Find empty groups in Active Directory using PowerShell

Hello All,

Today we will find empty groups in Active Directory using PowerShell. As you may know, we System Administrators are required to create groups in Active Directory for all sorts of purposes and reasons.

If you are interested in understanding the basics of Active Directory groups, head over here.

But over time, do the people who request these groups really use them?

Sooner or later your domain is bound to fill up with groups that have no members, for various reasons: the person who requested the group is no longer in the organization, or the group was created only for testing and was never deleted after the specified time.

So we will be finding the empty groups with PowerShell today, and trust me, you will love how fast and easy it is. Imagine you had to check every group for its members manually? You would want to leave your job immediately 😛

So we have PowerShell to our rescue. 😉

Import-Module ActiveDirectory
Get-ADGroup -Filter * -Properties Members | where {-not $_.members} | select Name | Export-Csv C:\emptygroups.csv -NoTypeInformation

The above two lines of code will find all the empty groups in your domain and export them to a CSV file.

Let us see what we are doing here.

We first import the Active Directory module into the PowerShell console so that we can use the AD-related cmdlets.

Next, with the help of the Get-ADGroup cmdlet, we query all the groups in the domain by setting the Filter parameter to * (any). We pipe that output to Where-Object and select the groups which have no members.

Finally, we pipe that to the Export-Csv cmdlet so that we can view the result neatly in the CSV file.

We could select a lot more properties and output them to the CSV file by piping the output of the Get-ADGroup cmdlet to Get-Member and finding the available properties associated with it!

Get-ADGroup 'Finance Team' | Get-Member


If you are working in a multi-domain environment, then you can use the line below to check for empty groups in a different domain.

Get-ADGroup -Filter * -Properties Members -Server DomainName:3268 | where {-not $_.members} | select Name | Export-Csv C:\emptygroups.csv -NoTypeInformation

We are using port 3268 for accessing the information. You can find more information about the port usage here.
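A fuller version of the report, as an added example that is not part of the original post: it filters on the server, skips system-critical groups, and also checks primary-group membership (primaryGroupID), which the Members attribute does not include. The function name Get-EmptyADGroup, the default server and the output path are assumptions made for illustration.

```powershell
# Added example (not the author's code). Get-EmptyADGroup is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-EmptyADGroup {
    param(
        # Assumption: a regular domain controller of the domain being audited.
        # A global catalog (port 3268) only carries member values for universal
        # groups, so global and domain local groups can look empty there.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    # Server-side filter: only groups whose member attribute has no values,
    # so membership lists are never transferred to the client.
    $candidates = Get-ADGroup -Server $Server -LDAPFilter '(!(member=*))' `
        -Properties whenCreated, whenChanged, isCriticalSystemObject, Description

    foreach ($group in $candidates) {
        # Built-in and other system groups are flagged as critical by AD;
        # they are not cleanup candidates even when they have no members.
        if ($group.isCriticalSystemObject) { continue }

        # Primary-group membership is stored on the user or computer object
        # (primaryGroupID = RID of the group), not in the group's member list.
        $rid = $group.SID.Value.Split('-')[-1]
        $primaryMember = Get-ADObject -Server $Server `
            -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1

        if (-not $primaryMember) {
            [pscustomobject]@{
                Name              = $group.Name
                GroupScope        = $group.GroupScope
                GroupCategory     = $group.GroupCategory
                WhenCreated       = $group.whenCreated
                WhenChanged       = $group.whenChanged
                Description       = $group.Description
                DistinguishedName = $group.DistinguishedName
            }
        }
    }
}

# Oldest unchanged groups first; review the list before removing anything.
Get-EmptyADGroup | Sort-Object WhenChanged |
    Export-Csv -Path C:\emptygroups.csv -NoTypeInformation
```

An empty group can still appear in ACLs, GPO security filtering or application role mappings, so the WhenChanged and Description columns are there to support that review.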

I hope this was informative and thank you for reading!

About Author

I am Adil Arif, working as a Senior Technical Support Engineer at Rubrik as well as an independent blogger and founder of Enterprise Daddy. In my current role, I am supporting infrastructure related to Windows and VMware datacenters.

7 Comments

  1. Hi Adil,
    This was very helpful for me. I’m very new and would like to see how I modify this command to find groups void of both user and computer objects via attribute “primarygroupid = 513” and “primarygroupid = 515”. So that the only groups returned are truly empty.
    Thank you!
