Get-ADGroupMember - Timeout limit was exceeded
The Get-ADGroupMember cmdlet returns the members of an Active Directory group. Members can be users, other groups or computers.
It is an handy tool to quickly check if a user has been already been made member of a specific group like for example:
# Get all members of the Dl-GroupSame Get-ADGroupMember -Identity DL-GroupSample distinguishedName : CN=Domain Admins,CN=Users,DC=Lab,DC=com name : Domain Admins objectClass : group objectGUID : 5ccc6037-c2c9-42be-8e92-c8f98afd0011 SamAccountName : Domain Admins SID : S-1-5-21-41432690-3719764436-1984117282-512 distinguishedName : CN=Enterprise Admins,CN=Users,DC=Lab,DC=com name : Enterprise Admins objectClass : group objectGUID : 0215b0a5-aea1-40da-b598-720efe930ddf SamAccountName : Enterprise Admins SID : S-1-5-21-41432690-3719764436-1984117282-302 distinguishedName : CN=LabAdmin,CN=Users,DC=Lab,DC=com name : LabAdmin objectClass : user objectGUID : ab7c269d-aec5-4fcc-aebe-6cd1a2e6cd53 SamAccountName : LabAdmin SID : S-1-5-21-41432690-3719764436-1984117282-1015 <snip>
Issue is when working with large groups with lot of members Domain Controller will cut off the operation the following error will be displayed
Get-ADGroupMember : The operation returned because the timeout limit was exceeded. At line:1 char:1 + Get-ADGroupMember DL-LargeGroup + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : OperationTimeout: (DL-LargeGroup:ADGroup) [Get-ADGroupMember], TimeoutException + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.TimeoutException,Microsoft.ActiveDirectory.Management.Comma nds.GetADGroupMember
There are multiple solutions to this which is a by design behavior and not some obscure error message.
Solution 1 - Modify Maximum Number of Return Objects
As I said the above error message is a by design feature, more specifically one imposed by Active Directory Web Service (ADWS) used by Active Directory module to query AD.
Limit is defined in the c:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config configuration file stored on each domain controller.
Default limit for returned objects is set to 5000 but this can be changed under the **
<add key=”MaxGroupOrMemberEntries” value=”25000”/>
The above will raise the limit of returned objects to 25000.
Note on updating WebServices.exe.config file: Changing the setting can negatively affect performances of the domain controller. Also note file need to be updated on each domain controller separately.
Solution 2 - Get-ADGroup Cmdlet
Modifying inner Active Directory configuration files is not always a good idea and sometimes not possible at all, for example where I work such a change is not permitted, for this reason I usually workaround the problem not using the Get-ADGroupMember cmdlet at all.
The following command will return DNs of all users member of any given group:
Get-ADGroup -Identity 'DL-LargeGroup' -Properties Member | Select-Object -Property 'Member' -ExpandProperty 'Member'
Output of the above command can be assigned to a variable and easily manipulated.
This approach has two advantages.
1. Modification to Active Directory built-in limits is not required
2. Command runs extremely fast, for example on a group with over 14k members it took 3 seconds in my environment.