Detect AD group without members using PowerShell

Active Directory groups are an important part of every network. As a rule, AD groups are used, for example, to control access permissions or printer assignments.

The larger the network, the more confusing it becomes, so you should check regularly which AD groups have no members. This way, errors in group assignments can be ruled out, or the empty AD groups can be deleted under certain circumstances.

The PowerShell console is ideal for finding empty AD groups, i.e. groups without members. A few months ago we reported on how to list the members of an AD group; today we would like to show you how to find AD groups without members.

Before you can run the following PowerShell script, you have to load the Active Directory module into the PowerShell console. This works with the following command.

Import-Module ActiveDirectory

With the following command you can now have the list of empty Active Directory groups displayed.

Get-ADGroup -Filter * -Properties Members | where {-not $_.Members} | select Name

We have shown you the process below as an example.

[Screenshot: Get-ADGroup output listing the AD groups without members]

As you can see, in our example Active Directory a total of 9 AD groups were found that have no members.

Since this list can be very extensive in larger Active Directory environments, you can redirect the output to a text file by appending "> drive:\directory\filename.txt" and then process it further. The complete PowerShell command is then:

Get-ADGroup -Filter * -Properties Members | where {-not $_.Members} | select Name > drive:\directory\filename.txt
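The one-liner above only looks at the group's "member" attribute, so groups that hold members solely via primaryGroupID (such as Domain Users or Domain Computers) also appear "empty". The following script is an added example, not code from the original post: it skips the well-known primary groups by their RID, confirms each candidate with Get-ADGroupMember, records where the group is still referenced, and exports the result with Export-Csv instead of a plain text redirect. It assumes the ActiveDirectory module is installed and a domain controller is reachable; the function and file names are our own.

```powershell
# Added example (not from the original post): report AD groups with no members.
# Assumes RSAT / the ActiveDirectory module is installed and a DC is reachable.
Import-Module ActiveDirectory

# Well-known RIDs of the default primary groups. Their "member" attribute is
# empty because membership comes from the users' primaryGroupID instead.
$primaryGroupRids = @(513, 514, 515, 516, 521)  # Domain Users, Guests, Computers, Controllers, RODCs

function Get-EmptyADGroup {
    param(
        # Defaults to the whole domain; pass an OU DN to narrow the search.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties Members, MemberOf, whenCreated, Description |
        Where-Object { -not $_.Members } |
        Where-Object {
            # Last part of the SID is the RID; skip the default primary groups.
            $rid = [int](($_.SID.Value -split '-')[-1])
            $primaryGroupRids -notcontains $rid
        } |
        ForEach-Object {
            # Get-ADGroupMember also resolves primary-group members, so it is
            # a second opinion on whether the group is really empty.
            $members = @(Get-ADGroupMember -Identity $_.DistinguishedName -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Name              = $_.Name
                GroupScope        = $_.GroupScope
                GroupCategory     = $_.GroupCategory
                Created           = $_.whenCreated
                Description       = $_.Description
                # Groups nested elsewhere or used in ACLs deserve a closer look
                # before deletion; nesting is visible here, ACL use is not.
                NestedIn          = ($_.MemberOf -join '; ')
                MemberCount       = $members.Count
                DistinguishedName = $_.DistinguishedName
            }
        } |
        Where-Object { $_.MemberCount -eq 0 }
}

$empty = Get-EmptyADGroup
$empty | Format-Table Name, GroupScope, GroupCategory, Created, NestedIn -AutoSize

# Export-Csv keeps every column; "> file.txt" would only capture the console text.
$empty | Export-Csv -Path "$env:USERPROFILE\empty-ad-groups.csv" -NoTypeInformation -Encoding UTF8
```

A group that is empty but still nested in other groups or referenced in ACLs can leave orphaned SIDs behind if deleted, so review the NestedIn column and the group's permissions before cleaning up.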

Finally, we have listed other useful PowerShell commands for Active Directory.

– Determine computer accounts in AD that have not reported in for a long time
– Count the number of AD (Active Directory) objects using PowerShell
– Determine the LastLogon (last login) of a user in AD using Get-ADUser
– List AD user accounts that have a profile path entered
– Deactivate a user account under Windows 10
– Determine which AD users have never logged in
– Create a list of all XP PCs in AD (Active Directory)
– List all deactivated AD accounts using PowerShell
– Create a list of the home directories, home drive and profile path of all AD users
– List of users who have logged on to AD in the last "x" days
– Output a list of all AD users including email address