How To Find Empty AD Groups Using PowerShell

Empty AD groups are part of the game for anyone managing an Active Directory domain. While there are built-in groups which could be empty for valid reasons, I am sure we all have had our fair share of AD groups which have no members at all.

It is good to find these groups once in a while and delete them, which keeps AD clean and manageable.

AD Groups With No Members

Below is what an AD group with no members looks like.

Keep in mind that there are built-in AD groups which are empty and they should not be deleted.


How to find empty AD groups (no members)

While you can construct the commands in a number of ways, we will go through three variations.

Method 1 – Using Filter Parameter

Run the PowerShell command below to find all groups which do not have any members in them.

Get-ADGroup -Filter * -Properties Members | where {-not $_.members} | select Name

The above command will bring all AD groups (including the built-in ones) and we don’t need them. The better way is to target the OU where all the groups are, so that the output is more useful. This is based on the assumption that you have a good OU structure (haha).

Run the command below to filter at the OU level by using the SearchBase parameter.

Get-ADGroup -Filter * -Properties Members -searchbase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | where {-not $_.members} | select Name

The output can be exported to a CSV file with the information that you need by running the command below.

Get-ADGroup -Filter * -Properties Members -searchbase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | where {-not $_.members} | select Name, samaccountname, description | export-csv .\EmptyGroups.csv -notypeinformation

Method 2 – Using LDAPFilter

While the above command works, it is not that efficient: it retrieves every AD group first and then discards the ones we don't need. A better option is to use an LDAP filter, so the domain controller returns only the matching groups, especially if you have thousands of groups to parse through.

Get-ADGroup -LDAPFilter "(!member=*)" | select name, samaccountname

As with the above command, you can restrict the output to the OU you need.

Get-ADGroup -LDAPFilter "(!member=*)" -SearchBase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | select name, samaccountname, description

Use the Export-Csv cmdlet to export the data to a CSV file as shown below.

Get-ADGroup -LDAPFilter "(!member=*)" -SearchBase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | select name, samaccountname, description | export-csv .\EmptyGroups.csv -notypeinformation

Method 3 – Using Filter With -NotLike

Another variation of the command is shown below.

Get-ADGroup -Filter { Member -NotLike "*"} | Select name

You can filter at the OU level of your choice to omit any built-in groups.

Get-ADGroup -Filter { Member -NotLike "*"} -SearchBase "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ" | select name, samaccountname, description

Method 2 will be best if you have a lot of groups to parse through in AD, which is typical for large organizations.
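The three one-liners above stop at listing names. The script below is an added example, not from the original post, that turns Method 2 into a cleanup report: it keeps the server-side LDAP filter, skips protected built-in groups via the isCriticalSystemObject attribute, and also checks primaryGroupID, because a group that is someone's primary group (Domain Users is the classic case) has no entries in its member attribute yet is not empty. It assumes the RSAT ActiveDirectory module is installed, and the OU path and CSV name are placeholders to replace.

```powershell
# Added example (not the original post's code). Finds groups under an OU that
# have no members, excluding protected built-ins and primary groups, and writes
# a CSV to review before anything is deleted.
Import-Module ActiveDirectory

$SearchBase = "OU=Users,OU=Cloudiffic,DC=CLOUDIFFIC,DC=XYZ"   # placeholder: your OU
$Report     = ".\EmptyGroups.csv"                               # placeholder: output file

# The LDAP filter runs on the domain controller, so only member-less groups
# cross the wire. Extra attributes are requested for the report and the checks.
$candidates = Get-ADGroup -LDAPFilter "(!member=*)" -SearchBase $SearchBase `
    -Properties isCriticalSystemObject, whenCreated, whenChanged, description, managedBy

$empty = foreach ($g in $candidates) {
    # Protected/built-in groups (Domain Admins, Schema Admins, ...) stay, even if empty.
    if ($g.isCriticalSystemObject) { continue }

    # Membership held only through primaryGroupID never appears in "member".
    # primaryGroupID stores the group's RID, the last part of its SID.
    $rid     = $g.SID.Value.Split('-')[-1]
    $primary = Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1
    if ($primary) { continue }

    [pscustomobject]@{
        Name              = $g.Name
        SamAccountName    = $g.SamAccountName
        DistinguishedName = $g.DistinguishedName
        GroupScope        = $g.GroupScope
        Description       = $g.Description
        ManagedBy         = $g.ManagedBy
        WhenCreated       = $g.whenCreated
        WhenChanged       = $g.whenChanged   # old, untouched groups are the safest to remove
    }
}

$empty | Sort-Object WhenChanged | Export-Csv -Path $Report -NoTypeInformation
"{0} empty groups written to {1}" -f @($empty).Count, $Report

# Deleting a group orphans any ACL or GPO filter that references its SID, so
# review the CSV first. Uncomment to preview removals; drop -WhatIf to delete.
# $empty | ForEach-Object { Remove-ADGroup -Identity $_.DistinguishedName -WhatIf }
```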

Please let me know if you have any questions in the comments section.
