Working with local Windows groups using the CIM cmdlets

Hello everyone,

I’m working on a collection of scripts to check and update the members of local groups across a range of servers following Richard’s excellent example available on the Hey, Scripting Guy! blog. Everything is fine save for the fact that each of the commands takes forever to run. I’ve tried the following on a number of 2012 R2 and 8.1 workstations on the domain:

$group = Get-CimInstance -ClassName Win32_Group  -Filter "Name = 'Administrators'"
Get-CimAssociatedInstance -InputObject $group -ResultClassName Win32_UserAccount | select -ExpandProperty Caption

All of the machines are of a decent specification and connected directly to the LAN but regardless of which one I choose Measure-Command reports an average run time of around 20 minutes. It’s the same whether I go for the CIM approach, the WMI approach or the AccountManagement class approach.

Can anyone suggest what I might be doing wrong?

Many thanks in advance.


Have you checked to see if it’s actually enumerating from the domain as well?

I ask because in most situations, querying Win32_UserAccount will get you the domain user list as well, which will obviously take a lot longer. That’s built into how the class works in the WMI repository, so how you access it - DCOM, CIM, whatever - wouldn’t matter. Note the docs for Win32_UserAccount, which say, “Note Because both the Name and Domain are key properties, enumerating Win32_UserAccount on a large network can negatively affect performance. Calling GetObject or querying for a specific instance has less impact.” Win32_Group is similar.

I tend to stick with the old-school WinNT:\ ADSI provider when I want to work with local groups, although it’s definitely more work since there’s nothing as convenient as an association class. There are certainly other approaches others might suggest, but since I have so much history in VBScript, that’s what I tend to do.
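The ADSI approach mentioned in the reply above, sketched in PowerShell as an added example that is not code from either poster: it binds straight to one local group through the WinNT provider instead of going through Win32_UserAccount. The function name Get-AdsiGroupMember and the IsLocal heuristic are hypothetical, and it assumes Windows PowerShell with rights to query the target machines.

```powershell
# Added example (hypothetical helper, not from the thread).
# Lists the members of one local group per computer via the ADSI WinNT provider.
function Get-AdsiGroupMember {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName = 'Administrators'
    )
    foreach ($computer in $ComputerName) {
        try {
            # Bind directly to the one group object on the target machine.
            $group = [ADSI]"WinNT://$computer/$GroupName,group"
            foreach ($member in @($group.psbase.Invoke('Members'))) {
                # Members are returned as COM objects, so read properties via reflection.
                $type  = $member.GetType()
                $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
                $class = $type.InvokeMember('Class', 'GetProperty', $null, $member, $null)
                [pscustomobject]@{
                    ComputerName = $computer
                    Group        = $GroupName
                    Member       = $path -replace '^WinNT://', '' -replace '/', '\'
                    Class        = $class   # typically User or Group
                    # Assumption: local accounts carry the machine name in their path
                    # (WinNT://DOMAIN/COMPUTER/name). Pass the real host name, not
                    # "." or "localhost", or this will always be False.
                    IsLocal      = $path -match "/$([regex]::Escape($computer))/[^/]+$"
                }
            }
        }
        catch {
            # Unreachable host, missing group or access denied: report and carry on.
            Write-Warning "Could not read '$GroupName' on ${computer}: $($_.Exception.Message)"
        }
    }
}

# Review the local Administrators group on this machine.
Get-AdsiGroupMember | Format-Table -AutoSize
```

Piping the output through `Where-Object { -not $_.IsLocal }` leaves only the domain principals that hold the group membership, which is usually the part worth reviewing on each server.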

Have you checked to see if it’s actually enumerating from the domain as well?

I have not, no, but that’d make perfect sense as our AD is enormous (terrifyingly so). I’ll look over the Win32_UserAccount documentation as you recommend and take a look at the ADSI provider. Having never used VBScript that syntax always looks a little … daunting. =)

Thanks for the lightning fast response.