For the get-all-groups, I don't doubt it's a domain limitation. But it should never hit that limitation if it's asking the domain for a single group.
Unless the algorithm behind Get-VIAccount simply asks the domain for all-groups in ALL cases, and THEN tries to process/search for the group name within that list, instead of creating an LDAP query and letting the domain server process the search.
As for masks, if what I've described about its behavior is accurate, then it doesn't matter whether you wildcard or not, as it doesn't apply that mask filter until after it gets the list of all groups (or what it believes is all groups). Thus for large domains where it caps that, if the string falls outside that first part of the alphabet, then it won't be included; if it falls inside that subset, it will be included. It just depends on how large the subset of all groups that the algorithm receives to process is.
After I wrote that paragraph, I decided to test that assumption. Created 5 groups 'AAA_TEST_GROUP[1,2,3,4,5]' and 5 groups 'XXX_TEST_GROUP[1,2,3,4,5]'.
Sure enough:
> $xxxGroups = Get-VIAccount -Domain "DOMAIN" -Id "XXX_*" -Group
> $xxxGroups.Count
[0]
> $aaaGroups = Get-VIAccount -Domain "DOMAIN" -Id "AAA_*" -Group
> $aaaGroups.Count
5
Now I'm pretty new to PowerCLI and even PowerShell itself, so I could be mistaken, but the more I play around with it, the more it seems that the PowerCLI process simply asks the domain for all groups and then tries to filter on them itself. To me, if this is accurate, it is a very bad method of fetching LDAP/Domain groups. Let the LDAP server process the search query - it's what it's designed to do.
If there is another method or a workaround to applying VM role/permissions to a group, I would appreciate any guidance.
Thank you.
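
The two lookup strategies contrasted in the post above, as an added example that is not part of the original post and is not PowerCLI's own code. It uses the .NET DirectorySearcher directly and assumes a domain-joined Windows host, read access to the directory, and that the group Id corresponds to sAMAccountName; the function names are hypothetical.

```powershell
# Added example: models the two strategies, it is not PowerCLI's implementation.
# Assumptions: domain-joined host, group Id maps to sAMAccountName.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape RFC 4515 metacharacters, leaving '*' in place as the wildcard.
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

function Find-GroupServerSide {
    param([Parameter(Mandatory)][string]$NamePattern, [int]$PageSize = 500)
    $value = ConvertTo-LdapFilterValue $NamePattern
    # The name mask is part of the LDAP filter, so the server does the matching.
    $searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$value))"
    $searcher.PageSize = $PageSize   # paged search: results are not cut off at the server cap
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['samaccountname'][0] }
    } finally { $results.Dispose() }
}

function Find-GroupClientSide {
    param([Parameter(Mandatory)][string]$NamePattern)
    # Fetch "all groups" in one unpaged request, then apply the mask locally.
    $searcher = [adsisearcher]'(objectCategory=group)'
    $searcher.PageSize = 0           # unpaged: the server returns at most its size limit
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $results = $searcher.FindAll()
    try {
        $names = foreach ($r in $results) { [string]$r.Properties['samaccountname'][0] }
    } finally { $results.Dispose() }
    $names | Where-Object { $_ -like $NamePattern }
}

# Compare both strategies for the test prefixes used in the post.
foreach ($pattern in 'AAA_*', 'XXX_*') {
    [pscustomobject]@{
        Pattern    = $pattern
        ServerSide = @(Find-GroupServerSide $pattern).Count
        ClientSide = @(Find-GroupClientSide $pattern).Count
    }
}
```

In a domain with more groups than the server's result cap, the ClientSide count can fall short of the ServerSide count for groups that were not in the truncated list.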