Get all empty groups in Active Directory

Question

I am stuck trying to figure out how to get all Active Directory groups that are empty. I came up with this command, which selects groups that have no Members and aren't a MemberOf anything.

Get-QADGroup -GroupType Security -SizeLimit 0 | where-object {$_.Members.Count -eq 0 -and $_.MemberOf.Count -eq 0} | select GroupName, ParentContainer | Export-Csv c:\emptygroups.csv

This is mostly correct, but it's saying certain groups like the default group Domain Computers is empty, but it isn't empty. This particular group has only members that are computers, but it appears that other groups that only have computers as well aren't selected.

Does anyone know why this command is pulling in some that have members?

Answer 1

The Get-QADGroup cmdlet has a parameter -Empty. The description in the help hints at the reason these default groups are being returned:

Note: A group is considered empty if it has the "member" attribute not set. So, this parameter can retrieve a group that has only those members for which the group is set as the primary group. An example is the Domain Users group, which normally is the primary group for any user account while having the "member" attribute not set.

I'm not really familiar with the Quest stuff, but I was able to find empty groups this way, (probably not the most efficient):

Get-ADGroup -Filter {GroupCategory -eq 'Security'} | ?{@(Get-ADGroupMember $_).Length -eq 0}

Answer 2

Actually it will be a lost faster in environments with multiple domains, large number of groups (and large number of users) to run it as a script. Note: you will need to have PowerShell Active directory module loaded (import-module activedirectory)

     $domains = Get-ADForest|select -ExpandProperty domains
     $empties = @()
     $oops = @()
     foreach ($d in $domains){
     $groups = get-adgroup -filter * -server $d
     foreach ($g in $groups){
     $q = get-adgroup $g -properties members -server $d|select -expandproperty members
     If(!$?){$oops += $g
     write-host $g.name}
     if ($q -eq $null) {$empties += $g}
     }
     }
     $empties|select name,distinguishedname|export-csv .\empties.csv
     $oops|select name,distinguishedname|export-csv .\oops.csv

Answer 3

This line will do (use Import-Module ActiveDirectory first):

Get-ADGroup -Filter * -Properties Members | where { $_.Members.Count -eq 0 }

Answer 4

Was able to get the values properly by piping in Get-QADGroupMember and getting the count of Members and MemberOf which could then be filtered. This seems terribly inefficient, but it serves the purpose to get the counts needed.

Get-QADGroup -SizeLimit 0 | Select-Object Name,@{n='MemberCount';e={ (Get-QADGroupMember $_ -SizeLimit 0 | Measure-Object).Count}},@{n='MemberOfCount';e={ ((Get-QADGroup $_).MemberOf | Measure-Object).Count}}

If anyone has a better way to do this, do tell.

Answer 5

This version will display only the groupcategory and SAMaccountname. Name could also be used in place of samaccountname. The groupcategory will show you if its a security group or a DL.

Get-ADGroup –Filter * -Properties Members | where { $_.Members.Count –eq 0 } |select groupcategory,samaccountname >c:\temp\nomembers.csv

Answer 6

This worked for me.

Get-ADGroup -Filter {GroupCategory -eq 'Security'} -Properties Members | where { $_.Members.Count -eq 0 } | Select Name | Sort-Object Name