I will show you, in the scripts below, different ways of getting Active Directorw group members with Powershell.
Scripts
ADSI method
$root=([ADSI]"").distinguishedName $Group = [ADSI]("LDAP://CN=Domain Admins, CN=Users,"+ $root) $Group.member
Get-ADGroupMember cmdlet
$root = (get-ADDomain).Distinguishedname $group = "CN=Domain Admins, CN=Users,"+$root (Get-ADGroupMember $group).distinguishedname
Get-ADObject cmdlet
$root = (get-adobject -filter 'ObjectClass -eq "domain"').Distinguishedname $group = "CN=Domain Admins, CN=Users,"+$root (Get-ADObject $group -properties member).member
Performance
We can now compare the performance for each script with the Powershell cmdlet measure-command :
ADSI method
measure-command { $root=([ADSI]"").distinguishedName } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 180 Ticks : 1805352 TotalDays : 2.08952777777778E-06 TotalHours : 5.01486666666667E-05 TotalMinutes : 0.00300892 TotalSeconds : 0.1805352 TotalMilliseconds : 180.5352 $group ="cn=Domain Admins, cn=Users,"+$root measure-command { ([ADSI]("LDAP://$group")).Member } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 8 Ticks : 83849 TotalDays : 9.70474537037037E-08 TotalHours : 2.32913888888889E-06 TotalMinutes : 0.000139748333333333 TotalSeconds : 0.0083849 TotalMilliseconds : 8.3849
Get-ADGroupMember cmdlet
measure-command { $root = (get-addomain).distinguishedname } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 626 Ticks : 6261733 TotalDays : 7.24737615740741E-06 TotalHours : 0.000173937027777778 TotalMinutes : 0.0104362216666667 TotalSeconds : 0.6261733 TotalMilliseconds : 626.1733 $group ="cn=Domain Admins, cn=Users,"+$root measure-command { (get-adgroupmember $group).distinguishedname } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 90 Ticks : 906594 TotalDays : 1.04929861111111E-06 TotalHours : 2.51831666666667E-05 TotalMinutes : 0.00151099 TotalSeconds : 0.0906594 TotalMilliseconds : 90.6594
Get-ADObject cmdlet
measure-command { $root = (get-adobject -Filter 'ObjectClass -eq "domain"').distinguishedname } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 512 Ticks : 5127014 TotalDays : 5.93404398148148E-06 TotalHours : 0.000142417055555556 TotalMinutes : 0.00854502333333333 TotalSeconds : 0.5127014 TotalMilliseconds : 512.7014 $group ="cn=Domain Admins, cn=Users,"+$root measure-command { (get-adobject $group -properties member).member } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 10 Ticks : 103133 TotalDays : 1.19366898148148E-07 TotalHours : 2.86480555555556E-06 TotalMinutes : 0.000171888333333333 TotalSeconds : 0.0103133 TotalMilliseconds : 10.3133
The main difference between AD cmdlets and ADSI method is the loading of the Active Directory Powershell module. We can also measure the performance for it:
measure-command { import-module activedirectory } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 583 Ticks : 5832663 TotalDays : 6.75076736111111E-06 TotalHours : 0.000162018416666667 TotalMinutes : 0.009721105 TotalSeconds : 0.5832663 TotalMilliseconds : 583.2663
This loading time can be excluded from the previous results : the AD cmdlets are more efficient than the ADSI method. We can also optimize the loading of the Active Directory module by specifying only the needed cmdlets:
Measure-Command { import-module activedirectory -Cmdlet get-adobject } Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 461 Ticks : 4610897 TotalDays : 5.33668634259259E-06 TotalHours : 0.000128080472222222 TotalMinutes : 0.00768482833333333 TotalSeconds : 0.4610897 TotalMilliseconds : 461.0897
Measure-Command {import-module activedirectory -Cmdlet get-addomain,get-adgroupmember} Days : 0 Hours : 0 Minutes : 0 Seconds : 0 Milliseconds : 496 Ticks : 4962023 TotalDays : 5.74308217592593E-06 TotalHours : 0.000137833972222222 TotalMinutes : 0.00827003833333333 TotalSeconds : 0.4962023 TotalMilliseconds : 496.2023
The results are quite explicit…
References
Active Directory Service Interfaces
Active Directory Service Interfaces (ADSI) is a set of COM interfaces used to access the features of directory services from different network providers. ADSI is used in a distributed computing environment to present a single set of directory service interfaces for managing network resources. Administrators and developers can use ADSI services to enumerate and manage the resources in a directory service, no matter which network environment contains the resource.
ADSI enables common administrative tasks, such as adding new users, managing printers, and locating resources in a distributed computing environment.
ADSI Edit (adsiedit.msc)
Active Directory® Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.