empty AD groups and risk

we have done an audit of our of our AD domains, and found several hundred empty AD groups (no members). Our admins don't seem particularly concerned about this, even though accepted its years worth of bad housekeeping. I am wondering if they have overlooked any risks in leaving the empty groups in place even though clearly serving no operational purposes to the business. Is there any risk in leaving masses of empty security groups in a domain, if so what?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hello ThereSystem AdministratorCommented:
Well, everything is vulnerable.
One way attackers can obtain elevated privileges is to add their account to an AD group with privileges. The more AD groups, the more opportunities. You probably do not remember which group has which privileges, you can forget that members of the specific group have permission to modify something etc if you don't use it. And potential attacker can misuse it.

I suggest you to use a script that will clear all empty groups. HERE and HERE
Costs nothing and does its job.

You should do the same with empty OU and unused GPOs.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Shaun VermaakTechnical SpecialistCommented:
It is a clear indicator that other housekeeping is not being done.

Before deleting any group, enable AD recycle bin

Here are a few operational tools for AD
Hello ThereSystem AdministratorCommented:
Good point to enable Recycle Bin. Give it some time before permanent deletion. At least one month. Sometimes you need some objects back.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

pma111Author Commented:
>You probably do not remember which group has which privileges

Is it common to find permissions on groups allow global groups like everyone domain users etc can modify the groups and add their own accounts to groups or is that unlikely?
Hello ThereSystem AdministratorCommented:
Well, in domain environment users can use something like AD scan or AD sniffer to get the list of all users and groups. That's why you shouldn't use a Description field for sensitive information.

They also might see a permission list of users and groups under folder properties unless you disable this.

But they cannot modify anything in AD if they don't have elevated permissions.
Naveen SharmaCommented:
Use powershell something like: Get-ADGroup -Filter * -Properties Members | where { $_.Members.Count -eq 0 } to find and if not required you can delete the group.

Also, get help from below articles:

Enable Active Directory Recycle Bin:

Find all orphaned objects in Active Directory and move them to New OU:

Active Directory Cleanup Tool:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.