The world's most trusted forum on Active Directory Security
We need to produce a list of all domain security groups in all three of our Active Directory domains that contain more than 500 members. We have been asked to do so as a part of our internal Windows Security audit processes.
I am wanting to know if there is a way to easily produce this list? Ideally I would like it to be in CSV format so that we can easily copy and paste the data in our report.
I know how to use dsget, dsquery, etc. to obtain group memberships, but how to get a report that shows the count of members in these groups I don't know.
Thank you for your help in this regard.
I'm not sure I understand. If you have group membership, why is it difficult to get its count? Also, did you mean 500 members or 1500 members?
I ask because I believe it is not straightforward to query for group memberships that contain more than 1500 users. I believe you have to have the queries loop when trying to do this.
If you can provide more details, it would be helpful.
I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.
I'm sorry. You're right, I meant 1500, not 500.
Can you please suggest some way of easily obtaining and documenting the list of all members of my Active Directory security groups?
Like I indicated, some of them have more than 1500 members.
Take a look at this tool.
It's an automated group membership reporter that can enumerate the complete membership of any Active Directory group, including any nested members, and it works equally well for groups with fewer than, as well as more than, 1500 members.
It also has the ability to export to a CSV file and output membership to a PDF file.
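The looping query mentioned earlier in the thread, written out as an added example (it is not from any poster and is not the tool referred to above): it pages through each security group's `member` attribute with LDAP ranged retrieval, counts direct members, and writes groups above the threshold to CSV. The domain DNs and the output path are constructed placeholders.

```powershell
# Added example. Constructed placeholders: replace with your own domain DNs and path.
$Domains   = 'DC=a,DC=example,DC=com', 'DC=b,DC=example,DC=com', 'DC=c,DC=example,DC=com'
$Threshold = 1500
$OutFile   = '.\large-groups.csv'

function Get-DirectMemberCount {
    # Counts values of 'member' on one group, given its ADsPath (LDAP://...).
    # Counts direct members only: nested members are not expanded, and users who
    # hold the group only as their primary group are not stored in 'member'.
    param([Parameter(Mandatory)][string]$Path)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$Path)
    $s.SearchScope = 'Base'
    $s.Filter      = '(objectClass=group)'
    $count = 0
    while ($true) {
        # Ask for everything from offset $count onward; the server returns at
        # most one slice (1500 values by default) and names the range it sent.
        $s.PropertiesToLoad.Clear()
        [void]$s.PropertiesToLoad.Add("member;range=$count-*")
        $r = $s.FindOne()
        if (-not $r) { break }
        [string]$attr = $r.Properties.PropertyNames |
            Where-Object { $_ -like 'member;range=*' }
        if (-not $attr) { break }                 # empty group
        $count += $r.Properties[$attr].Count
        if ($attr.EndsWith('-*')) { break }       # 'N-*' marks the final slice
    }
    $count
}

$report = foreach ($dn in $Domains) {
    $gs = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dn")
    # Bitwise-AND match on groupType for the security-enabled flag (0x80000000).
    $gs.Filter   = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
    $gs.PageSize = 1000                           # page the group list itself
    [void]$gs.PropertiesToLoad.Add('distinguishedName')
    foreach ($g in $gs.FindAll()) {
        $n = Get-DirectMemberCount -Path $g.Path
        if ($n -gt $Threshold) {
            [pscustomobject]@{
                Domain        = $dn
                Group         = [string]$g.Properties['distinguishedname'][0]
                DirectMembers = $n
            }
        }
    }
}
$report | Export-Csv -Path $OutFile -NoTypeInformation
```

Run it from a domain-joined machine with an account that can read group objects in each domain; set `$Threshold` to 500 or 1500 as the audit requires.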