FBOLTS

Finding unused groups using LDAP

I would like to clean my AD structure of all the unused groups. There are currently numerous Security / distribution groups that I am certain are no longer used. I would like to create an LDAP query to find out which groups haven't been used / have no members / haven't been modified for over a year. What is the best way to do this?
ASKER CERTIFIED SOLUTION
Farhan Kazi
This solution is only available to members.
FBOLTS

ASKER

Hi Farhankazi - thanks for that. So if I run that query at a root folder will it run against objects further down the structure?
Correct.

ASKER

I have tried running both queries and neither returns anything. I know there are empty groups though?!
You are running the queries from the command prompt, right?

ASKER

No, I am in the SAVED QUERIES portion. I am creating a new query, selecting advanced custom query and pasting the code snippets.
SOLUTION

ASKER

Cool - it works, but how do I specify the OU to begin the query at?
SOLUTION

ASKER

The empty one works fine but I think I need to tweak the other one. How can I specify in the query that I would like to see all groups that haven't changed for over 1 year?
SOLUTION

ASKER

So the query returns ALL groups and I have to manipulate the data to see those that haven't changed for over a year? Isn't there a way of capturing only those that haven't changed?
SOLUTION
Hi,

I am also in the process of cleaning up old groups. But the above commands help with the modified date stuff. In fact there are multiple groups which will actually be in use but might not have been modified for a long time. Is there any way that we can find the inactive groups instead of going by modified date?

Dsquery helps to get the inactive computer accounts and the user accounts, depending on the access of the same. In the same way, can we find out the last date on which the alias (DL or Security) received emails?

Thanks in advance.
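
An added example, not part of the original thread or of any reply in it: a PowerShell sketch of the query the asker describes (groups under a chosen OU that have no members and have not changed for over a year), filtered on the server side instead of post-processing all groups. It assumes the ActiveDirectory module (RSAT) is installed; the function name `Get-StaleGroupFilter`, the OU `OU=Groups,DC=example,DC=com` and the CSV file name are placeholders.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-StaleGroupFilter {
    # Hypothetical helper: builds the LDAP filter string.
    param(
        [int]$Days = 365,
        [switch]$EmptyOnly
    )
    # whenChanged uses generalized-time syntax, so the cutoff must be
    # written as yyyyMMddHHmmss.0Z in UTC.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString(
        'yyyyMMddHHmmss', [cultureinfo]::InvariantCulture) + '.0Z'

    $clauses = @('(objectCategory=group)', "(whenChanged<=$cutoff)")
    if ($EmptyOnly) {
        # Matches groups with no value in the member attribute.
        $clauses += '(!(member=*))'
    }
    '(&' + ($clauses -join '') + ')'
}

# Placeholder OU: the search starts here and, with Subtree scope,
# covers every container beneath it.
$searchBase = 'OU=Groups,DC=example,DC=com'
$filter     = Get-StaleGroupFilter -Days 365 -EmptyOnly

Get-ADGroup -LDAPFilter $filter -SearchBase $searchBase -SearchScope Subtree `
            -Properties whenCreated, whenChanged, mail |
    Select-Object Name, GroupCategory, GroupScope, mail,
                  whenCreated, whenChanged, DistinguishedName |
    Sort-Object whenChanged |
    Export-Csv -Path .\stale-groups.csv -NoTypeInformation
```

`whenChanged` is not replicated, so the value reflects the domain controller that answered the query, and `member` does not list accounts that hold the group only as their primary group. As the last post points out, an unmodified group may still be in use (mail delivery, ACLs), so treat the CSV as a review list, not a delete list.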