Finding Empty AD Groups using PowerShell

Nice one liner to find AD groups with no members:

Get-QADGroup -SizeLimit 0 |
    Where-Object {$_.Members.Count -eq 0}

This uses the Quest AD cmdlets. I needed this today while doing a security audit of a folder subtree on a file server and wondering why half the groups were not appearing in the membership sub-report.

If an AD group has no members, and is not a member of a parent group, is it actually serving any purpose, or can you delete it with prejudice? Leave a comment with your thoughts 🙂

*Updated* Hat tip to Scott (see comments), who has provided a more concise piece of code. I’ve updated this post accordingly.
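
The question above, turned into a read-only review query. This is an added example, not the post author's code: it uses Microsoft's ActiveDirectory module (RSAT) instead of the Quest cmdlets, asks the directory for groups with neither `member` nor `memberOf` values, and flags groups that are populated only through `primaryGroupID`. The output file name is an assumption, and the query needs a domain-joined session with read access to the directory.

```powershell
# Added example: Microsoft ActiveDirectory module (RSAT), not the Quest cmdlets.
Import-Module ActiveDirectory

# Server-side LDAP filter: group objects with no 'member' and no 'memberOf' values.
# Filtering on the server avoids pulling every group and testing it client-side.
$filter = '(&(objectCategory=group)(!(member=*))(!(memberOf=*)))'

$candidates = Get-ADGroup -LDAPFilter $filter `
    -Properties primaryGroupToken, whenCreated, whenChanged, isCriticalSystemObject

$report = foreach ($group in $candidates) {
    # Primary-group membership (for example Domain Users) is stored on the
    # member's primaryGroupID attribute and never shows up in the group's
    # 'member' attribute, so such a group looks empty to the filter above.
    $primaryMember = Get-ADObject `
        -LDAPFilter "(primaryGroupID=$($group.primaryGroupToken))" `
        -ResultSetSize 1

    [pscustomobject]@{
        Name              = $group.Name
        GroupCategory     = $group.GroupCategory
        GroupScope        = $group.GroupScope
        SID               = $group.SID.Value
        WhenCreated       = $group.whenCreated
        WhenChanged       = $group.whenChanged
        BuiltInOrSystem   = [bool]$group.isCriticalSystemObject
        HasPrimaryMember  = [bool]$primaryMember
        DistinguishedName = $group.DistinguishedName
    }
}

# Review list only: nothing is modified or deleted.
# Output path is a hypothetical name chosen for this example.
$report |
    Where-Object { -not $_.HasPrimaryMember -and -not $_.BuiltInOrSystem } |
    Sort-Object WhenChanged |
    Export-Csv -Path .\empty-unnested-groups.csv -NoTypeInformation
```

An empty, un-nested group can still be referenced in file-system ACLs, so the SID column is there to be compared against the permissions report before any group is removed.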

7 thoughts on “Finding Empty AD Groups using PowerShell”

  1. Scott

    Also, I noticed you were getting the groups twice. You can make it more concise:

    Get-QADGroup -SizeLimit 0 | Where-Object {$_.Members.Count -eq 0}

    1. Ben Post author

      Gah, right again! In fact you have left me wondering what I was thinking when I put this on the blog, because when I wrote the script console, I definitely used $_.
      I guess in my hurry to write the blog post, I got a bit dyslexic 🙂 Updated.

  2. Kirk

    Thanks for this post, it helped get me on the right track. While this is an older post, I figure I’d post in case someone else finds it useful.

    I did manage to come up with a quicker command that helps on my end since we have a HUGE Active Directory setup (really really huge). Using the -Empty flag speeds this up considerably in a large domain, otherwise yours works perfectly.

    Get-QADGroup -Empty $true -SizeLimit 0

    Or in my case I just needed Security groups only.

    Get-QADGroup -GroupType Security -Empty $true -SizeLimit 0

    The advantage here with large data sets is adding in a piped-where clause causes PowerShell to get all groups first, then filter. The -Empty flag filters from the get-go and is quicker.

    Due to the size of our AD setup, the -Empty flag shaves a number of minutes off of the command time.
