Different ways of getting AD group members

I will show you, in the scripts below, different ways of getting Active Directory group members with PowerShell.

Scripts

ADSI method

$root=([ADSI]"").distinguishedName
$Group = [ADSI]("LDAP://CN=Domain Admins, CN=Users,"+ $root)
$Group.member

Get-ADGroupMember cmdlet

$root = (get-ADDomain).Distinguishedname
$group = "CN=Domain Admins, CN=Users,"+$root
(Get-ADGroupMember $group).distinguishedname

Get-ADObject cmdlet

$root = (get-adobject -filter 'ObjectClass -eq "domain"').Distinguishedname
$group = "CN=Domain Admins, CN=Users,"+$root
(Get-ADObject $group -properties member).member
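
The ADSI and Get-ADObject scripts read the group's member attribute, which lists direct members only, while Get-ADGroupMember can expand nested groups with -Recursive. The following added example (not from the original post; Compare-GroupMembership is a hypothetical helper name) reports which accounts reach Domain Admins only through a nested group. It assumes the ActiveDirectory module is installed and that all members live in the current domain.

```powershell
# Added example: compare direct and effective membership of a privileged group.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory -Cmdlet Get-ADDomain, Get-ADObject, Get-ADGroupMember

function Compare-GroupMembership {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GroupDN
    )

    # Direct members: the raw 'member' attribute, as read by the ADSI and
    # Get-ADObject scripts. A nested group shows up as one DN.
    $direct = @((Get-ADObject -Identity $GroupDN -Properties member).member)

    # Effective members: -Recursive expands nested groups and returns only
    # the leaf objects (users, computers, ...).
    $effective = @(Get-ADGroupMember -Identity $GroupDN -Recursive |
        Select-Object -ExpandProperty distinguishedName)

    # Nested groups are the direct members whose objectClass is 'group'.
    $nestedGroups = @($direct | Where-Object {
        (Get-ADObject -Identity $_).ObjectClass -eq 'group'
    })

    [pscustomobject]@{
        Group          = $GroupDN
        DirectCount    = $direct.Count
        EffectiveCount = $effective.Count
        NestedGroups   = $nestedGroups
        # Accounts that hold the privilege only through a nested group
        ViaNesting     = @($effective | Where-Object { $_ -notin $direct })
    }
}

$root = (Get-ADDomain).DistinguishedName
Compare-GroupMembership -GroupDN "CN=Domain Admins,CN=Users,$root"
```

A non-empty ViaNesting list means that reviewing the member attribute alone would miss accounts that have Domain Admins rights.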
Performance

We can now compare the performance of each script with the PowerShell cmdlet Measure-Command:

ADSI method
measure-command {
$root=([ADSI]"").distinguishedName
}

Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 180
Ticks : 1805352
TotalDays : 2.08952777777778E-06
TotalHours : 5.01486666666667E-05
TotalMinutes : 0.00300892
TotalSeconds : 0.1805352
TotalMilliseconds : 180.5352

$group ="cn=Domain Admins, cn=Users,"+$root

measure-command {
([ADSI]("LDAP://$group")).Member
}

Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 8
Ticks : 83849
TotalDays : 9.70474537037037E-08
TotalHours : 2.32913888888889E-06
TotalMinutes : 0.000139748333333333
TotalSeconds : 0.0083849
TotalMilliseconds : 8.3849

Get-ADGroupMember cmdlet
measure-command {
$root = (get-addomain).distinguishedname
}

Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 626
Ticks : 6261733
TotalDays : 7.24737615740741E-06
TotalHours : 0.000173937027777778
TotalMinutes : 0.0104362216666667
TotalSeconds : 0.6261733
TotalMilliseconds : 626.1733

$group ="cn=Domain Admins, cn=Users,"+$root

measure-command {
(get-adgroupmember $group).distinguishedname
}

Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 90
Ticks : 906594
TotalDays : 1.04929861111111E-06
TotalHours : 2.51831666666667E-05
TotalMinutes : 0.00151099
TotalSeconds : 0.0906594
TotalMilliseconds : 90.6594

Get-ADObject cmdlet
measure-command {
$root = (get-adobject -Filter 'ObjectClass -eq "domain"').distinguishedname
}

Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 512
Ticks : 5127014
TotalDays : 5.93404398148148E-06
TotalHours : 0.000142417055555556
TotalMinutes : 0.00854502333333333
TotalSeconds : 0.5127014
TotalMilliseconds : 512.7014

$group ="cn=Domain Admins, cn=Users,"+$root

measure-command {
(get-adobject $group -properties member).member
}

Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 10
Ticks : 103133
TotalDays : 1.19366898148148E-07
TotalHours : 2.86480555555556E-06
TotalMinutes : 0.000171888333333333
TotalSeconds : 0.0103133
TotalMilliseconds : 10.3133

The main difference between the AD cmdlets and the ADSI method is the loading of the Active Directory PowerShell module. We can also measure how long that takes:

measure-command { import-module activedirectory }

Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 583
Ticks : 5832663
TotalDays : 6.75076736111111E-06
TotalHours : 0.000162018416666667
TotalMinutes : 0.009721105
TotalSeconds : 0.5832663
TotalMilliseconds : 583.2663

This loading time can be excluded from the previous results: the AD cmdlets are more efficient than the ADSI method. We can also optimize the loading of the Active Directory module by specifying only the needed cmdlets:

Measure-Command { import-module activedirectory -Cmdlet get-adobject }

Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 461
Ticks : 4610897
TotalDays : 5.33668634259259E-06
TotalHours : 0.000128080472222222
TotalMinutes : 0.00768482833333333
TotalSeconds : 0.4610897
TotalMilliseconds : 461.0897

Measure-Command {import-module activedirectory -Cmdlet get-addomain,get-adgroupmember}

Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 496
Ticks : 4962023
TotalDays : 5.74308217592593E-06
TotalHours : 0.000137833972222222
TotalMinutes : 0.00827003833333333
TotalSeconds : 0.4962023
TotalMilliseconds : 496.2023

The results are quite explicit…
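
Each figure above comes from a single Measure-Command run, so it includes one-off costs such as connection setup. The following added example (not from the original post; Measure-Median is a hypothetical helper name) repeats each member lookup after a warm-up call and reports the median, assuming the ActiveDirectory module is installed:

```powershell
# Added example: repeat each lookup and compare medians instead of single runs.
Import-Module ActiveDirectory -Cmdlet Get-ADDomain, Get-ADObject, Get-ADGroupMember

function Measure-Median {             # hypothetical helper name
    param(
        [Parameter(Mandatory)] [scriptblock] $Script,
        [ValidateRange(1, 10000)] [int] $Runs = 20
    )

    # Warm-up call: pays for connection setup and caching once, unmeasured.
    & $Script | Out-Null

    # Collect the samples and sort them so the median can be picked by index.
    $ms = @(1..$Runs | ForEach-Object {
        (Measure-Command -Expression $Script).TotalMilliseconds
    } | Sort-Object)

    $mid = [int][math]::Floor($Runs / 2)
    if ($Runs % 2) { $ms[$mid] } else { ($ms[$mid - 1] + $ms[$mid]) / 2 }
}

$root  = (Get-ADDomain).DistinguishedName
$group = "CN=Domain Admins,CN=Users,$root"

# The three member lookups from the scripts above, one script block each.
$tests = [ordered]@{
    'ADSI'              = { ([ADSI]("LDAP://$group")).member }
    'Get-ADGroupMember' = { (Get-ADGroupMember $group).distinguishedName }
    'Get-ADObject'      = { (Get-ADObject $group -Properties member).member }
}

foreach ($name in $tests.Keys) {
    [pscustomobject]@{
        Method   = $name
        Runs     = 20
        MedianMs = [math]::Round((Measure-Median -Script $tests[$name] -Runs 20), 2)
    }
}
```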


References

Active Directory Service Interfaces
Active Directory Service Interfaces (ADSI) is a set of COM interfaces used to access the features of directory services from different network providers. ADSI is used in a distributed computing environment to present a single set of directory service interfaces for managing network resources. Administrators and developers can use ADSI services to enumerate and manage the resources in a directory service, no matter which network environment contains the resource.
ADSI enables common administrative tasks, such as adding new users, managing printers, and locating resources in a distributed computing environment.

ADSI Edit (adsiedit.msc)
Active Directory® Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.
