Find Empty Groups in Active Directory

by Robert Allen

In this guide, I’ll show you how to find empty groups in Active Directory using PowerShell and the AD Pro Toolkit.

Administrators need to create Active Directory groups for various reasons, but are those groups still in use? I’ve handled countless requests to create new groups, and then those groups are never used or are no longer needed. The problem is that the person who requested the group never notified you that it is no longer needed. So over time, you end up with a mess and a bunch of unused and empty groups.

How to Find Empty Groups Using PowerShell

With PowerShell, you can use the Get-ADGroup cmdlet to list empty groups. The command below will get all empty groups in the domain. It is important to note that many default groups have no members.

Get-ADGroup -Filter * -Properties Members | Where-Object {-not $_.Members} | Select-Object Name, DistinguishedName

I included the group name and distinguishedName in the output. You can change this by adding or removing the attributes in the select statement.

Here is a screenshot from my domain.

[Screenshot: PowerShell find empty groups]

To verify that a group is empty, use this command.

Get-ADGroupMember -Identity 'group_110' | Select-Object name, distinguishedName

In this example, I checked the group ‘group_110’ and it did not return any group members.

[Screenshot: verify empty group with PowerShell]

To export all empty groups to CSV, use this command. Change the path as needed.

Get-ADGroup -Filter * -Properties Members | Where-Object {-not $_.Members} | Select-Object Name, DistinguishedName | Export-Csv -Path C:\temp\emptygroups.csv -NoTypeInformation

As you can see, finding empty groups with PowerShell is very easy.
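
The commands above test only the member attribute, so groups whose membership comes from an account's primaryGroupID (Domain Users, for example) are reported as empty even though they are in use. The script below is an added example, not part of the original guide: it flags those primary groups and critical system groups, and shows whether each empty group is still nested in other groups, which is worth checking before deleting it. It assumes a single domain, the ActiveDirectory module, and a hypothetical output path.

```powershell
# Added example: report empty groups while filtering out primary-group
# and system-group false positives. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$OutFile = 'C:\temp\emptygroups-review.csv'   # assumed path, change as needed

# Primary-group membership is stored on each account as primaryGroupID (a RID),
# not in the group's member attribute. Collect every RID that is in use.
$primaryRids = @{}
Get-ADObject -LDAPFilter '(primaryGroupID=*)' -Properties primaryGroupID |
    ForEach-Object { $primaryRids[[string]$_.primaryGroupID] = $true }

$report = Get-ADGroup -Filter * -Properties Members, MemberOf, isCriticalSystemObject, whenCreated, whenChanged |
    Where-Object { -not $_.Members } |
    ForEach-Object {
        # The RID is the last component of the group's SID.
        $rid = $_.SID.Value.Split('-')[-1]
        [pscustomobject]@{
            Name              = $_.Name
            GroupScope        = $_.GroupScope
            GroupCategory     = $_.GroupCategory
            IsPrimaryGroup    = $primaryRids.ContainsKey($rid)
            IsSystemGroup     = [bool]$_.isCriticalSystemObject
            NestedInGroups    = @($_.MemberOf).Count
            WhenCreated       = $_.whenCreated
            WhenChanged       = $_.whenChanged
            DistinguishedName = $_.DistinguishedName
        }
    }

# Groups that are empty, not anyone's primary group, and not system groups
# are the candidates for review. Oldest changes are listed first.
$candidates = $report |
    Where-Object { -not $_.IsPrimaryGroup -and -not $_.IsSystemGroup } |
    Sort-Object WhenChanged

$candidates | Export-Csv -Path $OutFile -NoTypeInformation
$candidates | Format-Table Name, GroupScope, NestedInGroups, WhenChanged -AutoSize
```

A non-zero NestedInGroups value means the empty group still inherits whatever its parent groups grant, so confirm it is not referenced anywhere before removing it.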

Easily Find Empty Groups using the AD Pro Toolkit

The AD Pro Toolkit includes an Active Directory Reporting Tool with over 200 built-in reports. You can customize the reports, create your own reports and send automated email reports.


Step 1. Click on Group Members Reports

Select “Groups with no members” from the list of reports.

[Screenshot: groups with no members report]

Step 2. Click Run to find all Empty Groups

Click run to find empty groups in the entire domain. If you want to search a specific OU click the browse button.

[Screenshot: groups with no members example]

Very easy, right? With just a couple of clicks, the toolkit can generate all kinds of Active Directory reports.

To export the report, click on the export button. You can also sort or search the results.

DomainLocal Empty Groups

For example, if I wanted to see only DomainLocal groups that have no members I would filter on the groupScope column.

[Screenshot: DomainLocal empty groups]

Search for Empty Groups by Name

To search for an empty group by name, click the search icon.

[Screenshot: search for empty groups]

If you want to test this tool out in your domain for free, click the download button below.

Summary

In this guide, I showed you how to find empty groups with PowerShell and the AD Pro Toolkit.

If you don’t run regular maintenance on Active Directory you will have stale users, computers, and groups. Administrators love to create groups for various reasons but often forget to remove them if they are not being used. Finding unused groups can be challenging because it’s not easy to know where they might be in use. Finding empty groups can be a quick way to clean up those unused groups.


8 thoughts on “Find Empty Groups in Active Directory”

  1. Strange, this script returns “Domain Users” which is full of users and “Domain Controllers” with two AD machines? Is it OK?

    • These are special groups and AD gets the members differently. The script checks the member attribute and if blank it will return the group. If you open Domain Users in AD and go to the attribute editor the member attribute should say “not set” but the group will contain members. I do not know why Microsoft did this?? So the script is working correctly but it’s going to list these special groups because the member attribute will be blank “not set”.

  2. Hey Robert. Is it possible to block websites from Domain users using GPO in Windows Server 2019? If ‘yes’, I’d be grateful if you can compose a guide on the configuration.

    • Not effectively. You can block access to an IP address but that will be a nightmare to manage as websites can have multiple IP addresses or can change. It is best to use a proxy filter or a network firewall.
