Adding members to groups with +1500 members in PowerShell

Windows Active Directory has no real hard limit on the number of members a group can hold. It does, however, have soft limits.

Any ADSI or WMI query that reads the member list of a group returns at most 1000 members in Windows 2000 mode, or 1500 in Windows 2003 native mode. Only by using ADO range retrieval can you read past this soft limit.

This shouldn’t pose a problem when you are just adding members to an already big group. However, it does.

# Bind to the user and the group (the variable names are the original post's; both are directory objects, not OUs)
$userOU = [ADSI] "LDAP://cn=myUser,ou=Users,dc=contoso,dc=com"
$groupOU = [ADSI] "LDAP://cn=myGroup,ou=Users,dc=contoso,dc=com"
# Reads the member list back (truncated to the soft limit) and writes it out again with the new DN appended
$groupOU.Member = $groupOU.Member + $userOU.distinguishedName
$groupOU.SetInfo()

Adding the myUser user to the myGroup group works fine as long as the group has fewer than 1500 members. Once it has more, the group suddenly loses members until you are left with just 1500 members plus the one you added.

What actually happens is self-explanatory when reading the code: the group's member attribute is set to the member list that was read back plus the new member. Since the read returns only 1500 members, adding one and writing the result back leaves you with 1501 members, not your original count + 1.

A workaround is this:

# ADS_PROPERTY_APPEND from the ADS_PROPERTY_OPERATION_ENUM: add values without touching the existing ones
$ADS_PROPERTY_APPEND = 3
$userOU = [ADSI] "LDAP://cn=myUser,ou=Users,dc=contoso,dc=com"
$groupOU = [ADSI] "LDAP://cn=myGroup,ou=Users,dc=contoso,dc=com"
# Send only the new DN to the directory; the current member list is never read back
$groupOU.putEx($ADS_PROPERTY_APPEND, "member", @($userOU.distinguishedname))
$groupOU.SetInfo()

In this workaround, we use putEx to append a member to the group instead of loading the full member list (capped at 1500 entries) and writing it back with the new member added. Because the existing members are never read, the soft limit cannot truncate the group.
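The following script is an added example and is not code from the original post. It wraps the putEx append in a function and verifies the result by counting the group's members through LDAP range retrieval, which is the only way to read a member list longer than the soft limit. The group and user DNs, the function names and the container paths are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumed DNs and function names.
$ADS_PROPERTY_APPEND = 3

function Get-GroupMemberDns {
    # Reads the complete member list of a group by asking for it in ranges,
    # so groups with more than 1500 members are returned in full.
    param([string]$GroupDn)
    $entry    = [ADSI]"LDAP://$GroupDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, "(objectClass=group)")
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $members = New-Object System.Collections.Generic.List[string]
    $start = 0
    while ($true) {
        $searcher.PropertiesToLoad.Clear()
        # Ask for everything from $start onwards; the server clamps the chunk to its own limit.
        [void]$searcher.PropertiesToLoad.Add("member;range=$start-*")
        $result = $searcher.FindOne()
        if ($null -eq $result) { break }
        # The returned attribute name carries the range actually served,
        # e.g. "member;range=0-1499" when more remain, or "member;range=1500-*" for the last chunk.
        $key = $result.Properties.PropertyNames |
               Where-Object { $_ -like 'member;range=*' } |
               Select-Object -First 1
        if (-not $key) { break }                     # empty group, or nothing left to read
        foreach ($dn in $result.Properties[$key]) { $members.Add([string]$dn) }
        if ($key -match 'range=\d+-\*$') { break }    # final chunk served
        [void]($key -match 'range=\d+-(\d+)$')
        $start = [int]$Matches[1] + 1                 # next chunk starts after the last index served
    }
    return $members
}

function Add-GroupMemberSafely {
    # Appends one DN with putEx and checks that the member count grew by exactly one.
    param([string]$GroupDn, [string]$UserDn)
    $before = (Get-GroupMemberDns -GroupDn $GroupDn).Count
    $group  = [ADSI]"LDAP://$GroupDn"
    try {
        # Only the new DN is sent; the existing list is never read back,
        # so the 1500-value soft limit cannot truncate the group.
        $group.PutEx($ADS_PROPERTY_APPEND, "member", @($UserDn))
        $group.SetInfo()
    } catch {
        # SetInfo fails, among other reasons, when the DN is already a member.
        throw "Could not append $UserDn to $GroupDn : $($_.Exception.Message)"
    }
    $after = (Get-GroupMemberDns -GroupDn $GroupDn).Count
    if ($after -ne $before + 1) {
        throw "Member count of $GroupDn went from $before to $after; expected $($before + 1)."
    }
    "$GroupDn now has $after members"
}

# Assumed DNs, matching the original post's example objects
Add-GroupMemberSafely -GroupDn 'cn=myGroup,ou=Users,dc=contoso,dc=com' `
                      -UserDn  'cn=myUser,ou=Users,dc=contoso,dc=com'
```

The before/after comparison is only meaningful if all three operations hit the same domain controller; a serverless `LDAP://` path may bind to a different DC on each call, so for a reliable check put the DC name in the path (for example `LDAP://dc01/cn=myGroup,...`) or wait for replication before counting.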

Source.
