There’re times when things don’t go your way. Recently I’ve had a migration where both the old and the new company drives were active. Since we use AGLP, each folder has at least double the amounts of groups. Considering that the old company drive is also active, double that amount and you’ll have yourself a issue where users are unable to log on. The max token size is limited to a maximum of 1015 group memberships. This includes the nested groups. Since I wanted to know how big this problem was I decided to create a script that outputs this data to a file. All you have to do is enter the distinguished name of the OU you want to do a search in or remove the searchbase parameter completely to run it for all users.

Ipmo ActiveDirectory
$List = Get-ADUser -SearchBase "OU=OUName,DC=DOMAIN,DC=LOCAL" -Filter * -Properties MemberOf
$List2 = @()
$Path = ".\GroupMembershipsPerUser.csv"
ForEach ($Item in $list)
	{
	$Result = @()
	ForEach ($Group in $Item.MemberOf)
		{
		$Result += $Group
		$GroupResult =@(Get-ADGroup $Group -Properties Memberof).Memberof
		$Result += $GroupResult
		$Temp = $GroupResult
		While ($Temp -ne $Null)
			{
			$Temp = @()
			Foreach ($Object in $Groupresult)
				{
				$Objectresult =@(Get-ADGroup $Object -Properties Memberof).Memberof
				If ($Objectresult -ne $Null)
					{
					$Temp += $Objectresult
					$Result += $ObjectResult
					}
				}
			If ($Temp.count -ne 0){$Groupresult = $Temp}
			}
		}
	$Result = $Result | Select -Unique
	$List2 += $Item.SAMAccountName	+ ";" + $Result.count
	Write-host $item.Name heeft $Result.count groepen -f Yellow -b DarkCyan
	}	
AC -Path $Path -Value "Username;Groups"
ForEach($Item in $List2)
		{
		AC -Path $Path -Value $Item
		}