ADGroup: fails with error 8227 Exceeded groups or group members limit #679

@doherty100

Description

Details of the scenario you tried and the problem that is occurring

ADGroup fails with error 8227, "Exceeded groups or group members limit". According to the answer to "Get-ADGroupMember : The size limit for this request was exceeded", ADWS has a MaxGroupOrMemberEntries setting which is set to 5000 by default.

Suggested solution to the issue

The group I am attempting to modify has more than 5000 members. The ask would be to implement large result set paging in ADGroup to avoid this limit. I cannot ask the team managing AD DS to change this ADWS limit, as it might have unintended consequences without extensive testing, which we do not have the resources for.

Verbose logs showing the problem

{
    "Exception": {
        "Message": "The PowerShell DSC resource \u0027[ADGroup]Defender\u0027 with SourceInfo \u0027::49::9::ADGroup\u0027 threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.",
        "Data": {},
        "InnerException": {
            "ErrorCode": 8227,
            "ServerErrorMessage": "Exceeded groups or group members limit.",
            "Message": "The size limit for this request was exceeded",
            "Data": "System.Collections.ListDictionaryInternal",
            "InnerException": "System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Exceeded groups or group members limit. (Fault Detail is equal to schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault).",
            "TargetSite": "Void ThrowExceptionForErrorCode(System.String, System.String, System.String, System.Exception)",
            "StackTrace": "   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive)\r\n   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()",
            "HelpLink": null,
            "Source": "Microsoft.ActiveDirectory.Management",
            "HResult": -2146233088
        },
        "TargetSite": null,
        "StackTrace": null,
        "HelpLink": null,
        "Source": null,
        "HResult": -2146233079
    },
    "TargetObject": null,
    "CategoryInfo": {
        "Category": 7,
        "Activity": "",
        "Reason": "InvalidOperationException",
        "TargetName": "",
        "TargetType": ""
    },
    "FullyQualifiedErrorId": "NonTerminatingErrorFromProvider",
    "ErrorDetails": null,
    "InvocationInfo": null,
    "ScriptStackTrace": null,
    "PipelineIterationInfo": []
}

The DSC configuration that is used to reproduce the issue (as detailed as possible)

configuration AppServerConfigProd {
    param (
        [Parameter(Mandatory = $true)]
        [String]$ComputerName
    )

    Import-DscResource -ModuleName 'PSDscResources'
    Import-DscResource -ModuleName 'xDSCDomainjoin'
    Import-DscResource -ModuleName 'ActiveDirectoryDsc'

    # Domain, target OU and join credential are read from Azure Automation assets at compile time.
    $domain = Get-AutomationVariable -Name 'adds_domain_name'
    $ou = Get-AutomationVariable -Name 'adds_ou'
    $domainAdminCredential = Get-AutomationPSCredential 'adds_credentials'

    node $ComputerName {
        xDSCDomainjoin 'JoinDomain' {
            Domain = $domain
            Credential = $domainAdminCredential
            JoinOU = $ou
        }

        # ADGroup needs the ActiveDirectory module, which this feature installs.
        WindowsFeature 'RSAT-AD-PowerShell' {
            Name = 'RSAT-AD-PowerShell'
            Ensure = 'Present'
            DependsOn = '[xDSCDomainjoin]JoinDomain'
        }

        # Adds the node's computer account ("<name>$") to the group. Test-TargetResource
        # for this resource is where error 8227 is raised.
        ADGroup 'Defender' {
            GroupName = 'Windows-Defender'
            Path = 'OU=System Center,OU=Shared Services,DC=somecompany,DC=com'
            GroupScope = 'Universal'
            Category = 'Security'
            MembersToInclude = "$ComputerName$"
            Credential = $domainAdminCredential
            Ensure = 'Present'
            DependsOn = '[WindowsFeature]RSAT-AD-PowerShell'
        }
    }
}

The operating system the target node is running

OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

PSVersion 5.1.17763.2803
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.2803
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Version of the DSC module that was used

6.0.1
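The workaround the suggested solution points at, written out as an added example (this is not code from the issue or from the ActiveDirectoryDsc module): instead of the GetADGroupMember ADWS operation, which fails with error 8227 once a group exceeds MaxGroupOrMemberEntries, query the memberOf back-link with a paged LDAP search, and for a MembersToInclude-style check read only the candidate accounts' own memberOf. The function names, the sample usage and the 'Windows-Defender' group are assumptions for illustration; it requires the ActiveDirectory module and a domain-joined session.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the issue or from ActiveDirectoryDsc.
# Function names and the sample usage at the bottom are assumptions.

function Get-LargeGroupMember {
    <#
        Enumerates the direct members of a group via a paged LDAP search on the memberOf
        back-link rather than the GetADGroupMember ADWS operation. ADWS pages the result
        set (256 objects per page here), so MaxGroupOrMemberEntries does not apply.
        Caveats: memberOf does not reflect primary-group membership (primaryGroupID), and
        members from other domains of a Universal group are only visible when querying a
        global catalog (e.g. -Server 'dc01.somecompany.com:3268').
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $Server,
        [pscredential] $Credential
    )

    $adParams = @{}
    if ($Server)     { $adParams['Server'] = $Server }
    if ($Credential) { $adParams['Credential'] = $Credential }

    $group = Get-ADGroup -Identity $GroupName @adParams

    # RFC 4515: escape characters that are special inside an LDAP filter value.
    # Backslash goes first because the other replacements introduce backslashes.
    $escapedDn = $group.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Get-ADObject rather than Get-ADUser so computers, groups and contacts are returned too.
    Get-ADObject -LDAPFilter "(memberOf=$escapedDn)" -Properties sAMAccountName -ResultPageSize 256 @adParams
}

function Test-GroupMembersToInclude {
    <#
        Reports which of the given sAMAccountNames are not direct members of the group.
        This is all a MembersToInclude check needs: one small read per candidate account,
        independent of how many members the group has.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $MembersToInclude,
        [string] $Server,
        [pscredential] $Credential
    )

    $adParams = @{}
    if ($Server)     { $adParams['Server'] = $Server }
    if ($Credential) { $adParams['Credential'] = $Credential }

    $groupDn = (Get-ADGroup -Identity $GroupName @adParams).DistinguishedName

    $missing = foreach ($name in $MembersToInclude) {
        # Double single quotes so the name cannot break out of the filter string.
        $safeName = $name -replace "'", "''"
        $account  = Get-ADObject -Filter "sAMAccountName -eq '$safeName'" -Properties memberOf @adParams

        if (-not $account) {
            # Account does not exist: report it rather than silently treating it as compliant.
            $name
        }
        elseif ($account.memberOf -notcontains $groupDn) {
            # -notcontains compares DNs case-insensitively, matching AD's own DN semantics.
            $name
        }
    }

    [pscustomobject]@{
        GroupName      = $GroupName
        Missing        = @($missing)
        InDesiredState = (@($missing).Count -eq 0)
    }
}

# Sample usage (assumed group name taken from the issue's configuration). The computer
# account's sAMAccountName is "<name>$", as in the configuration's MembersToInclude.
Test-GroupMembersToInclude -GroupName 'Windows-Defender' -MembersToInclude "${env:COMPUTERNAME}$" | Format-List

# Full enumeration, for cases that need the whole member set (e.g. MembersToExclude or Members):
(Get-LargeGroupMember -GroupName 'Windows-Defender' | Measure-Object).Count
```

Get-LargeGroupMember returns direct members only, like Get-ADGroupMember without -Recursive; for nested membership the same paged query can be issued per nested group. Both functions forward -Server and -Credential so they can run under the same credential the DSC resource uses.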


Labels

enhancement: The issue is an enhancement request.
help wanted: The issue is up for grabs for anyone in the community.
