Active Directory Friday: Find groups with no members

Occasionally groups become obsolete or are never populated with members. It can be useful to find out how many groups in your organization have no members, so that action can be taken based on the output.

Overview of articles in this series
Active Directory Friday: Find groups with no members
Active Directory Friday: Principal group membership
Active Directory Friday: User account group membership

Because of the nature of how group membership is defined, this article will be the first in a series of three. In this article I will show how group membership can be determined using LDAP queries. The next article in this series will go into principal group membership and its implications, and the final article will go into constructed attributes and how to work with them, specifically the memberOf attribute.

In this article I will give a number of examples that can be used to determine which groups are empty. Using Get-ADGroup, the following command can be executed to retrieve memberless groups:

Get-ADGroup -LDAPFilter '(!(member=*))'


Alternatively the DirectoryServices.DirectorySearcher object can be used to achieve a similar result:

(New-Object DirectoryServices.DirectorySearcher -Property @{
 Filter = '(&(objectClass=group)(!(member=*)))'
 PageSize = 100
}).FindAll()

The [adsisearcher] type accelerator is another interesting alternative for this purpose. Here is an example:

([adsisearcher]'(&(objectClass=group)(!(member=*)))').FindAll()

The problem with the above examples, however, is that some groups, for example the Domain Users group, will show up as being empty. Next week I will go into principal group membership, what this is and how to query for it, and by doing so generate more accurate results regarding group membership.
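The following is an added example, not code from the original article. It builds on the DirectorySearcher query shown above and addresses the Domain Users caveat: for every group whose member attribute is empty, it derives the group's RID from its objectSid and checks whether any user has that RID as its primaryGroupID, because such users are not listed in the member attribute and make the group only look empty. The function name Get-EmptyGroupReport and the PageSize parameter are my own; the example assumes it runs on a domain-joined machine with an account that can read the directory.

```powershell
# Added example: list groups with an empty 'member' attribute and flag those
# that are still the primary group of one or more users (e.g. Domain Users).
# Assumes a domain-joined machine with read access to Active Directory.
function Get-EmptyGroupReport {
    [CmdletBinding()]
    param(
        # Page size for the paged LDAP search, as in the article's example
        [int]$PageSize = 100
    )

    # Step 1: groups with no value in the 'member' attribute (same filter as the article)
    $GroupSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
        Filter   = '(&(objectClass=group)(!(member=*)))'
        PageSize = $PageSize
    }
    $null = $GroupSearcher.PropertiesToLoad.AddRange(@('samaccountname', 'objectsid', 'distinguishedname'))

    foreach ($Result in $GroupSearcher.FindAll()) {
        # objectSid is returned as a byte array; the last sub-authority of the SID
        # is the RID, which is the value a user's primaryGroupID attribute holds
        $SidBytes = $Result.Properties['objectsid'][0]
        $Sid      = New-Object Security.Principal.SecurityIdentifier($SidBytes, 0)
        $Rid      = [int]$Sid.Value.Split('-')[-1]

        # Step 2: find users whose primary group is this group; they are not in 'member'
        $UserSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
            Filter   = "(&(objectCategory=person)(objectClass=user)(primaryGroupID=$Rid))"
            PageSize = $PageSize
        }
        $null = $UserSearcher.PropertiesToLoad.Add('samaccountname')
        $PrimaryMembers = $UserSearcher.FindAll()

        [pscustomobject]@{
            Name              = $Result.Properties['samaccountname'][0]
            DistinguishedName = $Result.Properties['distinguishedname'][0]
            Rid               = $Rid
            PrimaryGroupUsers = $PrimaryMembers.Count
            TrulyEmpty        = ($PrimaryMembers.Count -eq 0)
        }
    }
}

# Only groups that remain empty after primary group membership is taken into account
Get-EmptyGroupReport | Where-Object TrulyEmpty | Sort-Object Name
```

Groups such as Domain Users will now show a non-zero PrimaryGroupUsers count and TrulyEmpty set to False, while groups that nobody is a member of by either mechanism are the ones left over for clean-up. Running the user search once per empty group is simple rather than fast; in a large forest you may prefer to query all users' primaryGroupID values once and group them by RID.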

For more information about the topics discussed in this article, please have a look at the following resources:

Active Directory Friday: Find groups with no members
Get-ADGroup
JaapBrasser.com – Active Directory Friday
Free ebook – Active Directory Friday All Articles
DirectoryServices.DirectorySearcher

2 thoughts on “Active Directory Friday: Find groups with no members”

  1. Doug R.

    I’m relatively new to PowerShell. I’m starting to pick it up in order to execute some specific tasks in our environment, one of which is (of course) working with AD.

    So, keeping in mind that I’m new, I’ve got a question for you. This is the only place I’ve run into the idiom: `$searcher = New-Object DirectoryServices.DirectorySearcher -Property @{ … }` (above). I understand from the context WHAT this is doing, but where is it DOCUMENTED?

    Thanks.

    1. Jaap Brasser Post author

      Hello Doug R,

      Great to hear that you are just getting started with PowerShell, welcome to the wonderful world of scripting 🙂

      The best documentation that is available is actually linked in the article, the following MSDN article:
      https://msdn.microsoft.com/en-us/library/system.directoryservices.directorysearcher(v=vs.110).aspx

      But to break it down a bit further here are the steps I generally use:
      $Searcher = New-Object DirectoryServices.DirectorySearcher

      Now we have created a DirectorySearcher object; currently we have not configured it to search for anything in particular. So this would be the next step, setting up an LDAP filter, for example let’s search for the domain admins group:
      $Searcher.Filter = 'samaccountname=domain admins'

      Now if we want the results of this search query we need to initiate the searcher, for example by telling it to search for any objects matching this query:
      $Searcher.FindAll()

