If you have been managing an Active Directory domain for a while, you will have come across the clean-up exercise of removing everything that is no longer used or needed. One of the tasks around groups is to find the groups that are not managed, i.e. that do not have the managedBy attribute set. The idea is to get these groups and have an owner set, so that they can be managed more efficiently.
This becomes more important for distribution groups, to make sure that the members of the group represent the team and that the membership has been kept up to date as users move departments, get promoted, etc.
How to find AD groups without manager
Below is what an AD group that does not have a manager set looks like.
Method 1 – Using Filter
Run the PowerShell command below to find all groups which do not have the ManagedBy (manager) field set.
Get-ADGroup -Filter * -Properties managedby | Where-Object {$_.managedby -eq $null} | select name
The above command returns every AD group, including the built-in ones, which we don't need. The better way is to target the OU where all the groups are, so that the output is more useful.
Method 2 – Using Search Base
Run the command below to filter at the OU level by using the 'SearchBase' parameter.
Get-ADGroup -Filter * -Properties managedby -searchbase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | Where-Object {$_.managedby -eq $null} | select name
The output can be exported to a CSV file with the information you need by running the command below. Note that description is not returned by Get-ADGroup by default, so it has to be requested with -Properties or the column will be empty.
Get-ADGroup -Filter * -Properties managedby, description -searchbase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | Where-Object {$_.managedby -eq $null} | select name, samaccountname, description | export-csv .\GroupsWithoutManagers.csv -notypeinformation
Method 3 – Using LDAP Filter
While the above command works, it is not that efficient: it grabs all the AD groups first and then removes the ones we don't need on the client side. A better approach is to use an LDAP filter, which makes the domain controller return only the groups with no managedBy value, especially if you have thousands of groups to parse through. The filter (!(managedBy=*)) matches objects where the attribute is absent.
Get-ADGroup -LDAPFilter "(!(managedBy=*))" -SearchBase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" -Properties description | select name, samaccountname, description
Use the Export-Csv cmdlet to export the data to a CSV file, as shown below.
Get-ADGroup -LDAPFilter "(!(managedBy=*))" -SearchBase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" -Properties description | select name, samaccountname, description | export-csv .\GroupsWithoutManagers.csv -notypeinformation
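The three methods above end with a CSV of group names. As an added example (my own code, not from the original post), the script below takes Method 3 further: it keeps the server-side LDAP filter, optionally narrows to distribution or security groups using the groupType bit-matching rule, enriches each unmanaged group with its direct member count and last-change date (so the groups that matter most can be reviewed first), and includes a small helper that assigns an owner with Set-ADGroup -ManagedBy behind -WhatIf. It assumes the RSAT ActiveDirectory module is installed; the OU path is the one used in the post, while the group name 'Sales-DL' and the owner 'jdoe' in the usage lines are hypothetical.

```powershell
# Added example, not part of the original post. Requires the RSAT ActiveDirectory module.
# Inventories groups that lack a managedBy value (filtered on the domain controller),
# enriched with the facts an owner-assignment review needs, and exports them to CSV.
#Requires -Modules ActiveDirectory

function Get-UnmanagedGroupReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SearchBase,

        # 'Distribution' or 'Security'; omit to return both kinds.
        [ValidateSet('Distribution', 'Security')]
        [string]$GroupCategory,

        [string]$OutFile = '.\GroupsWithoutManagers.csv'
    )

    # (!(managedBy=*)) matches objects where the attribute is absent; the filter is
    # evaluated by the domain controller, so only unmanaged groups cross the wire.
    $ldap = '(!(managedBy=*))'

    # groupType bit 0x80000000 (2147483648) set = security-enabled group; clear = distribution.
    # 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match.
    if ($GroupCategory -eq 'Distribution') {
        $ldap = "(&$ldap(!(groupType:1.2.840.113556.1.4.803:=2147483648)))"
    } elseif ($GroupCategory -eq 'Security') {
        $ldap = "(&$ldap(groupType:1.2.840.113556.1.4.803:=2147483648))"
    }

    # description, member, whenChanged and mail are not in the default property set.
    $groups = Get-ADGroup -LDAPFilter $ldap -SearchBase $SearchBase -SearchScope Subtree `
        -Properties description, member, whenChanged, mail

    $report = foreach ($g in $groups) {
        [pscustomobject]@{
            Name              = $g.Name
            SamAccountName    = $g.SamAccountName
            Category          = $g.GroupCategory
            Scope             = $g.GroupScope
            Mail              = $g.mail
            MemberCount       = @($g.member).Count   # direct members only; nesting is not expanded
            LastChanged       = $g.whenChanged
            Description       = $g.description
            DistinguishedName = $g.DistinguishedName
        }
    }

    # Largest groups first: a stale distribution list with many members is the bigger risk.
    $report | Sort-Object MemberCount -Descending |
        Export-Csv -Path $OutFile -NoTypeInformation
    return $report
}

# Assigns an owner to a group found by the report. Set-ADGroup -ManagedBy takes the
# owner's identity; SupportsShouldProcess gives the caller -WhatIf / -Confirm for free.
function Set-GroupOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$GroupIdentity,
        [Parameter(Mandatory)] [string]$OwnerIdentity
    )
    # Resolve the owner first so a typo fails here rather than writing a bad DN.
    $owner = Get-ADUser -Identity $OwnerIdentity -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($GroupIdentity, "Set ManagedBy to $($owner.DistinguishedName)")) {
        Set-ADGroup -Identity $GroupIdentity -ManagedBy $owner.DistinguishedName
    }
}

# Usage: start with distribution groups, where stale membership leaks mail to the wrong people.
$searchBase = 'OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ'   # OU path from the post
$unmanaged  = Get-UnmanagedGroupReport -SearchBase $searchBase -GroupCategory Distribution
$unmanaged | Format-Table Name, MemberCount, LastChanged -AutoSize

# Hypothetical assignment (group 'Sales-DL', owner 'jdoe'); remove -WhatIf to apply it.
# Set-GroupOwner -GroupIdentity 'Sales-DL' -OwnerIdentity 'jdoe' -WhatIf
```

Two things to keep in mind when using it: setting managedBy only records who is responsible for the group; the "Manager can update membership list" checkbox in ADUC additionally writes an ACE on the group, which Set-ADGroup -ManagedBy does not do on its own. And MemberCount only counts direct members, so a group that nests other groups can represent far more people than the number suggests.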
Please let me know if you have any questions in the comments section.