I was recently perusing TechNet's script repository, which collects all of the community scripts related to Active Directory groups. It was fascinating in that these scripts did a lot of great things, but they required quite a lot of work if you wanted them for anything other than one-off requests. And that's not even getting into the question of which operating systems they support.
But what really intrigued me is what you do with these scripts. Some of them created objects or added members to groups, but mainly they just returned a list of objects or a report. That got me thinking about the search requests on our own website around our free Active Directory reporting tool, GroupID Reports. These reports do everything these scripts do and more, they work universally, and they don't require any manual effort. Heck, you can even schedule them to run and have them emailed to you.
But still, what do you do with it? The most common search term around reports that we get is "active directory groups with no members". Our report generates a list of them; you can import it into Excel and run a PowerShell script to delete them, but that, again, requires a bit of effort. We are in the business of reducing effort. So I took a more discerning eye to GroupID and realized we *have* to be able to give our customers a way to do something about these empty groups.
And I found it in GroupID's MMC. It's as simple as filtering on the `member` attribute in the All Groups subnode: if it's null, list the group. Additionally, if you want groups with no members and no owner, just add a second filter on the `managedBy` attribute. Then you get empty, ownerless groups, just the sort you don't want hanging around your directory.
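For readers who want the same two-attribute filter outside the GroupID console, here is an added PowerShell example (not code from the original post or from GroupID) that does the search with the ActiveDirectory module and then stages the results the way the "expire" action is described below: it backs the group's attributes up to a CSV, hides a mail-enabled group from the address lists, and renames it with an `exp-` prefix instead of deleting it. Two caveats a practitioner should want are built in: a group that serves as somebody's primary group (Domain Users, Domain Computers) has an empty `member` attribute but is not empty, so the script checks `primaryGroupID` against the group's `primaryGroupToken`; and groups flagged `isCriticalSystemObject` or created within the last 30 days are skipped. The function names, the 30-day threshold, and the CSV path are my own choices. Removing the mail address itself is left to the Exchange cmdlets, since writing `proxyAddresses` by hand bypasses Exchange's own bookkeeping.

```powershell
# Added example, not part of the original post or of GroupID's own code.
# Requires the RSAT ActiveDirectory module and rights to read and rename groups.
Import-Module ActiveDirectory

function Get-EmptyOwnerlessGroup {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$MinAgeDays = 30   # assumed threshold: freshly created groups are often legitimately empty
    )
    # LDAP equivalent of "member is null AND managedBy is null", minus protected system groups.
    $filter = '(&(objectCategory=group)(!(member=*))(!(managedBy=*))(!(isCriticalSystemObject=TRUE)))'
    $cutoff = (Get-Date).AddDays(-$MinAgeDays)

    Get-ADGroup -LDAPFilter $filter -SearchBase $SearchBase `
                -Properties primaryGroupToken, mail, whenCreated, groupType |
        Where-Object { $_.whenCreated -lt $cutoff } |
        Where-Object {
            # Primary-group membership is stored on the user/computer (primaryGroupID),
            # not in the group's member attribute, so an "empty" group may still be in use.
            $rid = $_.primaryGroupToken
            -not (Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1)
        }
}

function Invoke-GroupExpiry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADGroup]$Group,
        [string]$BackupPath = '.\expired-groups.csv'   # assumed location for the attribute backup
    )
    process {
        if ($Group.Name -like 'exp-*') { return }   # already expired, leave it alone

        # Record what we are about to change so the group can be "renewed" later.
        [pscustomobject]@{
            Name              = $Group.Name
            DistinguishedName = $Group.DistinguishedName
            GroupScope        = $Group.GroupScope
            GroupCategory     = $Group.GroupCategory
            Mail              = $Group.mail
            WhenCreated       = $Group.whenCreated
            ExpiredOn         = (Get-Date).ToString('s')
        } | Export-Csv -Path $BackupPath -Append -NoTypeInformation

        if ($PSCmdlet.ShouldProcess($Group.DistinguishedName, 'Expire group')) {
            if ($Group.mail) {
                # Hide from the GAL. Un-mail-enabling proper should be done with
                # Exchange's Disable-DistributionGroup rather than by editing proxyAddresses here.
                Set-ADGroup -Identity $Group -Replace @{ msExchHideFromAddressLists = $true }
            }
            Rename-ADObject -Identity $Group -NewName "exp-$($Group.Name)"
        }
    }
}

# Dry run first: -WhatIf reports every group that would be renamed without touching AD.
Get-EmptyOwnerlessGroup | Invoke-GroupExpiry -WhatIf

# Then for real, optionally scoped to one OU (the OU path below is an assumption):
# Get-EmptyOwnerlessGroup -SearchBase 'OU=Distribution Lists,DC=example,DC=com' | Invoke-GroupExpiry
```

Run the `-WhatIf` pass and review the CSV before the real run; once the groups carry the `exp-` prefix, a later scheduled job can delete anything that has stayed expired past whatever grace period you choose, which is the two-step expire-then-delete flow the rest of this post describes.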
Highlight these groups (in the screenshot I decided to highlight only distribution lists, leaving the security groups untouched for now) and select from your options in the action pane (or left click). I want to expire these rather than delete them, because there might be some incredibly odd reason to bring them back in the future (you can set the time from expiration to deletion).
By expiring them, GroupID un-mail-enables them, backs up the membership, prefixes the group name with exp-, and removes them from the GAL. This renders them essentially useless. If somebody really wants these empty, ownerless groups back, it's as simple as clicking Renew.
Finally, you can do something about these groups and judging by that action pane, GroupID can do a lot about them:
- move the groups
- expire, renew or delete the groups
- modify the group scope
- transfer ownership
- set security type
- set expiration policy
Anything you can report on with GroupID Reports, you can now act on directly in GroupID.
That's what you do about Active Directory groups with no members.
If you want to see even more, contact us.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the identity market and how buyers think.