
Find Empty Groups in Active Directory using PowerShell

Whether it’s time for spring cleaning or you’re just doing some general cleanup, it’s important to maintain a proper lifecycle around Active Directory groups. Many organizations love creating groups; however, some (most?) don’t really like to do cleanup because they’re scared it might break something. While that risk is real, it’s still worth keeping a tight ship and having some automation around cleanup. Today we’re going to go over the query to find empty groups in Active Directory using PowerShell.

I previously wrote a post about using the ActiveDirectory module with Get-ADUser. The idea was to find AD users using PowerShell, and it went over several advanced topics. Feel free to check that out to get familiar with the overall commands, since Get-ADGroup works in a similar way.

Here, the Get-ADGroup cmdlet is going to be used to filter all groups that have no members and move them to a separate OU for further processing. Since we are a little cautious when it comes to making bulk changes like this, I would suggest moving them to a staging OU where they can sit for 30-60 days. Since these groups are empty, chances are no one is going to miss them, but it’s a good idea to separate them first, then move forward with deleting.

Before we delete anything, I would strongly recommend you enable the AD recycle bin so you can recover objects without hesitation.

Find Empty Groups in Active Directory using PowerShell

#Get All empty groups in the entire domain. Be careful with Exchange and other built-in groups.
$AllEmptyGroupList = Get-ADGroup -Filter {Members -notlike "*" } -Properties Members, WhenChanged, WhenCreated

#Get all empty groups that have not been touched in longer than 6 months. Be careful with Exchange and other built-in groups.
$CutOffDate = (Get-Date).AddMonths(-6)
$SixMonthEmptyGroupList = Get-ADGroup -Filter {Members -notlike "*" -and WhenChanged -lt $CutOffDate} -Properties Members, WhenChanged, WhenCreated

#Get all stale groups from a specific OU (Preferred)
$EmptyGroupList = Get-ADGroup -Filter {Members -notlike "*" -and WhenChanged -lt $CutOffDate} -Properties Members, WhenChanged, WhenCreated -SearchBase 'OU=My Groups,DC=contoso,DC=com'
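The staging step described above, written out as an added example (this is not code from the original post). It takes the preferred query, puts the "be careful with built-in groups" warning into actual checks (critical system objects, groups protected from accidental deletion, and groups that are someone's primary group, since primary-group membership is not stored in the member attribute and so Domain Users looks empty), writes the candidates to a CSV for review, and moves them with -WhatIf. The staging OU path and the log path are assumptions; the search base is the one from the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and a staging OU; the staging OU and log path below are placeholders to adjust.
Import-Module ActiveDirectory

$SearchBase = 'OU=My Groups,DC=contoso,DC=com'        # from the post
$StagingOU  = 'OU=Staging Groups,DC=contoso,DC=com'   # placeholder
$CutOffDate = (Get-Date).AddMonths(-6)
$LogPath    = Join-Path $env:TEMP ("EmptyGroups-{0:yyyyMMdd}.csv" -f (Get-Date))

# Step 1: the post's preferred query, plus the attributes needed for the safety checks.
$QueryParams = @{
    Filter     = { Members -notlike "*" -and WhenChanged -lt $CutOffDate }
    SearchBase = $SearchBase
    Properties = 'Members', 'WhenChanged', 'WhenCreated',
                 'isCriticalSystemObject', 'primaryGroupToken',
                 'ProtectedFromAccidentalDeletion'
}
$Candidates = Get-ADGroup @QueryParams

# Step 2: primary-group membership (Domain Users, Domain Computers) is not stored
# in the 'member' attribute, so those groups look empty. Collect every RID in use.
$PrimaryGroupIds = Get-ADObject -LDAPFilter '(primaryGroupID=*)' -Properties primaryGroupID |
    Select-Object -ExpandProperty primaryGroupID -Unique

# Step 3: drop anything that should never be staged.
$ToStage = foreach ($g in $Candidates) {
    if ($g.isCriticalSystemObject)                       { continue }  # built-in/system groups
    if ($g.ProtectedFromAccidentalDeletion)              { continue }  # deliberately protected
    if ($PrimaryGroupIds -contains $g.primaryGroupToken) { continue }  # someone's primary group
    $g
}

# Step 4: write a review file, then move to staging. Remove -WhatIf after review.
$ToStage |
    Select-Object Name, DistinguishedName, GroupScope, GroupCategory, WhenCreated, WhenChanged |
    Export-Csv -Path $LogPath -NoTypeInformation

foreach ($g in $ToStage) {
    Move-ADObject -Identity $g.DistinguishedName -TargetPath $StagingOU -WhatIf
}
"{0} candidate group(s) written to {1}" -f @($ToStage).Count, $LogPath
```

Run it once with -WhatIf in place, review the CSV, and only then remove -WhatIf; the groups still sit in the staging OU for the 30-60 day period before anything is deleted.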


Hopefully this helped you understand how to find empty groups in Active Directory using PowerShell so you can better manage your group lifecycle. If a group is empty and hasn’t been modified in over 6 months, it’s a pretty good sign that it is no longer needed and can be purged.

Again, I would highly recommend you enable the recycle bin, but with this you should be able to start off slowly and decommission groups using whatever approach you feel is appropriate.


Paul Contreras

Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.
