If you’re an IT pro and you have either worked on an Active Directory for a long time or taken over someone else’s, you will know that there are security groups that are just not used anymore, but you’re afraid to delete them because they might still be in use.

You can use the handy dandy set of simple PowerShell scripts below to determine which Active Directory groups are unused inside Active Directory, and therefore LIKELY safe to be deleted.


THERE IS NO ATTRIBUTE IN ACTIVE DIRECTORY THAT RECORDS WHEN A SECURITY GROUP WAS LAST QUERIED. Just because the scripts below do not show a group being used somewhere doesn’t guarantee that it isn’t being used anywhere. Think of the situation in which a firewall or VPN asks Active Directory for the list of users in a group named “USERS ALLOWS TO VPN IN”: that lookup leaves no trace on the group object. These scripts will not tell you that such a group is still in use, so deleting it may still cause problems.

You can use the following PowerShell scripts to identify groups that have no members or are not assigned to any resources (e.g., permissions, GPOs, etc.). The first script checks whether a group appears in the local groups (such as Administrators) of the computers in an OU; the second finds groups with no members in AD.

Replace “YourGroupName”, “YOURDOMAIN” and “YourOU” with the group’s sAMAccountName, your domain’s NetBIOS name, and the organizational unit (OU) where you want to search. Note that Win32_GroupUser refers to members as Domain="…",Name="…" rather than by distinguished name, which is why the script matches on those two values.

# Specify the group to check: its sAMAccountName and the domain's NetBIOS name
$groupName   = "YourGroupName"
$groupDomain = "YOURDOMAIN"

# Get all computers in the specified search base (e.g., one OU or the entire domain)
$computers = Get-ADComputer -Filter * -SearchBase "OU=YourOU,DC=yourdomain,DC=com"

# Query each computer's local group memberships. In Win32_GroupUser, PartComponent is
# the member and GroupComponent is the local group it belongs to (e.g. Administrators).
# Computers that are offline are skipped instead of aborting the whole run.
$groupUsages = Get-WmiObject Win32_GroupUser -ComputerName $computers.DNSHostName -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PartComponent -like "*Domain=`"$groupDomain`",Name=`"$groupName`"*"
    }

# Print the results
if (@($groupUsages).Count -gt 0) {
    Write-Host "The group $groupDomain\$groupName is a member of a local group on the following computers:"
    $groupUsages | ForEach-Object {
        # PSComputerName is the machine the record came from; GroupComponent names the local group
        $localGroup = $_.GroupComponent -replace '.*Name="([^"]+)".*', '$1'
        Write-Host "- $($_.PSComputerName) (local group: $localGroup)"
    }
} else {
    Write-Host "The group $groupDomain\$groupName is not being used on any computers."
}
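Local group membership is only one of the places a group can be “used”. As an added example (not a script from the original article), the following checks the other places named above, Group Policy and permissions, plus nesting in other groups, for a reference to one candidate group. It assumes the ActiveDirectory and GroupPolicy modules are installed, PowerShell 5 or later (for Get-ChildItem -Depth), and that “YourGroupName” and the share paths in $PathsToScan are placeholders you replace with your own values.

```powershell
# Added example: look for references to a group in GPOs, NTFS ACLs and group nesting
# before deleting it. Not part of the original article; group name and share paths are
# placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName   = "YourGroupName"                                        # placeholder
$PathsToScan = @("\\fileserver01\Shares", "\\fileserver02\Data")      # placeholders

$Group  = Get-ADGroup -Identity $GroupName
$Sid    = $Group.SID.Value
$NtName = "$((Get-ADDomain).NetBIOSName)\$($Group.SamAccountName)"

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Group Policy: the XML report of a GPO contains the names and SIDs used in security
#    filtering, delegation, Restricted Groups, user rights assignments and preferences.
foreach ($Gpo in Get-GPO -All) {
    $Xml = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    if ($Xml -match [regex]::Escape($Sid) -or $Xml -match [regex]::Escape($NtName)) {
        $Findings.Add([PSCustomObject]@{ Kind = 'GPO'; Location = $Gpo.DisplayName; Detail = $Gpo.Id })
    }
}

# 2. NTFS ACLs: the share root plus two levels below it is where share permission
#    groups are normally applied; record every ACE granted to the group.
foreach ($Root in $PathsToScan) {
    $Dirs = @(Get-Item -Path $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Root -Directory -Depth 1 -ErrorAction SilentlyContinue)
    foreach ($Dir in $Dirs) {
        $Acl = Get-Acl -Path $Dir.FullName -ErrorAction SilentlyContinue
        if (-not $Acl) { continue }
        foreach ($Ace in $Acl.Access) {
            # Compare by SID so a renamed group, or a name that no longer resolves, is still caught
            $AceSid = try {
                $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $Ace.IdentityReference.Value
            }
            if ($AceSid -eq $Sid -or $Ace.IdentityReference.Value -eq $NtName) {
                $Findings.Add([PSCustomObject]@{
                    Kind     = 'NTFS'
                    Location = $Dir.FullName
                    Detail   = "$($Ace.FileSystemRights) ($($Ace.AccessControlType))"
                })
            }
        }
    }
}

# 3. Nesting: other groups that contain this group as a member
foreach ($Parent in Get-ADPrincipalGroupMembership -Identity $Group) {
    $Findings.Add([PSCustomObject]@{ Kind = 'NestedIn'; Location = $Parent.SamAccountName; Detail = $Parent.DistinguishedName })
}

if ($Findings.Count -eq 0) {
    Write-Host "No GPO, NTFS or nesting references found for $NtName. This still does not cover applications that query AD directly."
} else {
    $Findings | Sort-Object Kind, Location | Format-Table -AutoSize
}
```

Run it once per candidate group from a machine that can read the GPOs and reach the file servers. A group that is empty, absent from local groups, and absent from this report is a much stronger deletion candidate, though, as the warning above says, still not a guaranteed one.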

Alternatively, this script will search Active Directory for any groups with zero members. Note that it counts the group’s member attribute only, so a group that is someone’s primary group (the way Domain Users usually is) can show up as empty even though accounts belong to it:

$Groups = Get-ADGroup -Filter * -SearchBase "OU=Groups,DC=YourDomain,DC=com" -Properties Members,ManagedBy,Description

$GroupObject = ForEach ($Group in $Groups) {
    # ManagedBy is a DN or empty; only resolve it to a display name when it is set
    $Manager = if ($Group.ManagedBy) {
        (Get-ADUser -Identity $Group.ManagedBy -Properties DisplayName -ErrorAction SilentlyContinue).DisplayName
    }
    [PSCustomObject] @{
        Group       = $Group.SamAccountName
        MemberCount = @($Group.Members).Count
        Description = $Group.Description
        ManagedBy   = $Manager
    }
}

$GroupObject | Where-Object MemberCount -eq 0 | Sort-Object Group | Export-Csv -NoTypeInformation "C:\temp\EmptyGroups.csv"

These scripts are very handy for AD cleanup, as are our simple scripts to find all of your dead user accounts (i.e. accounts that have not been logged into for a period of time, like 1 year or more).
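As an added example (not the article’s own dead-user script), here is one way to build that list from the replicated lastLogonTimestamp attribute. It assumes the ActiveDirectory module and a placeholder users OU. lastLogonTimestamp is only written back when the stored value is more than about 14 days old, so the one-year cutoff is accurate to within that window; accounts with no value at all have never logged on and are reported separately so that brand-new accounts are not mistaken for dead ones.

```powershell
# Added example: report user accounts with no logon in the last year, based on
# lastLogonTimestamp. Not from the original article; the OU path is a placeholder.
Import-Module ActiveDirectory

$CutoffDays = 365
$Cutoff     = (Get-Date).AddDays(-$CutoffDays)
$SearchBase = "OU=Users,DC=yourdomain,DC=com"    # placeholder

$Users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties lastLogonTimestamp, whenCreated

$Report = foreach ($User in $Users) {
    # lastLogonTimestamp is a Windows FILETIME (100ns ticks since 1601); null if never logged on
    $LastLogon = if ($User.lastLogonTimestamp) { [DateTime]::FromFileTime($User.lastLogonTimestamp) } else { $null }

    $Status = if (-not $LastLogon) {
        if ($User.whenCreated -lt $Cutoff) { 'NeverLoggedOn' } else { 'New' }
    } elseif ($LastLogon -lt $Cutoff) {
        'Stale'
    } else {
        'Active'
    }

    [PSCustomObject]@{
        SamAccountName = $User.SamAccountName
        Enabled        = $User.Enabled
        Created        = $User.whenCreated
        LastLogon      = $LastLogon
        Status         = $Status
    }
}

# Stale and never-used (but older than the cutoff) accounts are the cleanup candidates
$Report | Where-Object { $_.Status -in 'Stale', 'NeverLoggedOn' } |
    Sort-Object LastLogon |
    Export-Csv -NoTypeInformation "C:\temp\StaleUsers.csv"
```

The same caveat as for groups applies: service accounts that authenticate with a method that does not update lastLogonTimestamp, or accounts used only from another forest, can look stale while still being needed, so review the CSV before disabling anything.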
