Find Empty Groups in Active Directory Using PowerShell
Unused resources, such as groups with zero members, put unnecessary strain on your local AD environment. That is why IT admins should find empty groups in Active Directory and delete them from the domain.
Although we use the terms unused group and empty group interchangeably in this write-up, there are some minute differences between the two. Generally, unused groups refer to groups that were created by admins and may even have members, but have stayed dormant since their creation or for a long time.
Empty groups, on the other hand, are groups that used to serve a purpose in the AD, but changes in business requirements forced the admins to clear out all their members and make them empty.
Sometimes empty groups can still be in use, and unused groups still have members in them.
Let’s see why IT admins need to keep a record of empty groups.
Why You Must Get a List of All Unused/Memberless Groups in AD
Empty groups are a security liability; they increase the attack surface that malicious actors could exploit. Plus, empty groups usually still retain their resource access (permissions on files, shares, and applications) that nobody monitors or uses, and an account added to such a group inherits that access unnoticed.
Moreover, memberless groups are an unnecessary administrative and management burden. Admins have to be on constant lookout to avoid adding users to the wrong group.
It is not that difficult to make an Active Directory group membership report; the real trouble is in finding the empty groups. They are indistinguishable from other groups in the default queries admins use to enumerate group objects. Moreover, even when admins can list all the group objects, it takes extra effort to separate the empty ones from the rest.
So, let us look at the default command line utilities present in every Active Directory and how they can be used to get a list of 0 (zero) member groups.
PowerShell Script to Find Empty AD Groups
Open a new PowerShell instance and type:
Get-ADGroup -Filter {Members -notlike "*"}
This simple cmdlet will list all the groups whose member attribute is empty.
If you want to color-code the information and make it more visually appealing, use the script below:
Open PowerShell ISE, paste the script, save it as a .ps1 file, and run it from the console.
# Get all groups in Active Directory
$groups = Get-ADGroup -Filter *
Clear-Host
foreach ($group in $groups) {
    # Get the Active Directory group membership report of the current group
    # (direct members only; nested groups are returned as members, not expanded)
    $members = Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue
    if ($members.Count -eq 0) {
        # Empty group
        Write-Host "Group: $($group.Name) has 0 members." -ForegroundColor Yellow
    }
}
Active Directory accepts LDAP queries as well, so if you want, you can get the same result using the -LDAPFilter parameter (the -Filter parameter expects PowerShell expression syntax, not LDAP syntax):
Get-ADGroup -LDAPFilter '(!(member=*))'
PowerShell isn’t the only code-based method available in an AD. You can use the plain old command line as well.
Command Line Query to Get Unused Groups
Press Windows + R simultaneously, then type cmd.
This will launch the terminal where you can type:
dsquery * -filter "(&(objectCategory=group)(!(member=*)))" -limit 0
(-limit 0 removes the default cap of 100 results.) You will see the list of groups with zero members in them. Then delete them or proceed with whatever your organization's protocol is.
Unfortunately, neither the command line nor the PowerShell method we discussed earlier provides any sort of reporting. They are locked in a view-only state. To get the list of empty groups out, you must modify the query, and some users lack the technical expertise required to perform such a change.
Don’t worry, we have just the right solution for you.
Professional Script Free Way to List 0-Member AD Groups
The SysTools Active Directory Reporting Tool gives admins exactly what they need, with dedicated filtering options and an easy GUI-based filtered search.
This tool matches the speed of cmdlets with the ease of a GUI to give a cohesive solution for finding empty groups.
To use this automated tool and get all empty groups in Active Directory, all you have to do is follow these steps:
Step 1. Type “administrator” in both the User ID and password fields to open the tool.
Step 2. Activate the tool and click on “REGISTER DOMAIN CONTROLLER”.
Step 3. Enter your custom Domain Friendly Name and AD IP address, then hit Save & Continue.
Step 4. On the Domain details page, put the domain Admin credentials and validate.
Step 5. Inside the Report tab, choose the group workload and All as the subcategory (you may select the security group subcategory if you want to find empty security groups).
Step 6. Use the tool’s filtering system to change the All category and use the duration picker.
Step 7. Pick any one option of 5, 7, 10, 30, 60, 90 days, or 1 year starting from the present date. The tool even allows you to set your very own starting and ending dates.
Step 8. Click on the preview button to see the Groups.
Step 9. Use the Download Report button and select CSV.
Step 10. Download and save the empty Group report on your PC.
Best Practices to Find Empty Groups in Active Directory using PowerShell
If you still want to use PowerShell commands despite the availability of such an excellent alternative, we won’t stop you. However, please pay attention to these best practice directives to make sure your cmdlets behave as per your needs.
Make sure you have the permissions needed to run the advanced queries and cmdlets described in the post. Also, export all of the disabled users from Active Directory so you have a record of what's been deleted.
Rename all AD groups that are empty and move them to a separate OU in your AD.
Sometimes built-in groups like "Domain Users" may appear empty because primary group membership is stored in each account's primaryGroupID attribute rather than in the group's member attribute, so such groups are not truly empty. Watch out for these false positive results.
Likewise, false negative results are also possible. The script doesn't check beyond the first layer of nesting, and groups can be members of other groups in AD. So there can be a case where a parent group consists of only other groups as members, all of which are empty themselves. The script won't be able to tell you that; you will have to modify it on your end.
As mentioned earlier, exporting results requires further changes to the code, plus you won't be able to retain the color coding from the PowerShell-only visualization.
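The following script is an added example (not from the original post or from SysTools) that handles the three caveats above in one pass: it treats primary-group membership as membership, walks nested groups recursively, and exports the result to CSV. It assumes the ActiveDirectory module is available and uses a placeholder report path.

```powershell
# Added example: report groups that are empty even after resolving nested membership
# and primary-group membership. Assumes the ActiveDirectory module; $ReportPath is a placeholder.
Import-Module ActiveDirectory
$ReportPath = "C:\Reports\EmptyGroups.csv"   # assumed output path

# Primary group membership is stored on the account (primaryGroupID = the group's RID),
# not in the group's member attribute, so collect every RID currently used as a primary group.
$primaryRids = @{}
Get-ADObject -LDAPFilter '(primaryGroupID=*)' -Properties primaryGroupID |
    ForEach-Object { $primaryRids[[int]$_.primaryGroupID] = $true }

function Test-GroupTrulyEmpty {
    param(
        [Parameter(Mandatory)] $Group,          # Get-ADGroup object with the member property loaded
        [hashtable] $PrimaryRids,
        [hashtable] $Visited = @{}              # guards against circular nesting
    )
    # A group that is someone's primary group is not empty, even with no member values.
    $rid = [int]($Group.SID.Value.Split('-')[-1])
    if ($PrimaryRids.ContainsKey($rid)) { return $false }

    $Visited[$Group.DistinguishedName] = $true
    foreach ($dn in $Group.member) {
        if ($Visited.ContainsKey($dn)) { continue }
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        # Any non-group member (user, computer, foreign security principal) makes it non-empty.
        if ($obj.objectClass -ne 'group') { return $false }
        $nested = Get-ADGroup -Identity $dn -Properties member
        if (-not (Test-GroupTrulyEmpty -Group $nested -PrimaryRids $PrimaryRids -Visited $Visited)) {
            return $false
        }
    }
    return $true   # no members at all, or only chains of groups that are themselves empty
}

$emptyGroups = foreach ($g in Get-ADGroup -Filter * -Properties member, whenCreated) {
    if (Test-GroupTrulyEmpty -Group $g -PrimaryRids $primaryRids) {
        [pscustomobject]@{
            Name              = $g.Name
            GroupCategory     = $g.GroupCategory
            GroupScope        = $g.GroupScope
            DistinguishedName = $g.DistinguishedName
            WhenCreated       = $g.whenCreated
        }
    }
}
$emptyGroups | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $($emptyGroups.Count) truly empty groups; report written to $ReportPath"
```

Review the CSV before deleting anything; the script only reports, and moving flagged groups to a holding OU first (as the best practices above suggest) keeps the change reversible.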
Conclusion
In this post, I covered what needs to be done in order to find empty groups in Active Directory. You need not write a PowerShell script from scratch, as we have included a sample working template for you to get a list of all unused security and distribution AD groups. Moreover, admins have the option to use the script-free reporting tool described above, which can look for memberless groups in your environment and provide a CSV report as well.