empty AD groups and risk

We have done an audit of our AD domains and found several hundred empty AD groups (no members). Our admins don't seem particularly concerned about this, even though they accept it is years' worth of bad housekeeping. I am wondering if they have overlooked any risks in leaving the empty groups in place, even though they clearly serve no operational purpose to the business. Is there any risk in leaving masses of empty security groups in a domain, and if so, what?
Hello There (System Administrator) commented:
Well, everything is vulnerable.
One way attackers can obtain elevated privileges is to add their account to an AD group with privileges. The more AD groups, the more opportunities. You probably do not remember which group has which privileges; if you don't use a group, you can forget that members of that specific group have permission to modify something, etc. And a potential attacker can misuse it.

I suggest you use a script that will clear all empty groups. HERE and HERE
Costs nothing and does its job.

You should do the same with empty OU and unused GPOs.
Shaun Vermaak (Technical Specialist/Developer) commented:
It is a clear indicator that other housekeeping is not being done.

Before deleting any group, enable the AD Recycle Bin.

Here are a few operational tools for AD
Hello There (System Administrator) commented:
Good point to enable Recycle Bin. Give it some time before permanent deletion. At least one month. Sometimes you need some objects back.

pma111 (Author) commented:
>You probably do not remember which group has which privileges

Is it common to find permissions on groups that allow broad groups like Everyone or Domain Users to modify the groups and add their own accounts to them, or is that unlikely?
Hello There (System Administrator) commented:
Well, in a domain environment users can use something like an AD scanner or AD sniffer to get the list of all users and groups. That's why you shouldn't use the Description field for sensitive information.

They also might see a permission list of users and groups under folder properties unless you disable this.

But they cannot modify anything in AD if they don't have elevated permissions.
Naveen Sharma commented:
Use PowerShell, something like: Get-ADGroup -Filter * -Properties Members | where { $_.Members.Count -eq 0 } to find them, and if they are not required you can delete the group.

Also, get help from the articles below:

Enable Active Directory Recycle Bin:

Find all orphaned objects in Active Directory and move them to New OU:

Active Directory Cleanup Tool:
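An added example, not from the thread or any of the posters, that ties the advice above together: it inventories empty groups, reports which of them broad principals such as Domain Users can write to (the point pma111 asked about), refuses to delete unless the AD Recycle Bin is enabled, and honours -WhatIf. It assumes the ActiveDirectory RSAT module; $SearchBase and $ReportPath are hypothetical parameters.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,                           # hypothetical: restrict to one OU's DN
    [string]$ReportPath = ".\EmptyGroups.csv",
    [switch]$Delete                                # without this the script only reports
)
Import-Module ActiveDirectory
# Refuse to delete unless the AD Recycle Bin is enabled, so a mistake is reversible.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($Delete -and -not $rb.EnabledScopes) {
    throw "AD Recycle Bin is not enabled; enable it before deleting groups."
}
$query = @{ Filter = '*'; Properties = 'Members','GroupCategory','whenCreated','whenChanged' }
if ($SearchBase) { $query.SearchBase = $SearchBase }
# Empty = no direct members. Well-known groups (RID below 1000, e.g. Account Operators)
# are skipped: they are protected and being empty is normal for them.
$candidates = Get-ADGroup @query | Where-Object {
    $_.Members.Count -eq 0 -and [int](($_.SID.Value -split '-')[-1]) -ge 1000
}
# For each candidate, list ACEs that let broad principals change the object; an empty
# group that Domain Users can write to is exactly the foothold the thread warns about.
$broad = 'Everyone|Authenticated Users|Domain Users'
$report = foreach ($g in $candidates) {
    $acl = Get-Acl -Path "AD:\$($g.DistinguishedName)"
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $broad -and
        "$($_.ActiveDirectoryRights)" -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner'
    }
    [pscustomobject]@{
        Name           = $g.Name
        Category       = $g.GroupCategory          # Security groups matter most; Distribution carry no ACL rights
        Created        = $g.whenCreated
        LastChanged    = $g.whenChanged
        BroadWriteACEs = ($writers | ForEach-Object { "$($_.IdentityReference):$($_.ActiveDirectoryRights)" }) -join '; '
    }
}
$report | Sort-Object BroadWriteACEs -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
if ($Delete) {
    foreach ($g in $candidates) {
        # Running the script with -WhatIf shows what would be removed without doing it.
        if ($PSCmdlet.ShouldProcess($g.DistinguishedName, 'Remove-ADGroup')) {
            Remove-ADGroup -Identity $g.DistinguishedName -Confirm:$false
        }
    }
}
```

Review the CSV first; rows with a non-empty BroadWriteACEs column deserve a look at the ACL before the group is simply deleted, because the same ACE may exist on other objects.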