Link to home
Create AccountLog in
Avatar of xP3000
xP3000Flag for United Kingdom of Great Britain and Northern Ireland

asked on

Active Directory Groups


I've been given a new task in our Active Directory, we have a "Security Groups Global" OU and within this OU there are 1831 security groups!

my task is to search and look at each of these groups to find out if any are empty and delete the security groups which are empty! now searching 1831 groups is going to be boring and take quite a while... what i'm after is, is there another way of going about this? i.e. is there a tool out there which can do this for me? or a reporting tool that can tell me what groups are empty?

Kind Regards,

James Little
Avatar of wdurrett
Flag of United States of America image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
You can also use the DumpSec tool to dump all the groups to a file to review.
The below vbs should do the trick. Save as a vbs file and run via cscript from the command line, e.g.

cscript getEmptyGroups.vbs

It should list all the groups that have no members.

In the script, change 'strOU' to the DN of the OU holding the groups, e.g. 'OU=Security Global Groups,DC=domain,DC=local'

Let me know how you get on.

strOU = "OU=Security Global Groups,DC=domain,DC=local"
Set objOU = GetObject("LDAP://" & strOU)
objOU.Filter = Array("group")

For Each objGroup In objOU
	If IsEmpty(objGroup.member) Then WScript.Echo "Empty - " &

Open in new window

A simple tool you are looking for is AD Manager Plus. You can download a free version from the below link
Install it and then you can  have your desire report .
IN AD Manager PLus Slect on AD Reports---Select Groups Reports---select Groups Without Members.
There You can have more reports as per your need. As well as you can manage your AD user and computers and groups.
Avatar of xP3000


Just what i was looking for me! thanks!