or not. We then add or remove in order to get the list back to its controlled values.

Here is a microsoft document on linked and non-linked attributes. https://social.technet.microsoft.com/wiki/contents/articles/31919.active-directory-non-linked-multi-valued-attribute-size-limits.aspx

Also, the values are DNs in the custom attribute, just like members.

0

Hello Mark,

Thank you for the provided details. In this case, you will need to perform a search in the values of the required attribute. It can be done using the below script. In the script, the $attributeName variable specifies the LDAP name of the attribute to search in.

$attributeName = "MyDNAttribute" # TODO: modify me

# Search parameters: an attribute-scoped query with base scope enumerates the
# objects referenced by the DN values of $attributeName on the group itself,
# so the 1500-value range limit on reading the attribute does not apply
$firstGroup = $Context.BindToObjectByDN("%distinguishedName%")
$firstGroup.SearchFilter = "(objectClass=*)"
$firstGroup.SearchScope = "ADS_SCOPE_BASE"
$firstGroup.PageSize = 500
$firstGroup.AttributeScopeQuery = $attributeName

$searchIterator = $NULL
try
{
    # Execute search
    $searchIterator = $firstGroup.ExecuteSearch()
    $searchResults = $searchIterator.FetchAll()

    # Each result is one object referenced by a value of the attribute
    foreach ($searchResult in $searchResults)
    {
        $Context.LogMessage($searchResult.AdsPath, "Information")
    }
}
finally
{
    # Release resources
    if ($searchIterator){ $searchIterator.Dispose() }
}
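
As an added example (not part of the original answer and not an Adaxes SDK sample), the attribute-scoped search above wrapped in a function and run twice, once for "member" and once for the custom controlled-list attribute, so both sides are read past the 1500-value limit and then compared as the compliance check described earlier in the thread. The function name Get-AttributeScopedDNs and the attribute name "MyControlledMembers" are assumptions; SetPropertiesToLoad and the Properties collection on each search result are standard Adaxes searcher calls not shown on this page. The script only reports differences; it does not modify the group.

```powershell
# Added example: runs inside an Adaxes custom command for a Group object.
$controlledAttribute = "MyControlledMembers" # assumption: your custom DN-syntax linked attribute

function Get-AttributeScopedDNs($groupDN, $attributeName)
{
    # Returns a case-insensitive set of the distinguishedNames referenced
    # by a DN-syntax attribute, enumerated via an attribute-scoped search
    $searcher = $Context.BindToObjectByDN($groupDN)
    $searcher.SearchFilter = "(objectClass=*)"
    $searcher.SearchScope = "ADS_SCOPE_BASE"
    $searcher.PageSize = 500
    $searcher.AttributeScopeQuery = $attributeName
    $searcher.SetPropertiesToLoad(@("distinguishedName"))

    $dns = New-Object "System.Collections.Generic.HashSet[string]" `
        -ArgumentList @([System.StringComparer]::OrdinalIgnoreCase)
    $searchIterator = $NULL
    try
    {
        $searchIterator = $searcher.ExecuteSearch()
        foreach ($searchResult in $searchIterator.FetchAll())
        {
            [void]$dns.Add($searchResult.Properties["distinguishedName"].Value)
        }
    }
    finally
    {
        if ($searchIterator) { $searchIterator.Dispose() }
    }
    # -NoEnumerate keeps the set intact instead of unrolling it into strings
    Write-Output $dns -NoEnumerate
}

$groupDN    = "%distinguishedName%"
$actual     = Get-AttributeScopedDNs $groupDN "member"
$controlled = Get-AttributeScopedDNs $groupDN $controlledAttribute

# Members present in AD but absent from the controlled list (added outside the process)
$unexpected = @($actual | Where-Object { -not $controlled.Contains($_) })
# Controlled entries that are not actually members of the group
$missing    = @($controlled | Where-Object { -not $actual.Contains($_) })

foreach ($dn in $unexpected) { $Context.LogMessage("Not in controlled list: $dn", "Warning") }
foreach ($dn in $missing)    { $Context.LogMessage("Missing from group: $dn", "Warning") }
$Context.LogMessage(("Members: {0}; controlled: {1}; unexpected: {2}; missing: {3}" -f `
    $actual.Count, $controlled.Count, $unexpected.Count, $missing.Count), "Information")
```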
