tl;dr: How to overcome the System.DirectoryServices.DirectoryEntry
size limitation of 1500 members when modifying an AD group?
In the past I made a PowerShell script that basically scans (now more than) 50 AD locations for members, and adds them all to a common group. Full documentation and source available here: http://fsteff.blogspot.co.uk/2015/10/adldap-user-directories-setup-in.html
I use the following object to hold all the members of the group:
$oGroup = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "$LDAP/$GroupDN", $sUser, $sPass
and use the following two commands to first add new members, and then remove expired members:
$oGroup.Invoke("add", "$LDAP/$userDN")
$oGroup.Invoke("remove","$LDAP/$Member")
When the search is complete, I commit the change to AD using:
$oGroup.CommitChanges()
$oGroup.RefreshCache()
$oGroup.Close()
This is all working fine, with the exception that I've now found out that System.DirectoryServices.DirectoryEntry has a size limitation which truncates the member list to 1500 members.
I've been searching online, and have found several options to overcome the size limitation when reading the group, using various ways of chunking the data. However, none of those can be used in this situation, as I need to create and commit to AD a group with more than 1500 members.
Advice or pointers for a solution are highly appreciated.
Note 1: Yes, I could swap the order of 'add' and 'remove' to perhaps save some entries, but I'm missing hundreds of members, so it wouldn't suffice.
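For reference, here is an added example (not the poster's script, and not taken from the linked blog post) of the two pieces a script like this needs: reading the full member list past the 1500-value cap with LDAP range retrieval (the `member;range=N-*` attribute syntax that the AD LDAP server answers in slices), and then queuing adds and removes through `Properties['member']` and committing them in batches. It reuses the question's `$LDAP`, `$GroupDN`, `$sUser` and `$sPass` variables; the function names, the batch size of 500 and the sample usage at the end are my own assumptions.

```powershell
# Added example, not the poster's code. Assumes $LDAP (e.g. "LDAP://dc01.example.com"),
# $GroupDN, $sUser and $sPass are set as in the question.

function Get-AllGroupMembers {
    param([string]$GroupPath, [string]$User, [string]$Pass)
    # DirectoryEntry.Properties['member'] only holds the first slice the DC returns
    # (MaxValRange, 1500 by default). Asking for member;range=<start>-* makes the DC
    # answer slice by slice until it reports the last one with a trailing "-*".
    $entry   = New-Object System.DirectoryServices.DirectoryEntry($GroupPath, $User, $Pass)
    $members = New-Object System.Collections.Generic.List[string]
    $start   = 0
    while ($true) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $searcher.Filter      = '(objectClass=group)'
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
        $searcher.PropertiesToLoad.Add("member;range=$start-*") | Out-Null
        $result = $searcher.FindOne()
        # The DC renames the attribute to the range it actually served,
        # e.g. "member;range=0-1499", or "member;range=1500-*" for the final slice.
        $returned = $result.Properties.PropertyNames |
            Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $returned) { break }                       # empty group
        foreach ($dn in $result.Properties[$returned]) { $members.Add($dn) }
        if ($returned.EndsWith('-*')) { break }             # last slice received
        $start = $members.Count                              # next slice starts here
    }
    $entry.Close()
    return $members
}

function Set-GroupMembership {
    param(
        [string]$GroupPath, [string]$User, [string]$Pass,
        [string[]]$DesiredDNs,
        [int]$BatchSize = 500   # assumption: keeps each LDAP modify request small
    )
    $current = Get-AllGroupMembers -GroupPath $GroupPath -User $User -Pass $Pass
    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $currentSet = New-Object 'System.Collections.Generic.HashSet[string]' ($cmp)
    foreach ($dn in $current)    { $currentSet.Add($dn) | Out-Null }
    $desiredSet = New-Object 'System.Collections.Generic.HashSet[string]' ($cmp)
    foreach ($dn in $DesiredDNs) { $desiredSet.Add($dn) | Out-Null }

    # Compute the delta against the complete list, so members beyond the first 1500
    # are neither re-added nor wrongly treated as expired.
    $toAdd    = @($DesiredDNs | Where-Object { -not $currentSet.Contains($_) })
    $toRemove = @($current    | Where-Object { -not $desiredSet.Contains($_) })

    $group = New-Object System.DirectoryServices.DirectoryEntry($GroupPath, $User, $Pass)

    # Adds and removes are committed in separate rounds: each CommitChanges sends one
    # LDAP modify carrying only the values queued since the previous commit.
    for ($i = 0; $i -lt $toAdd.Count; $i += $BatchSize) {
        $end = [Math]::Min($i + $BatchSize, $toAdd.Count) - 1
        foreach ($dn in $toAdd[$i..$end]) { $group.Properties['member'].Add($dn) | Out-Null }
        $group.CommitChanges()
    }
    for ($i = 0; $i -lt $toRemove.Count; $i += $BatchSize) {
        $end = [Math]::Min($i + $BatchSize, $toRemove.Count) - 1
        foreach ($dn in $toRemove[$i..$end]) { $group.Properties['member'].Remove($dn) }
        $group.CommitChanges()
    }
    $group.Close()
    return @{ Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Constructed usage (placeholder file name, not from the question):
# $desired = Get-Content .\desired-member-dns.txt
# Set-GroupMembership -GroupPath "$LDAP/$GroupDN" -User $sUser -Pass $sPass -DesiredDNs $desired
```

The important difference from the question's approach is that the "expired" set is derived from the complete, range-retrieved member list rather than from the 1500 values the DirectoryEntry cache exposes, so a member that sits past the cap is not silently dropped from the comparison. Writing through `Properties['member']` plus `CommitChanges()` also lets you decide the batch size yourself instead of one round trip per `Invoke("add")`.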