How To Find AD Groups Without Manager Using PowerShell


If you have been managing an Active Directory domain for a while, you will have come across the clean-up exercise of removing everything that is not used or needed. One of the processes around groups is to find the groups that are not managed, that is, groups that do not have the managedBy attribute set. The idea is to identify these groups and have an owner set, so that they can be managed more efficiently.

This becomes more important for distribution groups, to make sure that the members of the group represent the team and the memberships have been kept up to date as users move departments, get promoted, etc.

How to find AD groups without manager

Below is what an AD group that does not have a manager set looks like.

Method 1 – Using Filter

Run the PowerShell command below to find all groups that do not have the ManagedBy (manager) field set.

Get-ADGroup -Filter * -Properties managedby | Where-Object {$_.managedby -eq $null} | select name

The above command returns all AD groups in the domain, including the built-in ones, which we don’t need. The better way is to target the OU where all the groups are, so that the output is more useful.

Method 2 – Using Search Base

Run the command below to restrict the search to an OU by using the -SearchBase parameter.

Get-ADGroup -Filter * -Properties managedby -searchbase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | Where-Object {$_.managedby -eq $null} | select name

The output can be exported to a CSV file with the information that you need by running the command below.

Get-ADGroup -Filter * -Properties managedby, description -searchbase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | Where-Object {$_.managedby -eq $null} | select name, samaccountname, description | export-csv .\GroupsWithoutManagers.csv -notypeinformation

Method 3 – Using LDAP Filter

While the above commands work, they are not that efficient, as we are grabbing all the AD groups first and then discarding the ones we don’t need. A better approach is to use an LDAP filter, so that the domain controller returns only the matching groups, especially if you have thousands of groups to parse through.

Get-ADGroup -LDAPFilter "(!(managedBy=*))" -Properties description -SearchBase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | select name, samaccountname, description

Use the Export-Csv cmdlet to export the data to a CSV file, as shown below.

Get-ADGroup -LDAPFilter "(!(managedBy=*))" -Properties description -SearchBase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | select name, samaccountname, description | export-csv .\GroupsWithoutManagers.csv -notypeinformation
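
The LDAP filter from Method 3 can also drop the built-in groups on the server side and narrow the result to distribution groups, which covers the two concerns raised earlier in this article. The function below is an added example, not part of the original article: the name Get-UnmanagedADGroup and its switches are hypothetical, and it assumes the ActiveDirectory module is available.

```powershell
# Added example: Get-UnmanagedADGroup and its switches are illustrative names,
# not part of the ActiveDirectory module, which this function requires.
function Get-UnmanagedADGroup {
    [CmdletBinding()]
    param(
        [string]$SearchBase,            # OU to search; omit for the whole domain
        [switch]$DistributionOnly,      # only distribution groups
        [switch]$IncludeSystemGroups    # keep groups flagged isCriticalSystemObject
    )

    # Every clause is evaluated on the domain controller.
    $clauses = @('(objectCategory=group)', '(!(managedBy=*))')
    if (-not $IncludeSystemGroups) {
        # Most built-in groups carry isCriticalSystemObject=TRUE.
        $clauses += '(!(isCriticalSystemObject=TRUE))'
    }
    if ($DistributionOnly) {
        # groupType bit 0x80000000 (2147483648) marks a security group;
        # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule.
        $clauses += '(!(groupType:1.2.840.113556.1.4.803:=2147483648))'
    }

    $query = @{
        LDAPFilter = '(&' + ($clauses -join '') + ')'
        Properties = 'Description', 'member', 'whenChanged'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADGroup @query | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.Name
            SamAccountName = $_.SamAccountName
            GroupCategory  = $_.GroupCategory
            GroupScope     = $_.GroupScope
            Description    = $_.Description
            # Direct entries in the member attribute; nested groups are not expanded.
            DirectMembers  = @($_.member).Count
            WhenChanged    = $_.whenChanged
        }
    }
}

# Distribution groups without a manager in the OU used above, largest first.
Get-UnmanagedADGroup -SearchBase 'OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ' -DistributionOnly |
    Sort-Object DirectMembers -Descending |
    Export-Csv .\GroupsWithoutManagers.csv -NoTypeInformation
```

Sorting by DirectMembers puts the largest unowned groups at the top of the CSV, which is a reasonable order in which to assign owners.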

Please let me know if you have any questions in the comments section.
