Tag Archives: Group

Active Directory Friday: Find groups with no members

Occasionally groups become obsolete or are never populated with members. It can be useful to find out how many groups in your organization have no members, so that action can be taken based on the output.

Overview of articles in this series
Active Directory Friday: Find groups with no members
Active Directory Friday: Principal group membership
Active Directory Friday: User account group membership

Because of the way group membership is defined, this article is the first in a series of three. In this article I will show how group membership can be determined using LDAP queries. The next article in this series will go into principal group membership and its implications, and the final article will go into constructed attributes and how to work with them, specifically the memberof attribute.

In this article I will give a number of examples that can be used to determine which groups are empty. Using Get-ADGroup, the following command retrieves memberless groups:

Get-ADGroup -LDAPFilter '(!(member=*))'


Alternatively the DirectoryServices.DirectorySearcher object can be used to achieve a similar result:

# Search for group objects whose member attribute is not set and return all results
(New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter   = '(&(objectClass=group)(!(member=*)))'
    PageSize = 100
}).FindAll()

The [adsisearcher] type accelerator is another interesting alternative for this purpose; here is an example:


The problem with the above examples, however, is that some groups will show up as empty even though they are not, for example the Domain Users group. Next week I will go into principal group membership, what it is and how to query for it, and by doing so generate more accurate results regarding group membership.
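As an added example (not code from the original post), the following script uses the [adsisearcher] type accelerator to list the groups with an empty member attribute, and for each one checks whether any user or computer account still has that group as its primary group. Accounts are not written to the member attribute of their primary group, which is why a group such as Domain Users appears empty in the queries above. The SearchRoot parameter and the OU path in its comment are assumptions, not values from the post.

```powershell
# Added example, not code from the original post. It lists groups whose member
# attribute is empty and then checks the primaryGroupID of user and computer
# accounts, because accounts that use a group as their primary group are not
# written to that group's member attribute.
function Get-EmptyGroupReport {
    param(
        # Optional search root, e.g. 'LDAP://OU=Groups,DC=example,DC=com' (assumed value)
        [string]$SearchRoot
    )

    $GroupSearcher = [adsisearcher]'(&(objectClass=group)(!(member=*)))'
    $GroupSearcher.PageSize = 100
    if ($SearchRoot) { $GroupSearcher.SearchRoot = [adsi]$SearchRoot }
    foreach ($Attribute in 'cn', 'distinguishedName', 'primaryGroupToken') {
        $null = $GroupSearcher.PropertiesToLoad.Add($Attribute)
    }

    foreach ($Result in $GroupSearcher.FindAll()) {
        $Props = $Result.Properties
        # primaryGroupToken is a constructed attribute holding the group's RID,
        # which is the value accounts store in their primaryGroupID attribute
        $Rid = $Props['primarygrouptoken'][0]

        # objectClass=user matches both user and computer accounts
        $AccountSearcher = [adsisearcher]"(&(objectClass=user)(primaryGroupID=$Rid))"
        $AccountSearcher.PageSize = 100
        $null = $AccountSearcher.PropertiesToLoad.Add('sAMAccountName')
        $PrimaryMembers = @($AccountSearcher.FindAll() | ForEach-Object {
            $_.Properties['samaccountname'][0]
        })

        [pscustomobject]@{
            Name               = $Props['cn'][0]
            DistinguishedName  = $Props['distinguishedname'][0]
            PrimaryGroupRID    = $Rid
            PrimaryMemberCount = $PrimaryMembers.Count
            # Only a group with neither direct nor primary-group members is really empty
            IsEmpty            = ($PrimaryMembers.Count -eq 0)
        }
    }
}

# Usage: show the groups that only look empty because of primary group membership
Get-EmptyGroupReport | Where-Object { -not $_.IsEmpty } | Format-Table Name, PrimaryMemberCount
```

Groups with IsEmpty set to $true are the candidates for clean-up; the others, Domain Users and Domain Computers among them, are populated through primaryGroupID rather than through the member attribute.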

For more information about the topics discussed in this article, please have a look at the following resources:

Active Directory Friday: Find groups with no members
JaapBrasser.com – Active Directory Friday
Free ebook – Active Directory Friday All Articles

Manage SCOM Report Operators role using PowerShell

Sharing SCOM reports with other users can be facilitated by adding those users to the SCOM Report Operator role. To view the users and groups that are members of this role, the following can be executed:

Get-SCOMUserRole -Name 'Operations Manager Report Operators'

The best practice is to add an AD group to the User Role and then place the user in that AD group. If there is already an AD group in the User Role, the user can be added to that group directly. Otherwise an AD group can be created and added to the SCOM User Role as follows:

# Create Domain Local Security Group
$TargetOU = [adsi]'LDAP://OU=SCOM,OU=Groups,DC=jaapbrasser,DC=com'
$Group = $TargetOU.Create('group','cn=SCOM_Report_Operators')
$Group.Put('sAMAccountName','SCOM_Report_Operators')
# groupType -2147483644 = domain local (0x4) combined with security enabled (0x80000000)
$Group.Put('groupType',-2147483644)
$Group.SetInfo()
# Add the newly created group to the SCOM User Role
Get-SCOMUserRole -Name 'Operations Manager Report Operators' | ForEach-Object {
    Set-SCOMUserRole -UserRole $_ -User ($_.Users+'jaapbrasser\SCOM_Report_Operators')
}

Since the Set-SCOMUserRole cmdlet does not support adding a single group or user account to the existing list, ForEach-Object is used as an alternative to include the current User Role members. By concatenating the existing users with the new entry (the jaapbrasser\SCOM_Report_Operators group in the code above), the new member is added to the User Role members.
Now that the Active Directory group has been created and added to the list, the user account can be added to the AD group:

$ADGroup = [adsi]([adsisearcher]'samaccountname=SCOM_Report_Operators').FindOne().Path
$User = ([adsisearcher]'samaccountname=jaapbrasser').FindOne().Path
# IADsGroup.Add takes the ADsPath of the new member and commits the change immediately
$ADGroup.Add($User)

Now that the AD Group has been added as a User Role member and the user has been added to the correct Active Directory group the user has the appropriate permissions to be able to view the reports created by SCOM.
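As an added check (not code from the original post), the following function verifies both conditions described above: that the group is listed in the User Role and that the user is a member of the group. The default names are taken from the code above; the Domain parameter, which defaults to the current domain, is an assumption.

```powershell
# Added example, not code from the original post: verify that the group is a
# member of the SCOM User Role and that the user is a member of the group.
function Test-ScomReportOperatorAccess {
    param(
        [string]$UserRoleName = 'Operations Manager Report Operators',
        [string]$GroupName    = 'SCOM_Report_Operators',
        [string]$UserName     = 'jaapbrasser',
        # NetBIOS domain name as it appears in the User Role member list (assumed
        # to be the domain of the account running the check)
        [string]$Domain       = $env:USERDOMAIN
    )

    # Is the group present in the User Role member list? (-eq is case-insensitive)
    $Role = Get-SCOMUserRole -Name $UserRoleName
    $GroupInRole = [bool]($Role.Users | Where-Object { $_ -eq "$Domain\$GroupName" })

    # Is the user a direct member of the group? memberOf can be used in an LDAP filter.
    $UserInGroup = $false
    $Group = ([adsisearcher]"(&(objectClass=group)(sAMAccountName=$GroupName))").FindOne()
    if ($Group) {
        $GroupDN = $Group.Properties['distinguishedname'][0]
        # Note: a DN containing ( ) * or \ must be escaped before use in a filter
        $UserInGroup = [bool](
            [adsisearcher]"(&(sAMAccountName=$UserName)(memberOf=$GroupDN))"
        ).FindOne()
    }

    [pscustomobject]@{
        UserRole    = $UserRoleName
        Group       = "$Domain\$GroupName"
        User        = $UserName
        GroupInRole = $GroupInRole
        UserInGroup = $UserInGroup
        HasAccess   = ($GroupInRole -and $UserInGroup)
    }
}

# Usage with the values from the post
Test-ScomReportOperatorAccess
```

HasAccess is only $true when both checks pass; if GroupInRole is $false the ForEach-Object step above did not take effect, and if UserInGroup is $false the group membership was not committed.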

SCOM Report Operators User Role
Implementing User Roles