Get Active Directory empty groups


Recently I was asked to find all empty Active Directory groups. For this task I used the ActiveDirectory module cmdlets together with LDAP filters.

Active Directory empty groups

The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from an Active Directory.

The Identity parameter specifies the Active Directory group to get. You can identify a group by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name, or canonical name. You can also specify group object variable, such as $<localGroupObject>.

To search for and retrieve more than one group, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, type Get-Help about_ActiveDirectory_Filter. If you have existing Lightweight Directory Access Protocol (LDAP) query strings, you can use the LDAPFilter parameter. For more details please visit Microsoft Docs.

In a large environment, keep the filtering on the domain controller: pass an LDAP filter (or a -Filter expression) instead of retrieving every group with -Filter * and piping it through Where-Object. A group is "empty" here when its 'member' attribute has no values, so we will use the following filter. Note that membership held through an object's primaryGroupID attribute (for example Domain Users, Domain Computers and Domain Controllers) is not stored in 'member', so those groups also match this filter even though they are not really empty.

#Filter: groups whose 'member' attribute has no values
"(!(member=*))"

#Get all empty groups with default properties
Get-ADGroup -LDAPFilter "(!(member=*))"

#Get all empty groups with two properties ('Members' is the module's name for the LDAP 'member' attribute)
Get-ADGroup -LDAPFilter "(!(member=*))" -Properties Name,Members | Select-Object Name,Members

[Screenshot: Empty groups]

Below you can find a script that first checks whether the ActiveDirectory module can be loaded. Next, it searches for empty groups and exports the results to a CSV file on your desktop.


##### Import Modules ##########################################################
Try {
    Import-Module ActiveDirectory -ErrorAction Stop
}
Catch {
    Write-Warning $_.Exception.Message
    Read-Host "Script will end. Press enter to close the window"
    Exit
}


##### Params ##################################################################
# Join-Path avoids the doubled backslash that "$ReportPath\..." would produce
$ReportPath = Join-Path $env:USERPROFILE "Desktop"
$FileDate   = Get-Date -Format "yyyyMMddHHmmss"
$OutputCsv  = Join-Path $ReportPath "Empty_Groups_$FileDate.csv"


##### Properties ##############################################################
$Params = @{
    LDAPFilter = "(!(member=*))"
    # Query the DC that authenticated this session; LOGONSERVER has the form \\DCNAME
    Server     = ($env:LOGONSERVER -replace "\\", '')
    Properties = 'Name', 'GroupCategory', 'GroupScope', 'WhenChanged', 'WhenCreated'
}


##### Get Empty groups ########################################################
Get-ADGroup @Params |
    Select-Object Name, GroupCategory, GroupScope, WhenChanged, WhenCreated |
    Export-Csv -Path $OutputCsv -NoTypeInformation
