
Get-ADGroup Invalid Enumeration Context Error PowerShell


Hi There,

I'm really struggling with this Get-ADGroup / Get-ADUser command in my code. I'm getting an enumeration error after around 50,000 records, but there are around 600,000 records I need to collect!

I know that the general reason for this is that the enumeration counter expires after an amount of time, and that the solution is either to have indexes running on the AD so that the commands can run faster before the timer expires, or to use the DirectorySearcher tool instead.

I have tried to use the DirectorySearcher tool but I cannot get it to compile both Group and User objects.

Here is my code using the Get-AD commands:

Import-module ActiveDirectory
$Domain = 'domainname'
Get-ADGroup -Filter * -Properties * | ForEach-Object {
    $Group = $_
    Get-ADGroup $Group -Properties Members | Select-Object -ExpandProperty Members | Get-ADObject | ?{$_.ObjectClass -eq "user"} |
        Get-ADUser -Properties * | Select-Object @{
            Name = 'Domain'
            Expression = { $Domain }
        }, @{
            Name = 'Group Name'
            Expression = { $Group.Name }
        }, @{
            Name = 'Type'
            Expression = { $Group.GroupCategory }
        }, @{
            Name = 'Description'
            Expression = { $Group.Description }
        }, @{
            Name = 'Distinguished Name'
            Expression = { $Group.DistinguishedName }
        }, @{
            Name = 'Managed By'
            Expression = { $Group.ManagedBy }
        }, @{
            Name = 'Members'
            Expression = { $_.DistinguishedName }
        }, @{
            Name = 'Full Name'
            Expression = { $_.Name }
        }, @{
            Name = 'User Name'
            Expression = { $_.SamAccountName }
        }, @{
            Name = 'Display Name'
            Expression = { $_.DisplayName }
        }
} | Export-Csv -delimiter "`t" -path C:\Test11.txt -nti

And this is the searcher code I tried to create that didn't really work, which I could get to work just looking at groups, or just users, but not both:

$Domain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = $Domain
$Searcher.PageSize = 1000
$Searcher.SearchScope = "subtree"

$Searcher.PropertiesToLoad.Add("name") > $Null
$Searcher.PropertiesToLoad.Add("groupcategory") > $Null
$Searcher.PropertiesToLoad.Add("managedby") > $Null
$Searcher.PropertiesToLoad.Add("displayname") > $Null
$Searcher.PropertiesToLoad.Add("samaccountname") > $Null
$Searcher.PropertiesToLoad.Add("description") > $Null
$Searcher.PropertiesToLoad.Add("distinguishedname") > $Null
$Searcher.PropertiesToLoad.Add("memberof") > $Null
$Searcher.PropertiesToLoad.Add("member") > $Null

$Searcher.Filter = "(objectClass=group)"
$Groups = $Searcher.FindAll()
ForEach ($Group In $Groups)
{
    $GroupName = $Group.Properties.Item("name")
    $GroupCategory = $Group.Properties.Item("groupcategory")
    $ManagedBy = $Group.Properties.Item("managedby")
    $Member = $Group.Properties.Item("member")
    #$Searcher.Filter = "(&(objectClass=users)(samaccountname= $($GroupName)))"
    #$Users = $Searcher.FindAll()
    ForEach($User in $Member )
    #ForEach ($User In $Users)
    {
        $Name = $User.Properties.Item("name")
        $SamAccountName = $User.Properties.Item("samaccountname")
        $Description = $User.Properties.Item("description")
        $DistinguishedName = $User.Properties.Item("distinguishedname")
        $MemberOf = $User.Properties.Item("memberof")
        $DisplayName = $User.Properties.Item("displayname")
        $item = @{}
        $item.Domain = $Domain
        $item.GroupName = $GroupName
        $item.GroupCategory =  $GroupCategory
        $item.Description = $Description
        $item.DistinguishedName = DistinguishedName
        $item.MangedBy = $ManagedBy
        $item.Members = $MemberOf
        $item.FullName = $Name
        $item.UserName =  $SamAccountName
        $item.DisplayName =  $DisplayName
        $collection += New-Object psobject -Property $item
    }
}
$output = $collection | ConvertTo-Csv
$output | Export-Csv -delimiter "`t" -path C:\OO\ADTest\Test11.txt -nti

Is there definitely no way my Get-AD script can work, bypassing the enumeration error, as this script works perfectly up to that point? If not, can someone help me to get the DirectorySearcher working for both Users and Groups?

Thanks

EDIT: Here is the error I'm getting

Get-ADGroup : The server has returned the following error: invalid enumeration context.
At C:\Script.ps1:3 char:12
+ Get-ADGroup <<<< -Filter * -Properties * | ForEach-Object {
    + CategoryInfo          : NotSpecified: (:) [Get-ADGroup], ADException
    + FullyQualifiedErrorId : The server has returned the following error: invalid enumeration context.,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
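
One way to get both object types out of DirectorySearcher without a per-member lookup, as an added example that is not part of the original post: cache the groups with one paged search, then page through the users and join on `memberOf`. It assumes PowerShell 3.0 or later and a single domain; `domainname` and the output path are placeholders, `New-PagedSearcher` and `Get-First` are helper names made up here, and `memberOf` lists direct memberships only and omits each user's primary group.

```powershell
# Added example, not the poster's code. 'domainname' and $OutFile are placeholders.
$DomainLabel = 'domainname'
$OutFile     = 'C:\Temp\GroupMembers.txt'

function New-PagedSearcher([string]$Filter, [string[]]$Attributes) {
    # Defaults apply: SearchRoot = current domain, SearchScope = Subtree.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.PageSize = 1000   # a non-zero PageSize enables LDAP paged results
    $s.Filter   = $Filter
    $s.PropertiesToLoad.AddRange($Attributes)
    $s
}
function Get-First($Result, [string]$Name) {
    $v = $Result.Properties[$Name]   # $null when the attribute is absent
    if ($null -ne $v -and $v.Count -gt 0) { $v[0] }
}

# Pass 1: cache every group once, keyed by distinguished name.
$groupAttrs = 'name','grouptype','description','managedby','distinguishedname'
$groupHits  = (New-PagedSearcher '(objectCategory=group)' $groupAttrs).FindAll()
$groups = @{}
foreach ($g in $groupHits) { $groups[(Get-First $g 'distinguishedname')] = $g }

# Pass 2: stream users; group lookups are in memory, so pages drain quickly.
$userAttrs = 'name','samaccountname','displayname','distinguishedname','memberof'
$userHits  = (New-PagedSearcher '(&(objectCategory=person)(objectClass=user))' $userAttrs).FindAll()
& {
    foreach ($u in $userHits) {
        foreach ($groupDn in $u.Properties['memberof']) {
            $g = $groups[$groupDn]
            if ($null -eq $g) { continue }   # group is not in the cached set
            [pscustomobject]@{
                'Domain'             = $DomainLabel
                'Group Name'         = Get-First $g 'name'
                # groupCategory is not an LDAP attribute; a negative groupType means security group.
                'Type'               = if ([int](Get-First $g 'grouptype') -lt 0) { 'Security' } else { 'Distribution' }
                'Description'        = Get-First $g 'description'
                'Distinguished Name' = $groupDn
                'Managed By'         = Get-First $g 'managedby'
                'Members'            = Get-First $u 'distinguishedname'
                'Full Name'          = Get-First $u 'name'
                'User Name'          = Get-First $u 'samaccountname'
                'Display Name'       = Get-First $u 'displayname'
            }
        }
    }
} | Export-Csv -Delimiter "`t" -Path $OutFile -NoTypeInformation
$groupHits.Dispose(); $userHits.Dispose()
```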

