0 votes

We are using ADSI to pull current members and another attribute and comparing the two attributes. To give some background, we are using this other attribute to house a controlled list of members. This is for compliance reasons. Both attributes are native AD multivalue attributes. If I pull the ad group members using "get-admgroupmember" this number is correct. If I pull just the attribute value using get-admgroup $group -AdaxesService $server -Properties $attribute | Select -expand $attribute, I only get back 1500 values. If I run the same command with the native AD commandlet (get-adgroup), I get back the right number.

I would like to run the ADSI command ($Context.TargetObject.GetEx("Member")) because they seem to be much faster. Is there a possibility of expanding the amount of values that get pulled?

by (2.3k points)

1 Answer

0 votes
by (294k points)
selected by
Best answer

Hello Mark,

To obtain all the members of a group bypassing the 1500 limitation, you need to use Adaxes virtual properties adm-DirectMembersGuid and adm-MembersGuid. The first property is used to retrieve only direct members of a group while the second one is used to retrieve all group members including members of nested groups. For scripts executed via the Run a program or PowerShell script action (e.g. in a custom command configured for the Group object type) the code will be as follows:

$directMembers = $Context.TargetObject.GetEx("adm-DirectMembersGuid")

$allMembers = $Context.TargetObject.GetEx("adm-MembersGuid")

If you need to execute the script outside Adaxes, have a look at the following samples in our SDK: http://adaxes.com/sdk/SampleScripts.GettingGroupMembers.

0

Ok that will work for Members but what about other attributes/properties?

0

Hell Mark,

Sorry for the confusion, but we are not sure what exactly you mean. What attribute are you using? How are values stored in it? The thing is that, per our check by default it is not possible to have a multi-valued attribute with 1500 values. This restriction comes from Active Directory, not Adaxes.

0

No problem. We have a custom AD attribute that has been created exactly like the Member/MemberOf attributes called linked attributes. They can contain over 1500 values. We are using it as a "controlled" list of users that should be members. If someone is added to a group using the wrong process, we check it against this controlled list.

0

Thoughts?

0

I never got an answer on this. Any updates? Thank you.

0

Hello Mark,

Sorry for the confusion, but we are still not sure what exactly you need to achieve. As per our check, it is not possible to have a multi-valued non-DN syntax attribute with 1500 or more values. Could you, please, specify what exactly you store, how and what attribute(s) is used?

0

The memberOf attribute is a type of attribute called a linked attribute. There are others but this is a multi-valued linked attribute. This allows the object to contain more than 1500 values in AD. We created a similar one here to contain the "controlled" members of the group. We then check the controlled members against the members to determine if the person should be in the group or not. We then add or remove in order to get the list back to its controlled values.

Here is a microsoft document on linked and non-linked attributes. https://social.technet.microsoft.com/wiki/contents/articles/31919.active-directory-non-linked-multi-valued-attribute-size-limits.aspx

Also, the values are DNs in the custom attribute, just like members.

0

Hello Mark,

Thank you for the provided details. In this case, you will need to perform a search in the values of the required attribute. It can be done using the below script. In the script, the $attributeName variable specified the LDAP name of the attribute to search in.

$attributeName = "MyDNAttribute" # TODO: modify me

# Search parameters
$firstGroup = $Context.BindToObjectByDN("%distinguishedName%")
$firstGroup.SearchFilter = "(objectClass=*)"
$firstGroup.SearchScope = "ADS_SCOPE_BASE"
$firstGroup.PageSize = 500
$firstGroup.AttributeScopeQuery = $attributeName

try
{
    # Execute search
    $searchIterator = $firstGroup.ExecuteSearch()
    $searchResults = $searchIterator.FetchAll()
}
finally
{
    # Release resources
    if ($searchIterator){ $searchIterator.Dispose() }
}

Related questions

0 votes
1 answer

We have a business rule that will update an AD attribute when a new member is added to a group. This business rule works when we use powershell commands or the admin console ... set to trigger "After adding a member to a group". Thank you for your support!

asked Mar 29, 2023 by mark.it.admin (2.3k points)
0 votes
1 answer

Code is below. But the subject says it all. When I run the command targeted in this function via the Adaxes GUI or the web interface, it runs without issue. When run using this ... = $null } } end { $admNS = $admService = $credUser = $credPwd = $null } }

asked Apr 3 by jrtolle (20 points)
0 votes
1 answer

Hello, I'm trying to execute a custom command through a Powershell script, but I'm struggling to pass multiple values to an AD Object Picker parameter. ... , $NULL, $NULL, 0) $obj.ExecuteCustomCommand($command.CommandID, $commandArguments) Thanks in advance!

asked Nov 24, 2021 by KelseaIT (320 points)
0 votes
1 answer

I had a business rules that had a PowerShell script to update User properties in a SQL table. It was working fine. I moved the PowerShell to a custom command so I could ... in the custom command does get the values for the User object. Am I missing something?

asked Jun 2, 2014 by sdavidson (730 points)
0 votes
1 answer

Hi again : ) I would like to restrict adding members to specific groups only via Custom Command / Executed via PowerShell. Why? We need information from Helpdesk like Ticket ID ... me know if you need more clarification and I am happy to share details. Thanks!

asked May 21 by wintec01 (1.5k points)
3,589 questions
3,278 answers
8,303 comments
548,153 users