Member_2_79173
asked on
Looking for PowerShell script to make a list of all empty security groups in an OU or the domain, excluding distribution groups
I am looking for PowerShell code to export a list of all empty security groups in a specified OU or in the domain, to a .csv file. I found the following code online.
Get-ADGroup -Filter * -Properties Members | where {-not $_.members} | select Name | Export-Csv H:\documents\reports\emprtygroups.csv -NoTypeInformation
The output is the empty groups in the whole domain. I think it finds both security groups and distribution groups but I always just want security groups.
I am just going to paste the code into a PowerShell command window so it can be bare bones and you can just give me two separate pieces of code - one for the whole domain and one to specify a specific OU.
I have PowerShell code for another similar task where the OU is specified by Distinguished Name like this:
$OU = "ou=Security Groups,ou=our OU,ou=User Accounts,ou=Our department,dc=our-organization,dc=com"
That would be an acceptable way to specify the OU and maybe I could just remove that line to specify the whole domain?
The names have been changed to protect the innocent.
Thanks,
Don
Better:
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -properties members -SearchBase "ou=Security Groups,ou=our OU,ou=User Accounts,ou=Our department,dc=our-organization,dc=com" | where {-not $_.members} | select Name, GroupCategory | ft -autosize
ASKER
McKnife,
I only tried the one marked Better: This works very well!
I have two requests. I can make this a new question if it will give you more points.
1. Would it be possible to have tabs separating the two columns instead of spaces?
2. Can you change the script so that it deletes all the empty security groups it finds? I realize this is potentially dangerous but would save us a lot of time.
Thanks,
Don
ASKER
No worries.
So if I want to include the entire domain in the search, how would the code look?
Thanks,
Don
donander, if you haven't yet used this command, please do me a favor and DON'T USE IT!
I was about to do the same as I thought, why not clean up a little myself, and for whatever reason, this command decides the group "domain-users" is empty, too, so it would be deleted! That would be the worst thing that could happen.
Let me clear this up, I'll be back soon.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Fortunately I did not run the code you posted that removes the groups.
So the code you just posted finds all the empty security groups (excluding distribution groups) in the domain but doesn't remove any?
That is what I currently want to do.
Thanks,
Don
Exactly, it just finds them.
Make it
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase "dc=our-organization,dc=com" | ?{(Get-ADGroupMember $_ -Recursive).Count -eq 0} | Remove-ADGroup
to remove as well (confirmation needed).
ASKER
Sorry for dragging my feet on accepting this as the solution.
McKnife exemplifies the best of EE and went above and beyond the call of duty to provide me with the solution I needed.
Thanks very much,
Donander
You are very welcome and thanks for the recognition!
By the way, I just deleted 2 of my comments with "dangerous code", so that no one else might accidentally copy paste and use it... :-)
ASKER
Good idea!
ASKER
Sorry to do this to you but I just checked a couple of the security groups that the script found and one of them did have a member, but the member was another security group. Our team's practice is to make an LS group for the top folder of the file server location for each of our faculty members, then nest the Modify groups for the folders below into that LS group, thus providing the ability to traverse the tree down into a folder where a user may have Modify permissions. My guess is that the syntax of your script does not account for a security group being a member of another security group but only looks for users. I am happy to make a new question for this since this one is closed but if I do I want to make sure you will see it. I guess you can just look for another question from donander. Let me know. Thanks.
The script counts users in nested groups, too, so it would only then delete the "parent" group, if all nested groups were empty, too. That should be desirable behavior. Not?
ASKER
I have to go home in a few minutes so don't have time to check this but I think you are saying that if I look at the members of a group given by the script and there is another group shown in the Members list, I can bet that if I go look at that nested group it will be empty?
If so then cool.
SOLUTION
This solution is only available to members.
ASKER
Thanks!
Don
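A report-first variant of the commands discussed in this thread, added here as an example and not posted by any participant: it skips built-in groups, checks primary-group membership separately (the likely reason "domain-users" looked empty), writes a tab-separated report, and only simulates deletion. The domain DN is the thread's placeholder; the `$SearchBase` and `$ReportPath` names and the report path are assumptions.

```powershell
# Added example, not code from the thread. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumptions: placeholder domain DN from the thread (use an OU DN to narrow the
# search) and a hypothetical report path.
$SearchBase = "dc=our-organization,dc=com"
$ReportPath = "H:\documents\reports\empty-security-groups.tsv"

$candidates = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase $SearchBase -Properties Members, isCriticalSystemObject |
    Where-Object {
        # Skip built-in groups such as Domain Users and Domain Admins outright.
        if ($_.isCriticalSystemObject) { return $false }

        # Primary-group membership lives on the account (primaryGroupID = the
        # group's RID), not in the group's member list, so test it explicitly.
        $rid = $_.SID.Value.Split('-')[-1]
        if (Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1) { return $false }

        # Same test as the thread: no user or computer anywhere below this group.
        @(Get-ADGroupMember -Identity $_ -Recursive).Count -eq 0
    }

# Tab-separated report. For these candidates every direct member is another
# group, so NestedGroups lets a reviewer tell a truly empty group from a parent
# that only holds (currently empty) child groups.
$candidates |
    Select-Object Name, GroupCategory,
        @{ Name = 'NestedGroups'; Expression = { $_.Members.Count } },
        DistinguishedName |
    Export-Csv -Path $ReportPath -Delimiter "`t" -NoTypeInformation

# Dry run only: -WhatIf prints what would be deleted and changes nothing.
# Groups that contain nested groups are left out so parent groups survive.
$candidates |
    Where-Object { $_.Members.Count -eq 0 } |
    Remove-ADGroup -WhatIf
```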