How to avoid Get-ADGroupMember : The size limit for this request was exceeded

Hi
When reactivating a user's account I also want to add these users back into the security groups they were members of.

I’ve got this code

# One semicolon-separated string holding all group names
$inputstring = 'Domain Users;SyncedToAzure;Intune-Users;github-active-users;XC-UK-TOR02-N1-DSG-CHENNAI;All-Region-Users;OfficeM365License-Users;STANDARD DSEvolve Core Users;SyncedToUnily'
# Split the string into an array of group names and show it
$check = $inputstring.split(";")
$check
foreach ($adgroup in $check) {
    $samaccountname = "Samaccountname" #to be replaced by samaccountname
    # Enumerates every member of the group; this is the call that reports
    # "The size limit for this request was exceeded" on large groups
    $members = Get-ADGroupMember -Identity $adgroup -Recursive | Select-Object -ExpandProperty SamAccountName

    # Only add the user when not already a member
    If (!($members -contains $SamAccountName)) {
        Add-ADGroupMember -Identity $adgroup -Members $SamAccountName
        Write-Host "$SamAccountName added to $adgroup"
    } Else {
        Write-Host "$SamAccountName already exists in $adgroup"
    }
}


thanks for your suggestions as always

Paul

???

Is there a particular reason why you’re using such a weird way of creating an array? Why not use an array in the first place? … something like this:

$ADGroupList = 
'Domain Users',
'SyncedToAzure',
....,
'STANDARD DSEvolve Core Users',
'SyncedToUnily'

foreach ($adgroup in $ADGroupList) {

But actually you don’t need a loop at all …

Add-ADPrincipalGroupMembership -Identity $samaccountname -MemberOf $ADGroupList

Hi Olaf,
During the offboarding of the user the security groups are dumped into the info field under the Telephony tab.
When I need to reactivate the user I grab everything that is under the info field and add the user back to these security groups, but now I get stuck with the size limitation.

Hope this makes more sense.

OK, that explains why you’re using this approach to create an array.

But if the user was a member of these groups before the offboarding, why not add the user to all of them at once with “Add-ADPrincipalGroupMembership”? :man_shrugging:t3:

Olaf,
the answer to that is simple: I’ve been searching in the past to find a solution and I found the above script that suited my needs. And I just wanted to reuse this script when reactivating a user. But when I have to re-activate a couple of users I get into trouble with the max size exceeded.
Best regards

OK. That wasn’t actually meant as a question you should answer. :smirk:

Please try using “Add-ADPrincipalGroupMembership” instead of the code you’ve found and check if that solves your issue!!! :man_shrugging:t3:

Hi Olaf, this works. The only thing is that I now need to find a way to exclude items from the array like “domain users” and “STANDARD DSEvolve Core Users”.
Paul

How about a simple Where-Object for the array with the groups? :man_shrugging:t3:

Another thing I’m curious about is when I encounter a group to which I don’t have sufficient rights, like the “Standard Dsevolve” group: this causes the process to break, and in my original approach I just got the error message “insufficient rights” and the script continues.

So you should run the task with an account with sufficient rights. Otherwise you actually couldn’t complete the task properly.

I have already a high level of rights because of the on and offboarding but for Domain users and the DEsolve I don’t get sufficient permission to handle this because I would need Domain admin rights and my payslip is not supporting that level of access :slight_smile:

I actually don’t know what this is … but …

… this is wrong. You just need sufficient rights on the object.

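An added example (not code from any poster in this thread) that combines the suggestions above: filter the stored group list with Where-Object, avoid enumerating each group with Get-ADGroupMember, and keep going when a single group fails. The function name `Restore-GroupMembership`, its parameters and the account `jdoe` are hypothetical; it assumes the ActiveDirectory module is loaded and that only direct memberships need restoring.

```powershell
# Added example: hypothetical helper, not taken from the thread.
function Restore-GroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Semicolon-separated group names, e.g. the text saved at offboarding
        [Parameter(Mandatory)] [string] $GroupString,
        # Groups that must never be re-added by this script
        [string[]] $ExcludeGroup = @('Domain Users', 'STANDARD DSEvolve Core Users')
    )

    # Split the stored string, trim it, drop empty and excluded entries.
    $groups = $GroupString -split ';' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($_ -notin $ExcludeGroup) } |
        Select-Object -Unique

    # Read the user's direct memberships once. This replaces the per-group
    # Get-ADGroupMember call, which is what runs into the size limit.
    $user    = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $current = $user.MemberOf

    foreach ($name in $groups) {
        try {
            $group = Get-ADGroup -Identity $name -ErrorAction Stop
            if ($current -contains $group.DistinguishedName) {
                [pscustomobject]@{ Group = $name; Result = 'AlreadyMember' }
                continue
            }
            if ($PSCmdlet.ShouldProcess($name, "Add $SamAccountName")) {
                Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
                [pscustomobject]@{ Group = $name; Result = 'Added' }
            }
        }
        catch {
            # A failure on one group (for example insufficient rights) is
            # recorded in the output and the loop moves on to the next group.
            [pscustomobject]@{ Group = $name; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Constructed sample call; -WhatIf shows what would be added without changing anything.
# Restore-GroupMembership -SamAccountName 'jdoe' -GroupString 'SyncedToAzure;Intune-Users' -WhatIf
```

The function returns one object per group, so the result can be piped to Export-Csv or filtered for entries starting with `Failed` to keep a record of each reactivation.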