PowerShell: Find and Delete Empty Groups in Active Directory
Cleanup Empty AD Groups with PowerShell
Administrators use groups to grant a set of users permissions and access rights to resources. Once the work is done and the resources are no longer needed, the users are removed from the group, leaving it empty but still holding its permissions and access rights. As a rule of thumb, admins should either delete or disable any unwanted objects to keep their AD environment clutter-free and safe. This applies to groups as well. The following PowerShell script finds empty groups and automatically deletes them.
Import-Module ActiveDirectory

#-------------------------------
# FIND EMPTY GROUPS
#-------------------------------
# Get empty AD Groups within a specific OU
$Groups = Get-ADGroup -Filter { Members -notlike "*" } -SearchBase "OU=GROUPS,DC=testlab,DC=com" | Select-Object Name, GroupCategory, DistinguishedName
#-------------------------------
# REPORTING
#-------------------------------
# Export results to CSV
$Groups | Export-Csv C:\Temp\InactiveGroups.csv -NoTypeInformation
#-------------------------------
# INACTIVE GROUP MANAGEMENT
#-------------------------------
# Delete Inactive Groups
ForEach ($Item in $Groups) {
    try {
        # -ErrorAction Stop makes a failed removal throw, so "Deleted" is only reported on success
        Remove-ADGroup -Identity $Item.DistinguishedName -Confirm:$false -ErrorAction Stop
        Write-Output "$($Item.Name) - Deleted"
    }
    catch {
        Write-Warning "$($Item.Name) - Not deleted: $($_.Exception.Message)"
    }
}
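A more cautious variant of the script above, added here as an example and not part of the original article: it classifies each empty group before anything is removed and only performs a dry run. The function name Get-EmptyGroupCandidate, the SafeToDelete and SkipReason columns, the rule that nested groups are held back for review, and the path C:\Temp\EmptyGroupReview.csv are assumptions of this example.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (not from the original script): classify empty groups before deletion.
function Get-EmptyGroupCandidate {
    param([Parameter(Mandatory)][string]$SearchBase)

    # Same test as the script above, written as an LDAP filter: no 'member' values.
    $empty = Get-ADGroup -LDAPFilter '(!(member=*))' -SearchBase $SearchBase -Properties memberOf, isCriticalSystemObject, whenChanged

    foreach ($g in $empty) {
        # Primary-group membership is stored on the account (primaryGroupID = group RID),
        # not in the group's 'member' attribute, so such a group only looks empty.
        $rid = $g.SID.Value.Split('-')[-1]
        $primary = Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1

        # Conservative policy chosen for this example: anything with a reason is held back.
        $reason = if ($g.isCriticalSystemObject) { 'Critical system object' }
                  elseif ($primary) { 'Primary group of an account' }
                  elseif ($g.memberOf.Count -gt 0) { 'Nested in other groups; review first' }
                  else { $null }

        [pscustomobject]@{
            Name              = $g.Name
            GroupCategory     = $g.GroupCategory
            DistinguishedName = $g.DistinguishedName
            WhenChanged       = $g.whenChanged
            SafeToDelete      = -not $reason
            SkipReason        = $reason
        }
    }
}

# Same OU as the script above; the CSV is the review record of what was found and why.
$report = Get-EmptyGroupCandidate -SearchBase 'OU=GROUPS,DC=testlab,DC=com'
$report | Export-Csv C:\Temp\EmptyGroupReview.csv -NoTypeInformation

# Dry run: -WhatIf prints what would be removed without changing the directory.
$report | Where-Object SafeToDelete | ForEach-Object {
    Remove-ADGroup -Identity $_.DistinguishedName -WhatIf
}
```

Once the CSV has been reviewed, replacing -WhatIf with -Confirm:$false performs the deletion as in the original script.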