Overcoming Active Directory Group Bloat!

Most Active Directory environments are riddled with a common problem: group bloat! Group bloat is what happens when too many people have had the opportunity to create groups and have exercised that opportunity without any control. As a result, the Active Directory environment has too many groups. Some groups have exactly the same members, yet are managed as if their membership were different. Other groups were created and never used. Many of these groups are empty.

It is this last example of group bloat, the empty groups, that I took it upon myself to try and discover. A manual attempt to find empty groups is a tedious and painful one. It is possible, but only if I am getting paid by the hour!

I then went to the internet to try and find an easy command line option to get a listing of empty groups. Below are some of the suggested commands that are meant to produce a list of empty groups:

First:

Get-ADGroup -Filter {GroupCategory -eq 'Security'} | Where-Object {@(Get-ADGroupMember $_).Length -eq 0}

Second:

' Define constants
Const ADS_SCOPE_SUBTREE = 2 ' Search the target object and all sub levels

' Set variables
DQ = Chr(34) ' Double quote

' Create objects
Set objShell = CreateObject("WScript.Shell")

' Verify the script was run using CSCRIPT; if not, relaunch it using CSCRIPT
' (WScript.Path has no trailing separator, so the backslash before cscript.exe is required)
If Not LCase(WScript.FullName) = LCase(WScript.Path & "\cscript.exe") Then
    objShell.Popup "Launched using wscript. Relaunching...", 5, "WSCRIPT"
    objShell.Run "cmd.exe /k " & WScript.Path & "\cscript.exe //NOLOGO " & _
        DQ & WScript.ScriptFullName & DQ, 1, False
    WScript.Quit 0
End If

' Construct an ADsPath to the current domain using rootDSE
Set objRootDSE = GetObject("LDAP://rootDSE")
strADsPath = "LDAP://" & objRootDSE.Get("defaultNamingContext")

' Connect to Active Directory through the ADO provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000 ' Paged results, so domains with more than 1000 groups are fully returned
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Query every group in the domain, retrieving its ADsPath and its member attribute
objCommand.CommandText = "SELECT ADsPath,member FROM '" & strADsPath & "' WHERE objectClass='group'"
Set objRecordSet = objCommand.Execute

If objRecordSet.EOF Then
    WScript.Echo "Error, no groups found"
    WScript.Quit
Else
    WScript.Echo "List of empty groups"
    WScript.Echo "============================================================="
    objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        strGroupName = objRecordSet.Fields("ADsPath").Value
        arrMembers = objRecordSet.Fields("member").Value
        ' A group whose member attribute is absent (Null) has no members
        If IsNull(arrMembers) Then
            WScript.Echo strGroupName
        End If
        objRecordSet.MoveNext
    Loop
End If

WScript.Echo "Script has finished"

Third:

Get-QADGroup -GroupType Security -SizeLimit 0 | Where-Object {$_.Members.Count -eq 0 -and $_.MemberOf.Count -eq 0} | Select-Object GroupName, ParentContainer | Export-Csv c:\emptygroups.csv

Now, I am sure there are other options, but these are the first few I found. I am just a routine Active Directory admin, and based on what I see, these are just not "plug and play" commands! There will be many iterations and gyrations in trying to get these to work in your environment.
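For readers who do want a scripted version, here is an added example (not from the original post, and not ADManager Plus code) built on the Microsoft ActiveDirectory module. It differs from the one-liners above in two ways a practitioner cares about before deleting anything: it asks the domain controller for groups with no member attribute instead of pulling every group's membership client-side, and it flags the two cases where "empty" is misleading, namely groups that are some account's primary group (Domain Users, Domain Computers and the like never list those accounts in member) and protected built-in groups marked isCriticalSystemObject. The function name, its parameters and the output path are assumptions for this example.

```powershell
# Added example: report empty AD groups and mark which are safe cleanup candidates.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-EmptyADGroupReport {
    param(
        # Hypothetical parameters: where to search and where to write the CSV
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$OutputCsv  = "$env:TEMP\emptygroups.csv"
    )

    # Server-side LDAP filter: only groups whose 'member' attribute is absent.
    # This avoids calling Get-ADGroupMember once per group.
    $candidates = Get-ADGroup -LDAPFilter '(!(member=*))' -SearchBase $SearchBase `
        -Properties whenCreated, whenChanged, isCriticalSystemObject, managedBy, memberOf

    $report = foreach ($g in $candidates) {
        # Caveat 1: accounts whose primaryGroupID is this group's RID do not appear
        # in 'member', so an "empty" group may still have members that way.
        $rid = $g.SID.Value.Split('-')[-1]
        $primaryMember = Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" `
            -SearchBase $SearchBase -ResultSetSize 1

        # Caveat 2: protected built-in groups must be left alone even when empty.
        $isCritical = [bool]$g.isCriticalSystemObject

        [pscustomobject]@{
            Name              = $g.Name
            DistinguishedName = $g.DistinguishedName
            GroupCategory     = $g.GroupCategory
            GroupScope        = $g.GroupScope
            WhenCreated       = $g.whenCreated
            WhenChanged       = $g.whenChanged
            ManagedBy         = $g.managedBy
            NestedIn          = $g.memberOf.Count   # still granted rights via parent groups?
            HasPrimaryMembers = [bool]$primaryMember
            IsCriticalObject  = $isCritical
            CleanupCandidate  = (-not $primaryMember) -and (-not $isCritical) -and ($g.memberOf.Count -eq 0)
        }
    }

    $report | Sort-Object WhenChanged | Export-Csv -Path $OutputCsv -NoTypeInformation
    return $report
}

# Usage: show only the groups that are safe to put in front of a reviewer
Get-EmptyADGroupReport | Where-Object CleanupCandidate |
    Format-Table Name, GroupScope, WhenChanged, ManagedBy -AutoSize
```

The report deliberately stops at listing: an empty group that is nested in another group still carries whatever rights the parent grants, so it is marked with NestedIn and excluded from CleanupCandidate rather than deleted, and the managedBy owner is included so each deletion can be confirmed with someone before it happens.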

Instead of punishing yourself with such painful commands and attempting to get them to work, why not use a simple, “one click” solution like you have in ADManager Plus? Look at Figures 1 and 2 to see what I mean.

Figure 1. ADManager Plus group reports.


Figure 2. ADManager Plus report on groups without members.


From this list, you can click on any group to modify it. You can multi-select groups and delete them. You can save the list in nearly any format you want. You can even move the groups to a dedicated organizational unit for housekeeping purposes.

Tell me that is not easier than trying to figure out how to get the list and then manipulate the contents of the list by using a command!

You Can Learn More About the ManageEngine Product Line By Going to manageengine.optrics.com

The original article/video can be found at Overcoming Active Directory Group Bloat!
