4

I would like to get all members (mail address) of a certain distribution list. Currently I just receive the first 1500 members. My script looks like this:

```powershell
$group = [ADSI]"LDAP://CN=distListOne,OU=Groups,DC=XYZ,DC=XYZ"
$group.member.count ##Always 1500
foreach($member in $group.member)
{
    $filter = "LDAP://"+$member
    $user = [ADSI]$filter
    $user.properties.mail | out-file "C:\distrUser.txt" -append
}
```

I know that there are more than 1500 users in the distribution list. I need to somehow extend the maximum number of received group members.

RBT
andreaspfr
  • 1
    You need to check out the `PageSize` property of the `DirectorySearcher` ([MSDN docs](http://msdn.microsoft.com/en-us/library/system.directoryservices.directorysearcher.pagesize.aspx) ) - setting that value to something (instead of leaving it 0) will start "paged searching" to allow AD to return more than 1500 members – marc_s Aug 16 '12 at 09:38
  • I do not use the DirectorySearcher. However I tried it with the DirectorySearcher. I increased the pageSize to 3000. The problem is that the members are an attribute of the DirectorySearcher Result. So I think the PageSize just refers to this and not to the attribute. – andreaspfr Aug 16 '12 at 09:49
  • **Important Info**: It is important to know the context of the list that we are trying to loop through. We might want to loop through a _list of LDAP records_ (aka DirectoryEntry) OR the value of an attribute of an LDAP record can be of list type. Looping through LDAP records is relatively trivial. But looping through values (list of key-value pairs) of an attribute of an LDAP record is tricky e.g. _memberOf_ attribute. Related Ans: [paging through DirectoryEntry records vs Range retrieval for list values of an attribute of a DirectoryEntry record](https://stackoverflow.com/a/12274460/465053) – RBT Apr 18 '23 at 03:06

3 Answers

3

You need to change your code to use a DirectorySearcher approach, and check out the PageSize property of the DirectorySearcher.

Setting that value to something (instead of leaving it 0) will start paged searching to allow AD to return more than 1500 members. It is recommended to set the PageSize to a sensible value like 500 or 1000 - if you set it too high (higher than the system limit of 1500), it will be ignored and won't work!

See some other blog posts on how to tackle this problem:

Flores
marc_s
  • 1
    You're thinking of # of objects, not # of values. See my answer (that I'm about to post :)) – Eric Fleischman Aug 23 '12 at 20:44
  • Also, switching to memberOf rather than just doing ranged retrieval for member is not a good path...it has other side effects that you don't intend (doesn't work well x-domain w/o chasing referrals, security visibility issues, ...) – Eric Fleischman Sep 05 '12 at 04:08
3

When retrieving a large attribute you need to ask for the values in it in batches. This is often called "ranged retrieval" in directory speak. Nearly every well behaving MSFT LDAP API supports this, including ADSI... http://msdn.microsoft.com/en-us/library/windows/desktop/ms676302(v=vs.85).aspx

Eric Fleischman
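Ranged retrieval as described in the answer above, as an added example that is not part of the original post. The function name `Get-GroupMemberRanged` and its parameter are hypothetical; it assumes a domain-joined Windows host and uses the group DN and output path from the question.

```powershell
# Added example: read every value of a large "member" attribute in batches.
function Get-GroupMemberRanged {
    param(
        [Parameter(Mandatory)] [string] $GroupDN   # distinguished name of the group
    )
    $entry    = [ADSI]"LDAP://$GroupDN"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $searcher.Filter      = '(objectClass=*)'

    $low  = 0
    $done = $false
    while (-not $done) {
        # Ask for values starting at index $low; the server decides how many
        # it returns per batch (1500 in the question's environment).
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=$low-*")
        $result = $searcher.FindOne()
        if ($null -eq $result) { break }

        # The attribute comes back named with the range actually served,
        # e.g. "member;range=0-1499", or "member;range=3000-*" for the last batch.
        $name = $result.Properties.PropertyNames |
            Where-Object { $_ -like 'member;range=*' } |
            Select-Object -First 1
        if (-not $name) { break }          # empty group: no member values at all

        $values = $result.Properties[$name]
        $values                            # emit this batch of member DNs

        if ($name.EndsWith('-*')) {
            $done = $true                  # upper bound "*" marks the final batch
        } else {
            $low += $values.Count          # continue after the last value received
        }
    }
}

# Usage with the DN from the question: resolve each member DN to its mail value.
Get-GroupMemberRanged -GroupDN 'CN=distListOne,OU=Groups,DC=XYZ,DC=XYZ' |
    ForEach-Object { ([ADSI]"LDAP://$_").Properties['mail'] } |
    Out-File 'C:\distrUser.txt'
```

Members without a `mail` value produce no output line, so the file can be shorter than the member count.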
0

This will work quite nicely; it requires the Active Directory module:

```powershell
(Get-ADGroup $Group -Properties members).members
```

Bill