Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ADGroup: fails with error 8227 Exceeded groups or group members limit #679

Open
doherty100 opened this issue Apr 15, 2022 · 4 comments
Open

ADGroup: fails with error 8227 Exceeded groups or group members limit #679

doherty100 opened this issue Apr 15, 2022 · 4 comments
Labels
enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community.

Comments

@doherty100
Copy link

Details of the scenario you tried and the problem that is occurring

ADGroup fails with error 8227 Exceeded groups or group members limit. According to the answer to Get-ADGroupMember : The size limit for this request was exceeded, ADWS has a MaxGroupOrMemberEntries setting which is set to 5000 by default.

Suggested solution to the issue

The group I am attempting to modify has more than 5000 members. The ask would be to implement large result set paging in ADGroup to avoid this limit. I cannot ask the team managing AD DS to change this ADWS limit as it might have unintended consequences without extensive testing which we do not have resources for.

Verbose logs showing the problem

{
    "Exception": {
        "Message": "The PowerShell DSC resource \u0027[ADGroup]Defender\u0027 with SourceInfo \u0027::49::9::ADGroup\u0027 threw one or more non-terminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.",
        "Data": {},
        "InnerException": {
            "ErrorCode": 8227,
            "ServerErrorMessage": "Exceeded groups or group members limit.",
            "Message": "The size limit for this request was exceeded",
            "Data": "System.Collections.ListDictionaryInternal",
            "InnerException": "System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Exceeded groups or group members limit. (Fault Detail is equal to schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault).",
            "TargetSite": "Void ThrowExceptionForErrorCode(System.String, System.String, System.String, System.Exception)",
            "StackTrace": "   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException)\r\n   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)\r\n   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive)\r\n   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()\r\n   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()",
            "HelpLink": null,
            "Source": "Microsoft.ActiveDirectory.Management",
            "HResult": -2146233088
        },
        "TargetSite": null,
        "StackTrace": null,
        "HelpLink": null,
        "Source": null,
        "HResult": -2146233079
    },
    "TargetObject": null,
    "CategoryInfo": {
        "Category": 7,
        "Activity": "",
        "Reason": "InvalidOperationException",
        "TargetName": "",
        "TargetType": ""
    },
    "FullyQualifiedErrorId": "NonTerminatingErrorFromProvider",
    "ErrorDetails": null,
    "InvocationInfo": null,
    "ScriptStackTrace": null,
    "PipelineIterationInfo": []
}

The DSC configuration that is used to reproduce the issue (as detailed as possible)

configuration AppServerConfigProd {
    param (
        [Parameter(Mandatory = $true)]
        [String]$ComputerName
    )

    Import-DscResource -ModuleName 'PSDscResources'
    Import-DscResource -ModuleName 'xDSCDomainjoin'
    Import-DscResource -ModuleName 'ActiveDirectoryDsc'
    
    $domain = Get-AutomationVariable -Name 'adds_domain_name'
    $ou = Get-AutomationVariable -Name 'adds_ou'
    $domainAdminCredential = Get-AutomationPSCredential 'adds_credentials'
 
    node $ComputerName {
        xDSCDomainjoin 'JoinDomain' {
            Domain = $domain
            Credential = $domainAdminCredential
            JoinOU = $ou
        }

        WindowsFeature 'RSAT-AD-PowerShell' {
            Name = 'RSAT-AD-PowerShell'
            Ensure = 'Present'
            DependsOn = '[xDSCDomainjoin]JoinDomain'            
        }

        ADGroup 'Defender' {
            GroupName = 'Windows-Defender'
            Path = 'OU=System Center,OU=Shared Services,DC=somecompany,DC=com'
            GroupScope = 'Universal'
            Category = 'Security'
            MembersToInclude = "$ComputerName$"
            Credential = $domainAdminCredential
            Ensure = 'Present'
            DependsOn = '[WindowsFeature]RSAT-AD-PowerShell'            
        }
    }
}

The operating system the target node is running

OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

PSVersion 5.1.17763.2803
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.2803
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Version of the DSC module that was used

6.0.1
@johlju johlju changed the title ADGroup fails with error 8227 Exceeded groups or group members limit ADGroup: fails with error 8227 Exceeded groups or group members limit Apr 20, 2022
@johlju johlju added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. labels Apr 20, 2022
@johlju
Copy link
Member

johlju commented Apr 20, 2022

...implement large result set paging in ADGroup to avoid this limit.

Any suggestions how to accomplish this paging with Get-ADGroup?

@doherty100
Copy link
Author

doherty100 commented Apr 22, 2022
edited
Loading

The code would need to go get members in batches 5000 security principals at a time. As each batch of 5000 is retrieved, it would be checked to see if any of the princpals in "MembersToInclude" are already members. Once all result sets have been processed, only the remaining security principals that were not found would be added. This is the classic problem of processing results of indeterminate size.

@TorstenSchnitter
Copy link

TorstenSchnitter commented May 25, 2022
edited
Loading

You can change the size limit for the ADWS Service. This solved same problem with group member limit for me.
On all domain controller got to: c:\windows\ADWS
Edit file: Microsoft.ActiveDirectory.WebServices.exe.config
Add within section :
< add key="MaxGroupOrMemberEntries" value="5000" / >
(change number 5000 fitting to your needs)

see this link for detailed information:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd391908(v=ws.10)?redirectedfrom=MSDN

@doherty100
Copy link
Author

You can change the size limit for the ADWS Service. This solved same problem with group member limit for me. On all domain controller got to: c:\windows\ADWS Edit file: Microsoft.ActiveDirectory.WebServices.exe.config Add within section : < add key="MaxGroupOrMemberEntries" value="5000" / > (change number 5000 fitting to your needs)

see this link for detailed information: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd391908(v=ws.10)?redirectedfrom=MSDN

@TorstenSchnitter yes you can change the ADWS settings, however many large orgs are loathe to make such changes to avoid unforeseen issues or problems. Result set paging is a common approach for developers, and I still believe that is the right solution to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@doherty100 @johlju @TorstenSchnitter