In this guide, I’ll show you how to find empty groups in Active Directory.
What are empty groups?
Empty Active Directory groups are groups that have no members. For example, I have a group called “finance_treasury” in my domain but the members tab is empty.
What is the concern with empty groups?
The concern with empty Active Directory groups is over time they will clutter up your domain and cause confusion. Administrators love to use groups but often they are created for various reasons and then never used in production. The administrator often forgets to remove the group which leaves an empty and unused group in your domain.
How to List Empty AD Groups
The Active Directory User console has no built-in option to display empty groups. To resolve this issue I included a filter in the AD Cleanup Tool that will quickly display all empty groups.
Step 1. Click on Filters
Step 2. Select Groups Without Members
Step 3. Click the run button
You will now have a list of all empty groups in your domain.
To export the list click the export button and choose your format.
That was easy right? You now have a list of all empty groups in your domain.
If you want to test this tool out in your domain for free, click the download button below.
Default Builtin Empty Groups
Active Directory includes many built-in groups that by default are empty. You can see this list by clicking on the Built-in folder in Active Directory. I recommend that you do not delete the default built-in groups.
Additional Active Directory Group Reports
The AD Pro Toolkit includes over 200 Active Directory Reports for users, computers, groups, group policies, and more.
- Report on all groups
- Recently created groups
- Recently modified groups
- Group membership reports
- Managed and unmanaged groups
- Groups not protected from deletion
- and much more
Below is a screenshot of the report Groups modified in last 7 days.
As a Windows Administrator, being able to quickly generate group and user reports is a huge time saver. Sometimes we don’t have the time to mess around with complicated PowerShell scripts and just need a quick report. This is a tool that my entire team can use with no training. You can try it out in your domain for free. Download Free Trial.
Find Empty Groups with PowerShell
With PowerShell you can use the Get-ADGroup cmdlet to list empty groups. The below command will get all empty groups in the domain.
Get-ADGroup -Filter * -Properties Members | where {-not $_.members} | select Name
Summary
In this guide, I showed you how to find empty groups with the AD Cleanup Tool and PowerShell. In addition, I showed you some of the many built-in group reports included in the AD Pro Toolkit.
If you don’t run a regular maintenance cleanup on Active Directory you will have stale users, computers, and groups. Administrators love to create groups for various reasons but often forget to remove them if they are not being used. Finding unused groups can be challenging because it’s not easy to know where they might be in use. Finding empty groups can be a quick way to clean up those unused groups.
Hey Robert. Is it possible to block websites from Domain users using GPO in Windows Server 2019? If ‘yes’, I’d be grateful if you can compose a guide on the configuration.
Not effectively. You can block access to an IP address but that will be a nightmare to manage as websites can have multiple IP addresses or can change. It is best to use a proxy filter or a network firewall.
Okay. Thank you.